
You can get people to do almost anything if you lie to them that it's for "security".


Literally. Social engineering 101. Grab a clipboard, put on a hi-viz, speak in an authoritative, directive voice and people will absolutely do what you ask at the sound of the word "security". Social engineering defence 101: teach scepticism and not being intimidated by the word "security"... ask "whose security?", "security from what?", "security to what end?", and "show me your ID and the written policy".


Except captcha is not supposed to be security for the user, but security for the website.

But in the end it is not (effective) security for a website; it is an antifeature for users and profit for Google.


As a website developer and host, I can assure you recaptcha works very well to stop spam and automated login requests. It is not perfect, but no system is.


As a website developer and host can you compare running your own CAPTCHA in place of any CAPTCHA-as-a-service? In my experience even a simple static how much is 3 + 39 stops the flood of spam in a form... It is also not perfect, but as you say no system is, and it does not pilfer my users' data...


I had a great conversation about this last week. I'll just casually leave this [0] here for anyone who has time (50 mins - audio only) for a deep-dive into machine learning to protect sites (APIs). TLDR - a lot of serious defenders have given up on PoW/CAPTCHA human filters because the cost to AI solve them has dropped to almost nothing. YMMV.

[0] https://cybershow.uk/episodes.php?id=39


yeah, a sufficiently motivated attacker can deploy some countermeasures to bypass it, but only really worth it for targeted attacks. Anyone who has a form on the internet knows that without any sort of captcha, you get lots of stupid bots just typing in jumbo. Likely you could tone back the captchas and still get a similar result in stopping the dumb bots[0]

[0] on my contact page my email is protected via a custom cypher. if the bots execute javascript and wait 0.5s they can read it, but most don't. It’s the dumbest PoW imaginable, but it works
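The commenter's own cipher is not shown, so the following is a constructed stand-in, added here and not the commenter's code: the address sits in the page only in encoded form, and client-side JavaScript decodes it after the described 0.5 s wait, so a scraper has to both run scripts and stick around. The shift cipher, key and `data-enc`/`a.js-email` markup are assumptions for this example; the cipher provides obscurity against dumb scrapers, not confidentiality.

```javascript
// Added example: delayed client-side reveal of an obfuscated mailto address.
// A reversible shift over printable ASCII stands in for the "custom cypher";
// characters outside that range pass through unchanged.
const REVEAL_DELAY_MS = 500;          // the "wait 0.5s" from the comment
const SHIFT = 7;                      // constructed key
const LO = 0x20, HI = 0x7e;           // printable ASCII
const RANGE = HI - LO + 1;

function shiftChar(ch, k) {
  const code = ch.charCodeAt(0);
  if (code < LO || code > HI) return ch;
  return String.fromCharCode(LO + ((code - LO + k) % RANGE));
}

// Run once at build time; the result goes into the page, e.g. data-enc="...".
function encodeAddress(addr) {
  return [...addr].map((c) => shiftChar(c, SHIFT)).join("");
}

// Inverse shift (adding RANGE - SHIFT is subtracting SHIFT modulo RANGE).
function decodeAddress(enc) {
  return [...enc].map((c) => shiftChar(c, RANGE - SHIFT)).join("");
}

// Resolve with the plaintext address only after the delay has elapsed.
function revealAfterDelay(encoded, delayMs = REVEAL_DELAY_MS) {
  return new Promise((resolve) =>
    setTimeout(() => resolve(decodeAddress(encoded)), delayMs));
}

// Browser hookup for <a class="js-email" data-enc="...">contact</a>.
// Guarded so the same file also loads under Node for the build-time encoder.
if (typeof document !== "undefined") {
  for (const a of document.querySelectorAll("a.js-email")) {
    revealAfterDelay(a.dataset.enc).then((addr) => {
      a.href = "mailto:" + addr;
      a.textContent = addr;
    });
  }
}

if (typeof module !== "undefined") {
  module.exports = { encodeAddress, decodeAddress, revealAfterDelay };
}
```

The encoded string contains no `@`, so a regex-based harvester reading raw HTML finds nothing; anything that does execute the script still has to outlive the timer.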


> Anyone who has a form on the internet knows that without any sort of captcha, you get lots of stupid bots just typing in jumbo.

I recall a form of "CAPTCHA" that involved a text input which was hidden via CSS, but which bots would fill in anyway. Any text in the input caused the entire form to be rejected. I wonder if that style still works today.


I've had an issue with this approach -- many browsers (via autofill/autocomplete) and many password managers (when filling in password, e-mail, etc.) tend to also get trapped in this honeypot... The spam does still get stopped though.
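The honeypot approach from the previous two comments, including the autofill problem raised here, as an added example that is not code from either commenter: the trap input is hidden with CSS rather than `type="hidden"` (which crude bots skip), pulled out of the tab order and accessibility tree, and given a name that does not look like email, phone or URL, which is what autofill heuristics and password managers key on. The server rejects any submission where the field is non-empty and returns a reason so rejections can be logged and the false-positive rate watched. The field name `contact_extra` and the `message` field are assumptions.

```javascript
// Added example: CSS-hidden honeypot field with a server-side check.
// The name deliberately avoids "email", "url", "name", "phone" and similar
// tokens that browser autofill and password managers match on.
const HONEYPOT_FIELD = "contact_extra";

// Markup for the trap. autocomplete="off" is advisory only: some browsers and
// password managers ignore it, which is exactly the false-positive case the
// comment above describes, hence the other measures as well.
function renderHoneypotField() {
  return [
    `<div aria-hidden="true" style="position:absolute;left:-10000px;height:0;overflow:hidden">`,
    `  <label for="${HONEYPOT_FIELD}">Leave this field empty</label>`,
    `  <input type="text" id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}"` +
      ` tabindex="-1" autocomplete="off" value="">`,
    `</div>`,
  ].join("\n");
}

// Decide on a parsed form body (plain object of field -> string).
// The reason string is meant for logging, so autofill victims show up in
// metrics instead of silently disappearing.
function classifySubmission(body) {
  const trap = body[HONEYPOT_FIELD];
  if (trap === undefined) {
    // A browser submits every text input, even empty ones, so a missing field
    // means the POST did not come from our rendered form.
    return { accept: false, reason: "honeypot-missing" };
  }
  if (typeof trap !== "string" || trap.trim() !== "") {
    return { accept: false, reason: "honeypot-filled" };
  }
  if (typeof body.message !== "string" || body.message.trim() === "") {
    return { accept: false, reason: "empty-message" };
  }
  return { accept: true, reason: "ok" };
}

module.exports = { HONEYPOT_FIELD, renderHoneypotField, classifySubmission };
```

Keep the rejected submissions (or at least their reasons) for a while: a cluster of `honeypot-filled` rejections with plausible message bodies is the signature of autofill tripping the trap rather than spam.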


> It’s the dumbest PoW imaginable, but it works

Nice one! I guess you mainly need to get above a certain novelty threshold, because all ML is based on what has already been seen/learned rather than actually outsmarting the defence.



