Ask HN: Are some signup CAPTCHAs becoming a bit ridiculous (yes you HN)?

It seems to me that any captcha worth breaking is already &quot;broken&quot;, given the existence of captcha farms - and I put broken in quotes because <i>technically</i>, with captcha farms, the captcha is working as designed, you&#x27;re just paying human beings to break them. The assumption, of course, that there is necessarily a difference between a &quot;spambot&quot; and a &quot;human being&quot; is not as true as it used to be.<p>Even so, the constant war of escalation between captchas and anti-captcha measures should eventually lead to the necessity to create a captcha which is impossible for most humans to decipher, once the capability of software to decipher them passes baseline human ability. At that point, just being able to solve the captcha would more or less prove you&#x27;re probably not a human being. So the basic model of &quot;text a human can read but a computer can&#x27;t&quot; is probably obsolete, and only still works due to the inertia of programmer laziness, and the fact that breaking captchas probably doesn&#x27;t have a ROI worth the trouble for most sites.<p>Constructing more subtle captchas present their own problems, in that they can make cultural assumptions about the user. If you&#x27;re also using the captcha as a community filter, this may be a feature though (for instance - having a site about anime set up a quiz about anime as a captcha, or having users solve complex programming puzzles.) Even so, any process which a human can perform through rote UI can be automated, so even those tests will fail. Most captchas are poorly designed and leak their solutions one way or another anyway. I&#x27;ve even seen a few posted here which seem to add their solutions in plaintext to the form as a hidden field or something.<p>I haven&#x27;t got a clue what Recaptcha can be replaced with once it&#x27;s thoroughly useless, but i&#x27;ve come to believe that captchas are one of those things it&#x27;s impossible to do correctly, just adequately most of the time.

The captcha on HN is temporary. We put it up to mitigate an attack while implementing a longer-term solution. Sorry for the inconvenience.<p>If we ask nicely, perhaps kogir will show up to say more.

Okay, you win HN, I created an account because the anti-captcha crowd is missing the point.<p>There&#x27;s a current bug in Recaptcha.<p>IPs that successfully solve too many captchas get given progressively more difficult challenges, which is fine, but currently Recaptcha is using the IP of the web servers, not the client. This means that the difficulty ramps up for all users quite quickly. It seems the iframe Recaptcha is permanently affected, if you use AJAX its fine after the first reload (I wrote a simple JS hack that makes it reload the first time, see www.mPoll.me)<p>Only noticed it because I was previously proxying Recaptcha through the server and it run its successful solutions up too high, so when the new bug came in it was immediately obvious what had happened when the first challenge is &quot;wthdyjikhgfyijv&quot; and on reload its &quot;fluffy bunny 18&quot;.<p>On my website I&#x27;m currently overwriting the Recaptcha callbacks to allow multiple captchas, just put in a simple check to reload it the first time:<p><pre><code> var reloaded = false; function reloadCaptcha(challenge) { $(&#x27;:input[name=recaptcha_response_field]&#x27;).val(&#x27;&#x27;); $(&#x27;img.recaptcha&#x27;).attr(&#x27;src&#x27;, &#x27;&#x2F;&#x2F;www.google.com&#x2F;recaptcha&#x2F;api&#x2F;image?c=&#x27;+challenge); $(&#x27;:input.recaptcha&#x27;).val(challenge); if(!reloaded) { reloaded = true; Recaptcha.reload(); } } Recaptcha.finish_reload = function(challenge,b,c){ reloadCaptcha(challenge); } Recaptcha.challenge_callback = function(){ reloadCaptcha(RecaptchaState.challenge); } Recaptcha.create(recaptchaKey);</code></pre>

For a throwaway account recently it took me &gt;20 tries to register an HN account.

Most CAPTCHA&#x27;s nowadays I find unnecessarily complex. Use tricks like timing form completion (&lt;50ms? Bot), hidden fields, etc, before ruining the UX with CAPTCHA.<p>Then again... does HN really care about UX? Token expiration after x time when browsing through the listings, ancient unresponsive design, etc.<p>There comes a point where it&#x27;ll be more cost effective for spammers to just farm out the solving of CAPTCHA&#x27;s to people in third-world countries. It just depends if there is enough value in spamming HN for them to bother (probably not, given the user-curated-and-rated content model.

The Facebook account delete CAPTCHA was literally impossible. I had to give up and use the audio option. Every step of the process made me happier I was doing it.

I don&#x27;t know that the research says about their effectiveness (hard to find through all the stuff on google) but I&#x27;ve liked the slider-based captchas I&#x27;ve seen:<p><a href="http://www.3dcaptcha.net/" rel="nofollow">http:&#x2F;&#x2F;www.3dcaptcha.net&#x2F;</a><p>Seems promising given that human visual processing and pattern recognition are lightening fast, and the slider is intuitive and kinda fun.<p>Anyone know how effective they are at stopping bots?

There have been several websites recently where I&#x27;ve given up because after 10 attempts or so I still can&#x27;t get the capcha right.

I sometimes think that people don&#x27;t really give much thought to some of the things that they do where they simply copy what others do.<p>My own personal pet peeve is people, on HN, who obscure their gmail address so that it can&#x27;t be slurped by bots.<p>I mean why not just use a dedicated gmail account, just for HN, rather than &quot;use my hn handle at that email service that everyone else uses generally&quot;. The dedicated account has spam protection and you can forward mail to your primary account as a filter if you want.<p>I have a couple of web forms with no spam protection at all. The amount of bots that I get isn&#x27;t so great that I need to trouble people to figure out a captcha. Much less a really difficult one.

Just today I found this:<p><a href="https://www.sublimetext.com/forum" rel="nofollow">https:&#x2F;&#x2F;www.sublimetext.com&#x2F;forum</a><p>Incredibly frustrating. A CAPTCHA that requires you to email for the code

We&#x27;re just using the standard reCAPTCHA (<a href="https://www.google.com/recaptcha/intro/index.html" rel="nofollow">https:&#x2F;&#x2F;www.google.com&#x2F;recaptcha&#x2F;intro&#x2F;index.html</a>). Maybe they&#x27;re harder because I don&#x27;t trust third party javascript and use the iframe version instead?<p>It sucks, and will shortly go away for most users. When previously our code would refuse or tell you to try again in a few hours, the captcha will be required instead.

&gt; Not sure if the intent is trying to stop bots<p>CAPTCHA does not stop bots. Captcha solving can, at the very least, be automated away. CAPTCHA&#x27;s do not work.

Some random ideas which I know are not perfect just putting it out here :<p>Taking an image and turning into a jigsaw puzzle.<p>Using a proof of work scheme similar to bitcoin.<p>Do a google image search for say fish . Take 5 of those images and put them on one side put two on the other alongside images of 10 other random objects. Ask the user to pick the two on the right similar to the ones on the left.

Try the audio version, it&#x27;s even worst!

May I suggest an alternative: paying a small fee to avoid&#x2F;replace captchas (say $1-10, or higher than the captcha farms pay...)<p>Also it seems like HN is using the older recaptcha (without numeric signs), I didn&#x27;t know you could choose your recaptcha &quot;version&quot; though.

HN uses reCAPTCHA, it can be bit frustrating sometimes. but its one time thing to get in .

If you like the image, just wait until you try the audio! Even more fun.

Is the actual link missing? Not sure where I&#x27;m supposed to look, anyway.

IMHO visual&#x2F;audio recognition based CAPTCHAs are a dead end.