Aside from the fact I find CAPTCHA's annoying, face it, if someone wants to crack a code they will. CAPTCHA's are like locks on a door - they keep honest people honest, nothing more.

Marshall

I had an interesting reading two months about the death of Captcha. It's in French but very detailed with all technics used and even links to Mass Captcha Graber (no links here, just PM).

They said that even the Firefox extension called Captcha Killer had a 80% success when tested on Yahoo pages although it was a bit long (25 s to 4 min) - so it is indeed the dead of captcha.

They mention the ASIRRA (Animals Species Image Recognition for Restricting Access) launched by Microsoft and inspired by the unethic HotCaptcha (where the user has to choose the 3 hottest persons amongst 9 pictures).

They say that 3D Captcha will never be implemented since they can also be cracked and are heavy on resources.

<edit>Sorry it it looks like a PHP post, I did not pay enough attention, I was under the impression that it was in PHP and not in "general"</edit>

Here is my captcha implementation:
1) find a free font “funky enough” bur still readable
2) use the resulting number/lower/upper-case combo ($str_1) and make it a session (SESSION_A)
Next: mingle $str_1 with $_SERVER[‘HTTP_USER_AGENT’] then md5 the new str and create a session (SESSION_B)
3) pass to the landing page SESSION_A and SESSION_B
Still on the landing page, again, create SESSION_C to be a new combo of SESSION_A and SERVER[‘HTTP_USER_AGENT’]

What we do is to recreate a new session on the landing page to assure that the landing page is view by the intended user.

Compare SESSION_B and SESSION_C obviously if the sessions do not match then
Even if the captcha was properly entered, “the page view” will fell due to false USER_AGENT

Hopefully the future of CAPTCHA will not include any of those illegible text images and the like. There are many other ways to implement a CAPTCHA without that.

The future of CAPTCHA will need to be be imperceptible to the user, or innocuous enough not to impede the exchange of information. The stuff we have today is ineffective and unaccessible.

There's plenty of development going on, and no doubt that even the crudest captcha at least keeps out the crudest of bots.

Slightly more sophisticated systems are still keeping out slightly more sophisticated spammers "3+6=?", for example, seems to stop most bots or at least slow them down.

Other simple ideas can stop spammers in their tracks - using weird parameters in forms (email=aardvark", name="trolley") is simple and makes for blank forms at worst, total block at best.

Only a spammer would wish for the demise of captcha; honest folks will be content if it evloves just a little faster than the average spammer.

You don't expect to win against spamers; just hope to stay ahead. There's always been cheats in all walks of life, and likely there aways will be.

Putting & and ? in field names stops a huge portion of bots dead in their tracks.

<input name="email&address" value="">
ends up as:
?email&address=spam@attempt.foo

Future of Captcha = reCaptcha
reCAPTCHA is a free CAPTCHA service that helps to digitize books.

[recaptcha.net...]

We have implemented this on majority of sites and easilt able to fight back more then 95% of spam registrations.

No, there is no future in image-based CAPTCHAs and there never has been. See W3C.org/TR/turingtest. Everyone using eyetests to lock out some humans as well as robots deserves to be spammed to hell.

reCAPTCHA has an audio alternative (my hearing is imperfect too), but seems to require scripts and cookies and other undocumented things in most implementations, so still doesn't work.

If you want to fight spam, please fight spam. You can score keyphrases and RBL hits, add preview steps, include time-limited hidden form tokens, sleep() in your form action script and so on.

Please don't fight imperfect humans.

MJR, a human with imperfect eyesight.

For the last couple of years I have been successfully using a simple question on my forms and since doing so I have not had a single problem.

This has been discussed before but all I do is ask a simple question, not mathematical but something obvious only to a human e.g, "What colour is blood"? If you want to ask a more complex question you can do so and even provide the answer in the text comments on your form. AFAIK there is no automated process that can beat this?

I am no expert at these things but is there any way to crack this other than have a human entering the right answer? If so, isn't this better than any captcha?

Stands back waiting to be corrected. ;)

Hi BeeDeeDubbleU - yes, that's a better CAPTCHA than image-tests. However, people with poor English-language skills will struggle with them. That may be less of a problem for your application, but in general, it's still not a real anti-spam tactic - it's anti-spam-by-proxy.

However, people with poor English-language skills will struggle with them.

This need not be a problem. There is an infinite number of ways of offering the answer in a way that is oblique enough to hide it from spammers and language need not be a problem. For example put an image or a word somewhere obvious on the page and ask the enquirer to input that word to the required form field.

it's still not a real anti-spam tactic

Why ever not?. If it stops spam then it it is anti-spam and it has worked for me for more than two years without a single problem.

It is very temporary solution. Imagine a big service that is specifically targetted. Unless they come up with changing questions constantly, the answers to such questions are just given to bots and 100% get through rate. Any automatically generated questions (items assosciated with colors, sentence strutctures used, etc.) can also be automatically solved.

The next level of captchas might well be "Choose which one of these ten images is out of ordinary" with one of them having a huge shoe shopped to be next to eiffel tower to rival it in size...

But all captchas can be broken and all bots pretend to be people. If by no other ways, get a few humans to do 14 hour days cracking captchas for bots to get them past registarations and pay them a few dollars a month.

I think that the community reviewing is the only way. For example, wordpress blog platform has Akismet plugin. Akisment prevents anyone from commenting if others using that plugins have marked those addresses as spammers. Prevents spamming quite efficiently.

[edited by: engine at 12:41 pm (utc) on July 17, 2008]

I figure the only way CAPTCHA will work in the long term is when there are legal teeth behind it and a way to get serious compensation from the owner of the machine running the bot.

It might not be a silver bullet deterrent for spam but I think there is still some value in CAPTCHAs. I think sites with CAPTCHAs appear more legitimate. Also I like to use relevant keywords for CAPTCHAs so it sorta helps branding (ok not really). It also hampers the low level spammers and non-tech competitors who are looking to sabotage. Let's not forget the search engines are getting better at crawling forms and CAPTCHAs might be a good hurdle to add if you don't want them doing that.

As for stopping the high level spammers I would use CAPTHCHAs in combination with an email field that should be left blank. Those bots love to fill in email fields even when there is an image on the page saying to leave it blank.

Any automatically generated questions (items assosciated with colors, sentence strutctures used, etc.) can also be automatically solved.

The key is having a unique question, for example on one form the company has a two word name and you ask whats the first word in the company name. Keep the question simple to answer but unique.

I used this on phpbb2 before switching to phpbb3 and all my forms. There wasn't a single bot registration on my forum for better than a year that I had it implemented nor have I seen any spam through the forms.

Those bots love to fill in email fields even when there is an image on the page saying to leave it blank.

I would think a lot of real people would get caught in that, phpbb2 had a great mod that used a similar technique though. You removed the website field from the form, since the bots were automated they never loaded the form and directly posted the fields. Any registration that had the website field would get the IP banned immediately.

I like the idea of stacking solutions Using CSS to hide the bot-trap field is simple and relatively effective. Add in a non-ridiculous CAPTCHA and a human question, and you'll knock out masses of bots.

Really, there are two levels of solutions. A site like Yahoo needs a different approach than a smaller site that won't get a lot of individual human spammer attention.

CAPTCHA is still alive and working, though it is fading in relevance over time.

It is best used in combination with other techniques, such as required blank form fields, Akismet, and a good crew of moderators. The goal isn't to block 100% of Spam registration, posts, or comments. The goal is (for me at least, in the cases where I use it) to keep the Spam down to a slow enough trickle that the Moderators can keep a grip on things.

Couple of key ways to keep CAPTCHA kicking for another few years on your site (if you are so inclined):

#1 Replace the library of images and answers you got when you downloaded the CAPTCHA system you're using. 90% of all bot based CAPTCHA defeating systems rely on the limited question/response list. There are stunningly few CAPTCHA libraries out there, and if you just implement the stock library you got with your CAPTCHA software, you're making life easy for the bots. They already have that library, trust me.

#2 The other %10 of CAPTCHA defeating bots rely on rapidly improving OCR technology, and there is still a way to defeat this with image based CAPTCHA. Instead of using distorted text in the CAPTCHA image, leave the text as bold and readable as you like (which even helps Usability for people like Slef). The trick? Animate the text. Using an animated GIF that has the text slide back and forth or up and down, defeats OCR software in almost every case.

Just my 2cents.

Like BeeDeeDubbleU I've found the unique question approach to be very effective. You have to be quite careful about wording, however, and sometimes you even have to set up the code to accept alternative answers. So if you ask what colour blood is, you might accept scarlet and crimson as well as red, and also typos. Also, it's not a bad idea to test out your questions on a few people first: you might think you're asking something obvious, but other people have a different idea.

I agree that anyonewho uses a captcha needs to include an option for those who have limited sight, but - at this time - captcha (including the various permutations described above) is a key component in blocking bot spam; it's simply a fact that sites using them have better spam protection than those that don't, so dismissing captchas on that basis is like saying "no lock will keep out every burglar, so I'll leave the front door open".

Don't lose soght of the fact that many bots are feeble, most spammers are lazy and / or stupid (why else would they pst on nofollow sites?), and / or opportunistic.

No line of defense can be dismissed ... until a better one comes along.

So if you ask what colour blood is, you might accept scarlet and crimson as well as red, and also typos.

Actually I usually offer the answer CAPITALISED on a drop down list to make it obvious. I realise that this could make it less effective but it has always worked for me.

Incidentally I have built small websites for some people without this technique and the spammers almost always find them. This proves (to me anyway) that it does work.

The problem with any captcha that is multiple choice, drop down, or "pick one of these" in nature is that the bots have 1/n chance of just randomly choosing the correct solution. Have 10 pics to choose from? 1/10 chance to guess it. These are prone to brute force techniques.

The linked article (like all the others over the last few years claiming CAPTCHA is dead) shamelessly ignores the fact that no one has ever created a bot that can break any CAPTCHA it comes across... Or come remotely close.

Even the most sophisticated OCR is so far away from this goal that it's not even really possible to guess when it will get there.

Yes it's possible to create a bot that can get past an individual CAPTCHA from a large site or software package, and even to create one that will break certain similar generic CAPTCHAs, but that's it.

If you use custom a CAPTCHA instead of mass distributed software then it will work just as well as it would have 5 years ago.

If by some chance a hacker decides to target your CAPTCHA specifically then you change it and the problem is again solved.

In addition, because OCR isn't any good at reading text that has been obfuscated, even successful CAPTCHA crackers often rely on some level of brute force, which can easily be detected and blocked.

Also should be noted that a CAPTCHA doesn't have to be an image. Examples like the one BeeDee posted are also CAPTCHAs. There are so many different possible ways to implement a CAPTCHA that, even if travellers from the future give us advanced OCR technology, CAPTCHAs will never be dead.

I remember in the days before napster to download music you'd have to find an FTP host and then go to a sponsor site to find a word or phrase to type in. If people are genuinely interested in a free service I think most will jump through a few hoops to get it. It shouldn't be too hard to come up with some dynamic questions that are beyond a bot's capabilities but still easier for a human to answer than nearly unreadable CAPTCHA.

Using an animated GIF that has the text slide back and forth or up and down, defeats OCR software in almost every case.

wouldn't they just scan the first frame of your animated gif - so moving around would annoy a human being but not the bot?

Why ever not?. If it stops spam then it it is anti-spam and it has worked for me for more than two years without a single problem.

Eyetests, general knowledge questions, treasure hunts or similar are not anti-spam. There is nothing in them which is trying to detect or combat spam for being spam in any way. They are anti-simplistic-bot at best. Even a moderately customised bot can beat them, as others have pointed out. The BBC has reported on porno being used to reward dumb humans for cracking them for spammers, too.

Any spam reduction effect from CAPTCHAs is merely temporary, a side-effect of making your site less easy than some other site. As soon as enough other sites deploy real anti-spam, making it impossible to get links quickly from them, they'll be back to your site. After all, you've got no anti-spam protection.

For what it's worth, I have built some CAPTCHA-free sites, with tricks like multi-stage form submission with small delays, tokens and keyphrase-scoring. They get ridiculously little spam. Telling Computers and Humans Apart (the TCHA of CAPTCHA) is a red herring.

Not so.

Whatever the 'theory', CAPTCHA works. Maybe not in 100% of cases - but close enough for 99% of sites.

Alternatives that ARE 100% ('at this moment in time') are usually far more complex, code heavy and / or expensive.

By all means propose alternatives that work - the more the merrier - but why the need to pretend that captcha doesn't work, when it so very obviously does?

Your arguments simply don't make sense.

For me the only benefit is that it stops the most lazy spammers/scrapers. So the CAPTCHA needs to be there, sorta like a first line of defense.

It clearly isn't a viable security measure though - not just because it's easily cracked. If the information/asset/resource the CAPTCHA is protecting is valuable enough it's pretty simple just to hire someone willing to work for $5 an hour to sit there, look at the CAPTCHA and enter the code. This cracks CAPTCHA's, secret questions and anything else around today designed to prevent non-humans from filling out a form.

it's pretty simple just to hire someone willing to work for $5 an hour to sit there, look at the CAPTCHA and enter the code

if (!from_target_market($remote_ip)) fake_success_page();

I don't know about you... but in the places where valid customers come from, you don't get too many computer literate applicants at $5/hour.

if (!from_target_market($remote_ip)) fake_success_page();

True - but in my area the concern isn't fake orders, it's scraping of information.