
The issue isn't just that humans struggle with them or that bots are getting better or whatnot, it's because there's no way to make a captcha that works across multiple websites like a standard 'library' and expect it to remain uncracked. Anything that becomes common will be attacked and defeated, because there becomes a financial incentive for spammers and no-gooders to do so.

The solution is to make captchas that are bespoke to each site, since it means the same bot or script can't be used on every one and spammers have to go out of their way to crack each one. You can already see this right now; sites with their own systems generally get no spam at all.

But given that most people aren't programmers, well it means they're stuck with mainstream captcha systems which present a giant target to the internet's ne'er-do-wells.

Niche sites can avoid the issue with topic specific questions though.

This doesn't really hold water.

1. It's not feasible for various websites to implement their own custom CAPTCHA formats. Building custom CAPTCHAs is a lot of work.

2. The custom CAPTCHA tasks wouldn't be that different from each other. As the article discusses, image/text/audio recognition are some of the only universal tasks that can work for CAPTCHA.

3. Nothing is stopping a malicious actor from implementing a "check which type of captcha" function and then selecting one of several CAPTCHA cracking functions. Fragmentation of CAPTCHA format just delays the cat and mouse game.

4. Some custom captchas, like the chess captcha, are actually not even that difficult for computers to solve. https://nakedsecurity.sophos.com/2013/03/12/chess-captcha/


1. As I said, this is a huge reason stuff like Recaptcha exists, and why custom ones can't work here, even if they're probably better if done correctly.

2. You can also use stuff like timing how long it takes someone to fill in the field, hiding form fields with CSS or JavaScript, randomising field input names, checking the referrer, etc. All these come up in tutorials about captchas.

3. You could ask them niche specific questions instead of requiring them to do general tasks. This is what I do with all topical internet forums and sites; have a wide array of custom written questions on the topic in place of stuff a bot can easily figure out. For instance, all questions on Wario Forums are about Wario Land and WarioWare games, not things meant to be 'culturally neutral'.
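The cheap form-level checks listed in point 2 (timing the fill, a CSS-hidden honeypot field, randomised field names, a referrer check), as an added Python example that is not part of the thread. The SERVER_SECRET, SITE_HOST and the timing thresholds are assumed placeholders; the HMAC-bound timestamp is one way to stop a client from forging an earlier start time.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlparse

# Assumed placeholders: a real deployment loads these from configuration.
SERVER_SECRET = b"example-secret-do-not-use"
SITE_HOST = "forum.example"   # assumed hostname of the site serving the form
MIN_FILL_SECONDS = 3.0        # assumed: a human needs at least this long
MAX_FILL_SECONDS = 3600.0     # assumed: stale forms are rejected as well


def field_name(nonce: str, label: str) -> str:
    """Derive a per-render input name, so a replayed form posts to stale names."""
    digest = hmac.new(SERVER_SECRET, f"{nonce}:{label}".encode(), hashlib.sha256).hexdigest()
    return f"f_{digest[:12]}"


def issue_form_token() -> dict:
    """Server side: the hidden values the registration form ships with.

    The nonce makes the honeypot and real field names differ per render; the
    timestamp is MACed together with the nonce so the client cannot backdate it.
    """
    nonce = secrets.token_hex(8)
    issued_at = str(int(time.time()))
    mac = hmac.new(SERVER_SECRET, f"{nonce}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    return {
        "nonce": nonce,
        "issued_at": issued_at,
        "mac": mac,
        "message_field": field_name(nonce, "message"),   # the real input
        "honeypot_field": field_name(nonce, "website"),  # hidden with CSS, must stay empty
    }


def check_submission(form: dict, referrer: Optional[str], now: float) -> list:
    """Return the reasons a submission looks automated; an empty list means pass."""
    nonce = form.get("nonce", "")
    issued_at = form.get("issued_at", "")
    expected = hmac.new(SERVER_SECRET, f"{nonce}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(form.get("mac", ""), expected):
        return ["token tampered or missing"]  # nothing else in the form is trustworthy

    reasons = []
    elapsed = now - int(issued_at)
    if elapsed < MIN_FILL_SECONDS:
        reasons.append("filled too fast")
    elif elapsed > MAX_FILL_SECONDS:
        reasons.append("form too old")

    # Honeypot: scripts that fill every input they find reveal themselves here.
    if form.get(field_name(nonce, "website")):
        reasons.append("honeypot filled")

    # Randomised name: a script hard-coded to post 'message' misses the real field.
    if not form.get(field_name(nonce, "message")):
        reasons.append("expected field missing")

    # Referrer: a weak signal, since browsers and privacy tools may strip it, so
    # only a referrer that is present and foreign counts against the submission.
    if referrer is not None and urlparse(referrer).hostname != SITE_HOST:
        reasons.append("foreign referrer")
    return reasons
```

The check returns reasons rather than a boolean so the caller can decide which signals are hard rejects (tampered token, honeypot) and which merely raise suspicion (missing referrer, slightly fast fill) and log them for the per-site tuning the thread discusses.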


#3 (a rotation of specific questions) is definitely a measure some sites could use, but as you point out, it's incredibly niche -- I've only ever seen it on forums. For example, what questions could Reddit ask you? Wario Forums is pretty much the ideal on the niche spectrum, so it's not a very useful baseline for comparison.

I rotated questions on the /register page for a large forum I run, but as my forum became more popular and more of a spam magnet, my attackers simply built a lookup table of my questions->answers. I regressed back to Recaptcha.

Another problem is that I was surprised how many legit users would be pruned out by a simple question like the equivalent of "what color is Wario's hat?" for, say, a forum that covers games in general. I did basic stat tracking on the pass-rate per question to know which were bad ones, and it seemed pretty random which ones users had trouble with. Or they'd accidentally be riddles like (made-up example) "How many triangles in a triforce?" 3? 4? 5?

And people would finally register and complain on the forum that a seemingly trivial question was too hard. Or they didn't know what "the website footer" was.

At a point, especially if you're not so extreme on the niche/theme spectrum, Recaptcha was the better trade-off.

I've said this in another comment, but I'd love to see an HN submission where we discuss anti-spam/anti-abuse strategies instead of just doing the easy thing of bashing Recaptcha.
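The per-question pass-rate tracking described above (to spot questions that accidentally turn into riddles or prune legitimate users), as an added Python example that is not part of the thread. The question texts, accepted answers, thresholds and the replayed registration attempts are all constructed; the automatic retirement of low-scoring questions is an assumed policy, not something the commenter describes.

```python
import random
from collections import defaultdict

# Constructed sample pool: each question maps to the set of accepted answers.
QUESTIONS = {
    "What colour is Wario's hat?": {"yellow"},
    "How many triangles are in a Triforce?": {"3"},   # accidentally a riddle: 3? 4? 5?
}


class QuestionPool:
    """Rotating pool of topical registration questions with per-question stats."""

    def __init__(self, questions, min_samples=20, min_pass_rate=0.6, rng=None):
        # Accepted answers are normalised once so grading tolerates case/spacing.
        self.questions = {q: {self.normalise(a) for a in answers} for q, answers in questions.items()}
        self.min_samples = min_samples      # don't judge a question on a handful of tries
        self.min_pass_rate = min_pass_rate  # below this, too many real users are pruned
        self.rng = rng or random.Random()
        self.attempts = defaultdict(int)
        self.passes = defaultdict(int)
        self.retired = set()

    @staticmethod
    def normalise(answer):
        return " ".join(answer.strip().lower().split())

    def pick(self):
        """Rotate among questions that have not been retired."""
        active = [q for q in self.questions if q not in self.retired]
        if not active:
            raise RuntimeError("no active questions left; fall back to another check")
        return self.rng.choice(active)

    def grade(self, question, answer):
        """Grade one attempt, update stats, and retire the question if it scores badly."""
        ok = self.normalise(answer) in self.questions[question]
        self.attempts[question] += 1
        if ok:
            self.passes[question] += 1
        if self.attempts[question] >= self.min_samples and self.pass_rate(question) < self.min_pass_rate:
            self.retired.add(question)
        return ok

    def pass_rate(self, question):
        n = self.attempts[question]
        return self.passes[question] / n if n else None

    def report(self):
        """question -> (attempts, pass rate, retired?) for review by the admin."""
        return {q: (self.attempts[q], self.pass_rate(q), q in self.retired) for q in self.questions}


def simulate_constructed_traffic():
    """Replay a constructed batch of registrations and return the pool report."""
    pool = QuestionPool(QUESTIONS, min_samples=10, min_pass_rate=0.6)
    hat = "What colour is Wario's hat?"
    tri = "How many triangles are in a Triforce?"
    # Constructed: humans answer the hat question reliably, with varied spelling.
    for ans in ["Yellow", " yellow ", "YELLOW", "yelow", "yellow",
                "yellow", "yellow", "yellow", "yellow", "yellow"]:
        pool.grade(hat, ans)
    # Constructed: the Triforce question splits real users between 3 and 4.
    for ans in ["3", "4", "3", "4", "4", "3", "4", "4", "3", "4"]:
        pool.grade(tri, ans)
    return pool.report()


if __name__ == "__main__":
    for question, (n, rate, retired) in simulate_constructed_traffic().items():
        print(f"{question!r}: {n} attempts, pass rate {rate:.2f}, retired={retired}")
```

Requiring a minimum sample before retiring a question keeps one unlucky registrant from knocking out a good question, and the report is what lets an admin see, as the commenter did, that the questions users fail are not the ones they expected.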


You're right, it's only a solution for niche sites rather than ones aiming at all users. Obviously, Reddit/Facebook/Google/YouTube/whatever are out of luck here, their audience is basically 'everyone on the planet' and they don't have any real way to test that.

And you've also got a point that a certain percentage of legitimate users would be pruned out by a simple, topical question. There are probably a few people who couldn't register on Wario Forums cause of this sort of thing, and there were probably a few who couldn't join my previous sites cause of it.

So your questions would have to be very much tied to the audience. General gaming site? Asking who this is with a picture of Mario, Link, Pikachu or Sonic the Hedgehog would work pretty well. Niche site? A bit more obscure, to go with the audience likely to be visiting there.

That said, I think a few things will need to be kept in mind:

1. Firstly, a lot of niche sites already have fairly strict requirements to get in, and have a more drawn out approval process than the norm. For example, quite a few I know of require you to post an intro in an 'approval' forum in order to get access to the rest of the site or server. So I suspect users on these sites may be more used to having to think/research the process to join a forum than those on Facebook.

2. To some degree, it also filters for people who are genuinely interested in the topic to a more than average degree, which may overlap well with 'people likely to stick around for the long run'. For example, the people likely to remember King K Rool's guises in Donkey Kong Country 2 and 3 may be good users at DK Vine, someone who could identify Rawk Hawk or Flavio would be more likely to be a good Mario RPG forum member, etc.

It's a bit like the comments I've heard about Ling's Cars... the only people who shop there really, really need a car.

Actually, maybe a bit like Hacker News too. The people most likely to 'tolerate' the old school design here are well, web developers, old school hacker types, etc.

Either way, it definitely all depends on how niche the site is.
