I was unaware how abysmal the voice versions of some CAPTCHAs were until I tried one a week ago, having failed 5 times to register for an account somewhere. It was completely intelligible. If that was the standard, blind people must be completely incapable of registering for most sites (never mind the constant breaches of accessibility most sites engage in).
Instead of captchas, which I can't stand doing myself and didn't want to impose on my site users, I implemented a three-pass filter for anonymous comments:
1. Answer a simple math question (e.g. "What do you get if you multiply 5 by 1?").
2. Hidden form field that is supposed to stay empty.
3. Spam word filter ("cialis", "levitra", etc.).
After I put this in place a couple of years ago, the daily number of spam comments my site got dropped from 200 to zero. I was worried that it wouldn't last, but to this day I've only had to delete about five spam comments in total - and they were posted in registered user accounts.
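An added example, not part of the thread and not the commenter's code: a Python sketch of the three-pass filter described in the comment above. The form field names, the HMAC-signed challenge (so the server does not have to store the expected answer) and the function names are assumptions.

```python
import hashlib
import hmac
import re
import secrets

SECRET = secrets.token_bytes(32)      # per-deployment signing key (assumption)
SPAM_WORDS = {"cialis", "levitra"}    # the two words named in the comment
HONEYPOT = "website"                  # hypothetical hidden field, hidden via CSS

def _sign(answer: int, nonce: str) -> str:
    msg = f"{nonce}:{answer}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def new_challenge():
    """Return (question text, hidden fields to embed in the comment form)."""
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    nonce = secrets.token_hex(8)
    question = f"What do you get if you multiply {a} by {b}?"
    return question, {"nonce": nonce, "sig": _sign(a * b, nonce)}

def check_comment(form: dict) -> str:
    """Return 'ok', or the name of the first pass that rejected the comment."""
    # Pass 1: the math answer must match the signed challenge.
    # A signed challenge stays valid until SECRET changes; storing used
    # nonces server-side would be needed to make each one single-use.
    try:
        answer = int(form.get("answer", "").strip())
    except ValueError:
        return "math"
    expected = _sign(answer, form.get("nonce", ""))
    if not hmac.compare_digest(expected.encode(), form.get("sig", "").encode()):
        return "math"
    # Pass 2: the hidden field must come back empty.
    if form.get(HONEYPOT, ""):
        return "honeypot"
    # Pass 3: whole-word, case-insensitive match against the spam word list.
    words = set(re.findall(r"[a-z0-9]+", form.get("body", "").lower()))
    if words & SPAM_WORDS:
        return "spam_word"
    return "ok"
```

Logging which pass rejected each submission shows which of the three is doing the work and when one of them stops being effective.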
If you have a high-value site, none of those will work. By making your form different than the masses, you've protected yourself from common attacks. Diversity is good.
However, if you are implementing a sign-up form for an email service there really isn't a great way to detect fraudulent signups without using a captcha.
That being said, the end game is that the bots will be able to detect anything a human can. Already, they can detect better than elderly or disabled humans. The path to take in this is to get better at automatically detecting behavior we don't want (whether via human or bot) and to block or delete it.
I think the simplest solution is adding your phone number and have the website call you back with the first password. Granted it's not anonymous for the user and not free for the website. You would still need to ban accounts that generated spam, but that now becomes a useful tool.
We did this with a PHPBB install (which are awful for spam). We added one custom question to the registration (check this box if you're not human) and we instantly got rid of 99.9 percent of our bot spam problems.
Obviously it has failed to receive widespread adoption to date, but I've always thought that the hashcash concept was technically sound, and generally applicable for both web and email.
Google and OpenID providers should host captchas and keep track of pass rates. I'm getting sick of doing 5 captchas on stackoverflow every time I ask and revise a question. I've easily done several hundred of them, I'm not a bot for chrissake.
Sorry, they can't do that. Then an attacker could do one or a small number of CAPTCHAs, and then use the now-proven-"good" account to do some amount of mischief before getting shut down, where the amount of mischief is proportional to how much Google et al accommodate your otherwise-reasonable request.
Trust can be more than a boolean, and P(captcha) can be proportional to my trust. I bet of the people who have done hundreds of captchas on stackoverflow, exactly zero of them are going to bot their accounts.
Whew, it's not just me then. I've never been a fan of captchas, they're only useful to the extent that a fake account/transaction has a lower economic cost than the price of hiring someone for 2 minutes on Mechanical Turk.
The main thing that they are used for is protecting against spam, which has a very low dollar to account/post ratio, almost certainly lower than the cost to use Mechanical Turk.
I've always been interested in truly alternative captcha designs. I like the "math problem" idea or even something crazier like reading the time of an analog clock?
These piss me off more than job interviewers that ask me how I would make a bicycle for a blind man or how to figure out how much a plane weighs, etc...
That's a lie. I find those questions more amusing, but I hope my point is still seen =p