Hacker News new | comments | ask | show | jobs | submit login
I can no longer solve ReCAPTHCA captchas
53 points by pbhjpbhj on Mar 18, 2014 | hide | past | web | favorite | 66 comments
For a time there were lots of number based captchas on ReCAPTCHA using sites - presumably for Google Maps - but now they all appear to be a random mixture of letters. I can not solve them.

They're things like "rnmnnihmr" which is barely legible in plain text but when obfuscated - grunged, blurred and waved - I find it's taking about 8 tries before I guess the answer correctly.

Reportedly there are bots getting 90% correct.

Mainly this is just a statement of frustration but in part it's a question of "doesn't this mean we've largely solved OCR now?".

[I think the last time ReCAPTCHA was discussed was this - https://news.ycombinator.com/item?id=6615326.]

Supposedly reCAPTCHA is easier if google thinks you're human.


I guess google thinks you are a robot.

I dunno, in my experience I usually don't second-guess google. Sorry to break it to you.

To add a bit of seriousness back into this: Google is being coy about how they guess at humanness/robotness, but IP address is a likely factor. Maybe the OP is coming from an IP address or block that has a lot of robot activity on it.

I am fairly certain that one of the factors is whether or not you are signed into a Google account.

This explains why I sometimes get really easy reCAPTCHAs sometimes ridiculously hard ones. It seems to depend on IP and computer that I am using.

If it knows you are human why are you still forced to solve it?

Thinks, not knows. Probability estimates should not be confused with certainty.

that dosent change the equation really, if you serve an OCR bot a weak CAPTCHA (and it will be an OCR bot as its capable of interacting with recaptcha to begin with) , its as ineffective as not having a captcha anyways, so what purpose is it serving.

If you really want to get around CAPTCHA you can pay someone on the other side of the planet to solve them for a nickle or whatever. So it can never be a perfect system.

But killing high-speed bots does seem achievable, and I'll bet that's all they really care about.

I can confirm that my reCAPTCHAs are a LOT easier today than they were a year ago. Usually I get pics of numbers from Street View or something like that.

I felt like I was alone with this problem. I have been unable to solve some reCAPTCHA generated puzzles for about 6 months now. There was one particular site, I badly wanted to complete the registration form, but after about the 7th or 8th attempt at solving the captcha, I just decided it wasn't worth it. Now I don't even bother? reCAPTCHA? Bye.


And for the love of all that's holy I wish they'd stop using characters that are impossible to distinguish in the mangled font. Is that 0? O? 1? I? l?.

Also, if they're going to make it case-sensitive, they shouldn't use ANY characters that look almost the same in upper and lower-case (especially when there's no baseline). Is that p? P? w? W?

Not alone by a long shot. I swear google has a line of code somewhere which says:

If ACow_Adonis then recaptcha(warpandobliterate("mnmnvwvvo0Ol1I|"))

Except, its not really bye reCAPTCHA, but bye to the site that used it.

I've found a combination of posting frequency (if more than x posts in x time) + hidden form honeypots + time-to-submit timer + nofollow links + some simple filtering rules/checks on text and links, all but eradicates spam without the need for captchas (with or without user accounts). Common bots still can't make it through that gauntlet, and it's very easy to refine it, even if you're being aggressive, such that humans make it through without a problem.

Did you know only one of the two pieces of text is really there to determine if you're a human?

The other is so you translate for them digital photography into text. Those assholes make us waste time so they make money.

You're going to have to solve one of those anyway. Why not put it to good use? This isn't part of some evil master-plan Google's come up with. It was originally a project at CMU, and is now used to power what is probably the only neural network that can match whole house numbers (ie. without segmentation.) How is that bad for anyone? Personally, I really love Google's symbiotic model for data collection eg. Recaptcha/Google Maps, Ingress/Google Maps, etc.

That used to be the case, but both seem equally hard now - and are no longer recognisable words.

You realize the same exact thing could be said about video game designers, right?

Video game designers aren't forcing me to play their game in order to submit necessary forms.

Yeah, because computers can't win Tic Tac Toe at all, so that's a good way to separate computers from humans.

100% success rate for bots. How is that a useful CAPTCHA?

Well, the really smart ones know not to play.

"General, you are listening to a machine. Do the world a favor and don't act like one." -- Dr. Stephen Falken, "WarGames" (1983)

I too noticed this, particularly while on proxies during testing.

My biggest frustration with captchas isn't even having to try multiple times, it's having to enter most or sometimes all my info again and again.

I know this is not really reCAPTCHAs fault but the font-end guys, still what I would love to see is an independent reCAPTCHA-submit, meaning I don't have to submit the complete form and hope I guessed correctly, instead I only submit after I know I nailed the challenge. Similar to email-verification or password-strengh-checks it could report this to me on-the-fly.

I hate CAPTCHA. If I go to your site to sign up or anything and get a CAPTCHA, I will try it twice. After that I move on.

It's not hard to combat spam without forcing such nefarious acts onto your users.

CAPTCHAs have always suffered from keming.

I hate CAPTCHA, and avoid using sites that require me to use them every time I post a comment even though I'm a registered user of the site.

I figured keming was a joke about kerning. Never heard it before, so thanks! Posting to save other people time: http://www.urbandictionary.com/define.php?term=Keming&defid=...

You know, the fact that it's in urban dictionary doesn't mean it's not a joke about kerning.

The Urban Dictionary entry was about bad kerning...

I'll ask the obvious question: are you a human? :)

I kind of like the idea of spambot creators programming their spambots to post to HN and complain about ReCaptcha, in an effort to get people to stop using it.

I also can no longer read reCaptcha. So I did the smart thing and got rid of it. Instead, I've been using this:


A MILLION times better. It's actually a pleasure to use. I've had no problems with it at all. Go to my website websmithing.com if you want to see it in action.

Death to reCaptcha. Your usefulness as a product is diminishing.

Captcha is dying as computer vision improves. However similar technologies also make automated spam filtering much easier. There are tons of available datapoints to figure out what accounts are bots. IP, how they behave, the times they log in, browser details, etc, and mainly the contents of the text they post.

I totally absolve myself from captchas. If its required, I don't go there. Its demeaning, I hate it. I'm not going to struggle with some frickin game to help your website do whatever those are supposed to do, so get over it, web designers.

Initially I had no problems with them. But these latest ones are something else - I can't even work out how they are helping ReCAPTCHA actually convert text-images to text either. They're not [English] prose of any sort.

If I have to reload because there's no way I can work out if that character is "in" or "rn" or "m" or "hi" or whatever then I'm not going to be coming back.

What they are supposed to do is help prevent a website that accepts and presents user-supplied content from being overwhelmed with automated spam.

Except they don't always work. Spammers have ways to get around them, including farming it out to extremely cheap labor.

I started reading Engineering Security, by Peter Gutmann. Excellent book, btw. At the start of the book he discusses security theory vs. reality. One thing he describes is the "most ineffective CAPTCHA of all time" (according to mainstream security theory). This "ineffective" CAPTCHA on a blog required exactly one thing: the user had to enter the word "orange."

Surprisingly, the blog received zero spam. The reason it's so effective is because it's different. Whereas CAPTCHA is a monoculture. Standard CAPTCHA fits into the economic model for spammers. But for spammers to adjust their behavior for just this one blog? It's not worth it for them.

Which is nothing to me - it has no direct user-benefit at all. And I'm paying the cost. So its really easy to be annoyed.

With respect, no. If you're on a domain with any kind of google juice, your comments will be absolutely over-run with viagra spam, fake designed purse spam, fake investment scams, etc, etc, etc. So, there is user benefit, if you consider having a site not vandalized to be of user benefit.

That's a straw man(?). There are other ways. Use them. It isn't 'captcha or nothing'.

They work even worse. Been there, done that.

> Which is nothing to me - it has no direct user-benefit at all.

It has a direct benefit to users who are readers (since it reduces the spam they are subject to) and users who are contributors of things they want read (since it reduces the spam that their contributions would otherwise be buried in).

Your attitude is like saying measles vaccinations are dumb because nobody you know has ever gotten measles.

Not at all. I'm not going to catch anything this website is worried about. I'm there for the features. There are other solutions besides 'captcha'. Use them, or lose me.

The primary function of a CAPTCHA is to act as a gatekeeper that a human can bypass while a not can not. The reCAPTCHA was a clever creation to put capture what would otherwise be fruitless labor.


Clever, in that it offends/ticks off record numbers of potential customers? I'm not impressed.

Clever in that it has captured hundreds of thousands (millions?) of person-hours of labor. reCAPTCHA is now being used to improve Street View CV and will ultimately contribute to automated driving. We were doing CAPTCHAs before, and reCAPTCHA improved upon that method of human verification. As for people like you that have trouble reading, why not just listen to the audio?

Why not just go somewhere else? If I have no vested interest in the site.

Could be the company performs whatever service better than the competitor and the time spent locating an alternative site would take longer than filling out a reCAPTCHA.

And who's to say that the competitor site won't employ human verification more annoying than reCAPTCHA?

Of course this depends on personal preference, but for me I loathe being asked for my phone number.

The internet is vast. I'll never know if they were better, because I voted with my feet (my mouse anyway).

We need reReCaptcha. When you solve your captcha request on a website with reReCaptcha, you're not just proving you're human; You're also helping to provide OCR to some spam bot to allow it to solve reCaptcha.

On some sites I see numeric ReCAPTCHAS, which are easy to solve. Others, though, have the sometimes-impossible alphabetical ones. Does the site developer have any control over which type shows up?

Unfortunately no. Recaptcha implemented a new feature recently that uses some sort of data to determine whether you are a bot or not. Unless it can know you are a human, you will get the hard alphabetical ones.

There is some sort of control though, going to the Google Account creation page will only give you easy captchas. Possibly an undocumented API or a custom build, we can't know for sure.

This could be a pretty damn good captcha replacement:


EDIT: I found their demo page.

Moving random objects to the right will let through about 10% of bots. Useless.

A lot of captcha systems have audio fallbacks (for the legally blind). If I can't figure out the obfuscated letters on the first try or two, I switch to the audio.

I've tried but the audio never seems to work (with ReCAPTCHA in particular).

Are you based in the US? I use proxies every once in a while to do some testing and notice that the captcha difficulty does vary depending where I am "from".

Totally agree, I never get it right first time around.

Recaptcha is just poor, full stop.

I'm a big fan of Funcaptcha, it's much easier to solve.


Simply randomly rotating the objects will let through a fair number of naive bots.

I played around with it for a while. It seems invalid attempts add another required item to the captcha queue. So if you are trying to solve the first one, and fail, it adds another one that the bot must attempt. I am not sure if this helps much, but it was noteworthy.

Botnetters have thousands of IP addresses to attack from. They can also use successful attempts to build a database of images used by this CAPTCHA

not sure regarding the security of the "alternative captchas" listed here.

but that aside, I have the same problem you have, can't solve them :S which is retarded, because they are meant to tell humans and robots apart, but apparently "everyone is a robot" is good enough.

Admins: Why punish all your users because of the actions of a few? Drop your reCAPTCHA today.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact