My friend showed me this after trying to sign up for HN. There’s now a CAPTCHA when you sign up which is more than difficult to answer... mostly because the text is so difficult to read it doesn't look like English.
Not sure if the intent is trying to stop bots or trying to stop anyone who doesn’t want to spend 10 guessing characters.
Oh, and if you think the text CAPTCHA is hard… listen to the audio puzzle (get your pen and paper ready).
It seems to me that any captcha worth breaking is already "broken", given the existence of captcha farms - and I put broken in quotes because <i>technically</i>, with captcha farms, the captcha is working as designed, you're just paying human beings to break them. The assumption, of course, that there is necessarily a difference between a "spambot" and a "human being" is not as true as it used to be.<p>Even so, the constant war of escalation between captchas and anti-captcha measures should eventually lead to the necessity to create a captcha which is impossible for most humans to decipher, once the capability of software to decipher them passes baseline human ability. At that point, just being able to solve the captcha would more or less prove you're probably not a human being. So the basic model of "text a human can read but a computer can't" is probably obsolete, and only still works due to the inertia of programmer laziness, and the fact that breaking captchas probably doesn't have a ROI worth the trouble for most sites.<p>Constructing more subtle captchas presents its own problems, in that they can make cultural assumptions about the user. If you're also using the captcha as a community filter, this may be a feature though (for instance - having a site about anime set up a quiz about anime as a captcha, or having users solve complex programming puzzles.) Even so, any process which a human can perform through rote UI can be automated, so even those tests will fail. Most captchas are poorly designed and leak their solutions one way or another anyway. I've even seen a few posted here which seem to add their solutions in plaintext to the form as a hidden field or something.<p>I haven't got a clue what Recaptcha can be replaced with once it's thoroughly useless, but I've come to believe that captchas are one of those things it's impossible to do correctly, just adequately most of the time.
The captcha on HN is temporary. We put it up to mitigate an attack while implementing a longer-term solution. Sorry for the inconvenience.<p>If we ask nicely, perhaps kogir will show up to say more.
Okay, you win HN, I created an account because the anti-captcha crowd is missing the point.<p>There's a current bug in Recaptcha.<p>IPs that successfully solve too many captchas get given progressively more difficult challenges, which is fine, but currently Recaptcha is using the IP of the web servers, not the client. This means that the difficulty ramps up for all users quite quickly. It seems the iframe Recaptcha is permanently affected, if you use AJAX it's fine after the first reload (I wrote a simple JS hack that makes it reload the first time, see www.mPoll.me).<p>Only noticed it because I was previously proxying Recaptcha through the server and it ran its successful solutions up too high, so when the new bug came in it was immediately obvious what had happened when the first challenge is "wthdyjikhgfyijv" and on reload it's "fluffy bunny 18".<p>On my website I'm currently overwriting the Recaptcha callbacks to allow multiple captchas, just put in a simple check to reload it the first time:<p><pre><code>var reloaded = false; // set once the forced first reload has happened

// Point the page's own captcha image and hidden input at a new challenge.
function reloadCaptcha(challenge) {
    $(':input[name=recaptcha_response_field]').val('');
    $('img.recaptcha').attr('src', '//www.google.com/recaptcha/api/image?c=' + challenge);
    $(':input.recaptcha').val(challenge);
    // Discard the very first challenge by asking for another one, once.
    if (!reloaded) {
        reloaded = true;
        Recaptcha.reload();
    }
}

// Override the library's callbacks so every new challenge goes through reloadCaptcha.
Recaptcha.finish_reload = function (challenge, b, c) {
    reloadCaptcha(challenge);
};
Recaptcha.challenge_callback = function () {
    reloadCaptcha(RecaptchaState.challenge);
};
Recaptcha.create(recaptchaKey);</code></pre>
Most CAPTCHAs nowadays I find unnecessarily complex. Use tricks like timing form completion (<50ms? Bot), hidden fields, etc, before ruining the UX with CAPTCHA.<p>Then again... does HN really care about UX? Token expiration after x time when browsing through the listings, ancient unresponsive design, etc.<p>There comes a point where it'll be more cost effective for spammers to just farm out the solving of CAPTCHAs to people in third-world countries. It just depends if there is enough value in spamming HN for them to bother (probably not, given the user-curated-and-rated content model).
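Added example (not from the comment above and not HN's code): a server-side version of the timing and hidden-field checks that comment suggests, written for Node.js. The field names `form_token` and `website`, the one-hour token lifetime and the use of the comment's 50 ms figure as the threshold are assumptions.

```javascript
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32);  // server-side secret, never sent to the client
const MIN_FILL_MS = 50;                 // assumption: the "<50ms? Bot" figure from the comment
const MAX_AGE_MS = 60 * 60 * 1000;      // assumption: tokens expire after one hour

function sign(data) {
  return crypto.createHmac('sha256', SECRET).update(data).digest('hex');
}

// On render: put this in a hidden field (assumed name: form_token). The HMAC
// binds the issue time so a client cannot backdate it to look slower.
function issueFormToken(now = Date.now()) {
  return `${now}.${sign(String(now))}`;
}

// On submit: `fields` is the parsed POST body. `website` is a hypothetical
// honeypot input hidden with CSS, which a person never fills in.
function screenSubmission(fields, now = Date.now()) {
  const [issued, mac] = String(fields.form_token || '').split('.');
  const got = Buffer.from(String(mac));
  const want = Buffer.from(sign(issued));
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { verdict: 'reject', reason: 'bad-token' };
  }
  const elapsed = now - Number(issued);
  if (elapsed < 0 || elapsed > MAX_AGE_MS) return { verdict: 'reject', reason: 'expired' };
  if (fields.website) return { verdict: 'challenge', reason: 'honeypot-filled' };
  if (elapsed < MIN_FILL_MS) return { verdict: 'challenge', reason: 'too-fast' };
  return { verdict: 'accept', reason: 'ok' };
}

// Constructed sample: a form rendered at t0 and posted 40 ms later.
const t0 = 1700000000000;
console.log(screenSubmission({ form_token: issueFormToken(t0), website: '' }, t0 + 40));
```

A `challenge` verdict is where a CAPTCHA would be shown; everything else is decided without one.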
The Facebook account delete CAPTCHA was literally impossible. I had to give up and use the audio option. Every step of the process made me happier I was doing it.
I don't know what the research says about their effectiveness (hard to find through all the stuff on Google) but I've liked the slider-based captchas I've seen:<p><a href="http://www.3dcaptcha.net/" rel="nofollow">http://www.3dcaptcha.net/</a><p>Seems promising given that human visual processing and pattern recognition are lightning fast, and the slider is intuitive and kinda fun.<p>Anyone know how effective they are at stopping bots?
I sometimes think that people don't really give much thought to some of the things that they do where they simply copy what others do.<p>My own personal pet peeve is people, on HN, who obscure their gmail address so that it can't be slurped by bots.<p>I mean why not just use a dedicated gmail account, just for HN, rather than "use my hn handle at that email service that everyone else uses generally". The dedicated account has spam protection and you can forward mail to your primary account as a filter if you want.<p>I have a couple of web forms with no spam protection at all. The amount of bots that I get isn't so great that I need to trouble people to figure out a captcha. Much less a really difficult one.
Just today I found this:<p><a href="https://www.sublimetext.com/forum" rel="nofollow">https://www.sublimetext.com/forum</a><p>Incredibly frustrating. A CAPTCHA that requires you to email for the code.
We're just using the standard reCAPTCHA (<a href="https://www.google.com/recaptcha/intro/index.html" rel="nofollow">https://www.google.com/recaptcha/intro/index.html</a>). Maybe they're harder because I don't trust third-party JavaScript and use the iframe version instead?<p>It sucks, and will shortly go away for most users. When previously our code would refuse or tell you to try again in a few hours, the captcha will be required instead.
> Not sure if the intent is trying to stop bots<p>CAPTCHA does not stop bots. Captcha solving can, at the very least, be automated away. CAPTCHAs do not work.
Some random ideas which I know are not perfect, just putting it out here:<p>Taking an image and turning into a jigsaw puzzle.<p>Using a proof of work scheme similar to Bitcoin.<p>Do a Google image search for, say, fish. Take 5 of those images and put them on one side, put two on the other alongside images of 10 other random objects. Ask the user to pick the two on the right similar to the ones on the left.
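Added example (not from the comment above): the proof-of-work idea in that list as a hashcash-style form challenge in Node.js. The choice of SHA-256, the "leading zero bits" difficulty rule and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Count the leading zero bits of a digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    bits += Math.clz32(byte) - 24;   // clz32 works on 32 bits; a byte uses the low 8
    break;
  }
  return bits;
}

function digest(challenge, counter) {
  return crypto.createHash('sha256').update(`${challenge}:${counter}`).digest();
}

// Server: issue a fresh random challenge with each form and remember it,
// so a solved challenge cannot be replayed for a second submission.
function newChallenge() {
  return crypto.randomBytes(16).toString('hex');
}

// Client: search for a counter. Expected cost is about 2^difficulty hashes.
function solve(challenge, difficulty) {
  for (let counter = 0; ; counter++) {
    if (leadingZeroBits(digest(challenge, counter)) >= difficulty) return counter;
  }
}

// Server: checking a submitted counter costs a single hash.
function verify(challenge, counter, difficulty) {
  return Number.isSafeInteger(counter) && counter >= 0 &&
    leadingZeroBits(digest(challenge, counter)) >= difficulty;
}

// Constructed run: 12 bits is roughly 4,096 hashes of client work.
const challenge = newChallenge();
const counter = solve(challenge, 12);
console.log({ challenge, counter, ok: verify(challenge, counter, 12) });
```

This prices each submission in CPU time rather than telling people from programs, so the difficulty has to be set against what a slow phone can tolerate.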
May I suggest an alternative: paying a small fee to avoid/replace captchas (say $1-10, or higher than the captcha farms pay...)<p>Also it seems like HN is using the older recaptcha (without numeric signs), I didn't know you could choose your recaptcha "version" though.