Using CAPTCHAs (gov.uk)
9 points by Turukawa on March 30, 2019 | hide | past | favorite | 5 comments


I understand why people don't like captchas - specifically recaptcha - but I believe it's a 'necessary' evil. Many small startups and hobby sites don't have the resources to roll their own bot prevention/detection or subscribe to paid captcha solutions. Without recaptcha, these sites likely wouldn't exist or would be few and far between.

> Your service could still be at risk, even with a CAPTCHA in place. Advances in computer imaging and the use of CAPTCHA farms means some bots will still be able to access your service.

I don't think anyone will tell you that captchas are a 100% effective method at preventing automated/falsified actions. The main reason they are so widely used and generally the 'one stop shop' for bot prevention is that it increases the cost of attacking your service. Without them, an attacker could set up a simple loop that gets a site's csrf token and attempts a username/password combination. With them, an attacker does have to have a bot with "advances in computer imaging" or will have to rent a click farm. ReCaptcha is fairly good at preventing these two anyways since they will often blacklist a client[0] while still collecting the known good captcha answers for their car NN.

> Alternatives to CAPTCHAs

Transaction monitoring can be effective, but costly. Honeypots are only effective against non-targeted attacks, as an attacker can just submit one form themselves, see the browser's network request, and know what to send to look like a regular browser. Rate limits are also pretty easy to bypass; new IPs are easy to obtain since every VPS provider I know hands them out like candy (the only cost to this is not getting kicked off the provider).

0: https://news.ycombinator.com/item?id=16164549

---

For the UK government, I do expect them to employ better mechanisms than captchas to protect their services. But without them, there would be even fewer small communities than there are now. They may be at the mercy of Google, but nothing is done without the permission of the biggest companies.


A captcha might be a necessary evil. A ReCaptcha is not.

Despite all the FUD about AI & machine learning breaking conventional captchas, I have yet to find an off-the-shelf tool that I can just point at a good old "squiggly letters" captcha and have it work.

If you need a captcha, just make a custom, self-hosted "squiggly letters" one. Nobody is going to design & train a custom AI to break it, and if someone has the means to do so they will realise it would be much cheaper to pay humans to solve them so even ReCaptcha won't save you against a determined attacker.


[ edit: I want to point out that at this point in time, captcha means reCaptcha and my comment is regarding that ] Good point. But I'd like to point out that captcha is OK, but it need not be as complex and user-hostile as reCaptcha! The "advanced bot in computer imaging" excuse is questionable, as if you provide something so valuable as to warrant advanced spammer bots, you definitely have the resources to develop your own captcha/rate limiting, but in most cases it is likely just a lazy engineering team and an overinflated ego.

If you try to bruteforce giants like Google/Amazon, you'll be greeted by the age-old "squiggly captcha". Only in Gmail signup forms may you face a reCaptcha, and a much simpler one at that, but on logins it is squiggly 9/10 times at Google, and Amazon is squiggly only. There is a lesson to be learned here (my 2 cents).

In most cases, nearly all reCaptcha hostility is waved away from Google's side with the same old excuse: "the site using the reCaptcha service has the ability to adjust the aggressiveness, so if you face very hostile behavior, please report it to that site owner to make adjustments". What happens in most cases is that a lazy engineering team just throws in the reCaptcha and sets everything to ultra hostile. During testing, they probably disable it, so the hostility is not visible to them.

Rant begin -- All sites I come across with a captcha on the login/signup page always have the issue of "login/signup session/token expired, try again" once I have solved the reCaptcha, so I need to reload the page, but reCaptcha detects that I just solved it seconds ago, so it assumes bruteforce and gets more aggressive, reaching a point where it is impossible to login/signup anymore. I have emailed plenty of services regarding this hostility and the response is almost always along the lines of "we added captcha to protect your data and privacy, we value security blah blah plenty of bs... we are sorry for your inconvenience". So in protest, I just leave the service/deregister whenever it is viable. Rant end ---


For those who have no resources, rate limiting still works better and is easier than captchas. You shouldn't do rate limiting per IP though; do rate limiting per /24 subnet, /16, /8, /0, per HTTP method, per URL, etc. Typically it takes just a few lines of nginx configuration.
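As an added illustration of the subnet-bucketed approach described above (this is not the commenter's configuration, and the zone names, rates and burst sizes are assumed values), nginx can derive /24 and /16 prefixes from the client address with `map` and stack several `limit_req` zones on one location, keyed by prefix, method and URI, plus a global (/0) ceiling:

```nginx
# Added example, not from the thread. Rates and bursts are illustrative.
http {
    # Derive IPv4 prefixes from the client address. IPv6 or anything that does
    # not match falls back to the full address, i.e. per-IP limiting.
    map $remote_addr $cidr24 {
        ~^(?<p24>\d+\.\d+\.\d+)\. $p24;
        default $remote_addr;
    }
    map $remote_addr $cidr16 {
        ~^(?<p16>\d+\.\d+)\. $p16;
        default $remote_addr;
    }

    # One shared-memory zone per prefix length. Including method and URI in
    # the key means a flood of POST /login from one /24 is throttled without
    # slowing GET / for the same network.
    limit_req_zone "$cidr24$request_method$uri" zone=per24:10m rate=30r/m;
    limit_req_zone "$cidr16$request_method$uri" zone=per16:10m rate=300r/m;
    # /0 ceiling: caps the endpoint as a whole, whatever the source.
    limit_req_zone "$request_method$uri"        zone=global:1m rate=3000r/m;

    # Return 429 instead of the default 503 so clients and dashboards can
    # tell throttling apart from backend failure.
    limit_req_status 429;

    server {
        listen 80;

        location = /login {
            # All zones are checked; the most restrictive one wins.
            # burst absorbs short legitimate retries, nodelay rejects
            # anything beyond the burst immediately.
            limit_req zone=per24  burst=10  nodelay;
            limit_req zone=per16  burst=50  nodelay;
            limit_req zone=global burst=200 nodelay;
            proxy_pass http://127.0.0.1:8080;   # assumed upstream
        }
    }
}
```

Throttled requests are logged at the `limit_req_log_level` (error by default), which gives a cheap detection signal for credential-stuffing attempts without any third-party service.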


^ Good and thoughtful idea.



