Brett Delmage writes:

 > On Thu, 26 Aug 2021, Stephen J. Turnbull wrote:
 > > However, it turns out that bots are almost as good at solving captchas as humans, and they can retry a lot faster. Captchas are also really horrible from an accessibility perspective.
 >
 > I have to disagree.
 >
 > I previously put a captcha on a Joomla website which stopped 100% of all bogus account signup attempts.
 >
 > What was it? "How many letters are in the word 'jazz'"? This captcha is fully accessible, too.
Of course, point taken. I've done similar things, and know quite a few such anecdotes. It's a good method, as long as *only a few of us use it*.
But if enough people use it, patterns will show up, and we'll get into a "proof of waste" race with the spammers as we try to come up with logic puzzles people can solve but spammers' ML can't. I don't think it really addresses the issue that attackers can solve it easily if they want to, and will eventually automate that solution, although it does address the issue of accessibility (mostly -- I am not an expert but I wouldn't be surprised if long-time screen reader users are relatively poor spellers!)
And it's not a satisfactory solution for a lot of our users. We can't safely add enabling functions to Mailman, because I'm sure there are a dozen Spamming as a Service (SpAAS) groups out there with Mailman 3 clone repos. So you need a skilled admin to implement custom CAPTCHAs.
 > If there's a captcha problem out there, it's because too many people just use the same old, same old -
Of course they do. After all, that's what software is for -- very cheaply using others' solutions for common problems. In this case, though, the "problem" is smart -- it's human attackers and their tools.
 > which is worth the bots cracking because it is used everywhere.
That evaluation is close, but not exact in the age of SpAAS. If they want you, they'll get you; it's trivial for an open-subscription site. And if they need a human to crack your trivial CAPTCHA, a smart spammer (or even somebody who hates you for banning them from your comments) will add it to their box of tricks. I bet you'll get tired sooner than they do. Eventually it will make it into kiddie-scripts.
The other thing is that if such simple captchas become popular, you know that the pros will start scanning sites for them just to make a database of patterns, and add hacks for any popular ones (or if they're smart, for every pattern they find -- I bet on a regular basis they'll get as lucky as I did when I stopped Klez, and then Frethem too, with just "iframe.*height=1").
Steve
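As an added illustration (not code from this thread or from Mailman), here is the kind of crude body filter Steve's "iframe.*height=1" anecdote refers to, applied to two constructed sample messages; the message headers and addresses are made up.

```python
import email
import re
from email import policy

# The crude pattern quoted in the message above. It is deliberately loose:
# with DOTALL and a greedy ".*" it also matches "height=10" or an iframe far
# from the height attribute, which is exactly why it caught more than one worm
# and why it would also produce false positives on legitimate HTML mail.
IFRAME_PATTERN = re.compile(r"iframe.*height=1", re.IGNORECASE | re.DOTALL)

# Constructed sample: an HTML part with a hidden 1x1 iframe, as the old worms used.
WORM_LIKE = """\
From: sender@example.invalid
To: list@example.invalid
Subject: hi
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><IFRAME src="cid:attachment" width=1 height=1></IFRAME></body></html>
"""

# Constructed sample: ordinary plain-text list traffic that mentions iframes in prose.
LEGIT = """\
From: member@example.invalid
To: list@example.invalid
Subject: re: captchas
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

I don't think an iframe of any height=1 belongs in list mail anyway.
"""

def html_bodies(msg):
    """Yield the decoded text of every text/html part of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def is_suspicious(raw):
    """Return True if any HTML part of the raw RFC 822 message matches the pattern.

    Only HTML parts are scanned, so the same string in a plain-text body is not
    flagged; that keeps the rule from firing on people merely discussing the filter.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    return any(IFRAME_PATTERN.search(body) for body in html_bodies(msg))
```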