I understand why people don't like captchas - specifically recaptcha - but I believe it's a 'necessary' evil. Many small startups and hobby sites don't have the resources to roll their own bot prevention/detection or subscribe to paid captcha solutions. Without recaptcha, these sites likely wouldn't exist or would be few and far between.<p>> Your service could still be at risk, even with a CAPTCHA in place. Advances in computer imaging and the use of CAPTCHA farms means some bots will still be able to access your service.<p>I don't think anyone will tell you that captchas are a 100% effective method at preventing automated/falsified actions. The main reason they are so widely used and generally the 'one stop shop' for bot prevention is that it increases the cost of attacking your service. Without them, an attacker could set up a simple loop that gets a site's csrf token and attempts a username/password combination. With them, an attacker does have to have a bot with "advances in computer imaging" or will have to rent a click farm. ReCaptcha is fairly good at preventing these two anyways since they will often blacklist a client[0] while still collecting the known good captcha answers for their car NN.<p>> Alternatives to CAPTCHAs<p>Transaction monitoring can be effective, but costly. Honeypots are only effective against non-targeted attacks, as an attacker can just submit one form themselves and see the browser's network request and know what to send to look like a regular browser. Rate limits are also pretty easy to bypass, new IPs are easy to obtain since every VPS provider I know hands them out like candy (the only cost to this is not getting kicked off the provider).<p>0: <a href="https://news.ycombinator.com/item?id=16164549" rel="nofollow">https://news.ycombinator.com/item?id=16164549</a><p>---<p>For the UK government, I do expect them to employ better mechanisms than captchas to protect their services. But without them, there would be even less small communities than there are now. They may be up at the mercy of Google, but nothing is done without the permission of the biggest companies.