405 points blindgeek | 26 comments
1. isodev No.42172859
Why are captchas even a thing still? If folks want to scrape something or build an automation around something, then why not let them do it? They still have to respect the system they're logging in. Not to mention the privacy perk of not exposing your visitors to some captcha service with a dozen or more data subprocessors.
replies(7): >>42172909, >>42172918, >>42172983, >>42173046, >>42173133, >>42173317, >>42173643
2. dewey No.42172909
Captchas are used for many things, and the reason they are still a thing is because they mostly work. Especially fingerprinting invisible captchas.

Try having a login form without a captcha and you'll realize you are capturing 100s of users every day that require you to send out a "please confirm your email address" email for each of them for no good reason.

> They still have to respect the system they're logging in.

Your trust in people is admirable, but in my experience running anything on the internet you'll realize that intentionally or not people will bombard your system until it falls over.

replies(2): >>42173172, >>42173341
3. stanmancan No.42172918
I had to add a captcha to a registration page a couple years ago. Bots were signing up for thousands of fake accounts with other people’s email addresses. The email confirmation we sent would then get reported as spam since the recipient didn’t sign up for our service. Our email provider suspended our account for high spam reports.
replies(2): >>42173176, >>42174348
4. Nextgrid No.42172983
Because despite ZIRP being long over, there are still plenty of people/companies making money off "engagement" - aka wasting a human's time. Automation/scraping/etc would go around that.
replies(2): >>42173021, >>42173150
5. spacebanana7 No.42173021
There are also more good-faith use cases like stopping credit card testing, ticket reselling and forum spam.
6. hifromwork No.42173046
I assume you never tried to add a contact form to your website.

Explanation: I did, and within a few days bots started sending me spam using that form. I just added a trivial captcha (hardcoded '2+3=' question), but if my scale was bigger that would be untenable. Think also of PM spam, autoregistering accounts to abuse free tiers, etc.

replies(2): >>42173146, >>42173682
7. bongodongobob No.42173133
If you have any input forms they will be overrun by bots immediately. At my last job, marketing built a website and didn't tell IT. They had a "contact us" form without any kind of captcha. Took about a month to be completely flooded by bot spam.
8. Spivak No.42173146
I guess I just wouldn't have an open unauthed form and require a CC to use the free-tier. The contact-me form can just be a mailto: link and let the spammers go through the spam filter like everyone else. There are places where captchas are all you can really do but it's not like common use-cases don't have other options.
replies(1): >>42173832
9. isodev No.42173150
I feel folks forget that whatever captchas do (or a large portion of it) can be a library without the need for a strange, inaccessible 3rd party service call.
10. isodev No.42173172
I think folks forget that we can add many of the safeguards captchas provide as part of whatever "form serving app" is needed without torturing our visitors to prove they can count bicycles.
replies(1): >>42173350
11. Spivak No.42173176
I hope the other lesson was the good email verification hygiene of making the user take an affirmative action and click a "verify email" button rather than sending it unsolicited.

You essentially had an open public unauthed form that would send an email to any address you typed in it. Surely that alone raises some eyebrows.

replies(3): >>42173445, >>42173597, >>42175621
12. slightwinder No.42173317
> Why are captchas even a thing still?

Because it works, to some degree. It keeps away the annoying cheap bots and stupid kids. Smarter or more dedicated actors can still circumvent it, but even they are at least slowed down to some degree.

But thinking about it, maybe just putting a 20 second pause after which you have to push a button might already be good enough for all this. And every stupid bot avoiding it will get banned.

replies(1): >>42173375
13. nraynaud No.42173341
They don't work; robots have a higher speed and success rate than humans.
replies(1): >>42173475
14. dewey No.42173350
I think the times of the "count bicycles" type of captcha are already counted just because of the bad user experience. Now everything is about fingerprinting, as paying to get captchas solved by humans or AI is already used everywhere if it's worth it.
15. isodev No.42173375
Indeed… and if it's really problematic, a client-side script can run some expensive calculations as well (the same way captchas do it), to make it extra uninteresting to target unless someone is really motivated and has the budget for it.
replies(1): >>42173659
16. toast0 No.42173445
How do you authenticate a verify email button?
replies(1): >>42173553
17. dewey No.42173475
Not everything is black and white. If it's cutting down 50% of the spam that does not have captcha solving robots because the effort is not worth it, that's already something.

There's a reason many sites still have very basic captchas... it's good enough for their use case.

18. klez No.42173553
It took me a while to understand what GP was trying to say, but I suppose they're thinking of one of those sites where they let you create an account, will let you in and then nag you for a while about "verifying your email address" by clicking a link that will actually send you an email. An unsophisticated spambot won't probably care enough to click through that.
19. binarycoffee No.42173597
Not a solution. Verification emails alone got a small web site I set up to be blacklisted within days. Most of the unwilling recipients presumably couldn't understand the language the verification email was written in and reported it as spam.
20. grishka No.42173643
Simple distorted-characters captchas still do a good job of catching unsophisticated bots, which is most of them. They work even better when combined with hidden form fields because these bots don't support CSS.

Targeted attacks though? You're making your legitimate users suffer only so that you defeat 99% of bots instead of 95%.

21. blindgeek No.42173659
Yes, hashcash.
22. graemep No.42173682
There are less annoying alternatives. Things like honeypot fields have worked for me so far. There are more dynamic variations on your maths question.
23. hluska No.42173832
You want to put a credit card form in front of a contact form?
24. reginald78 No.42174348
What is the play by the spammers here? Is it a direct attack on your website, perhaps because they were competitors? Or are they hoping that 1% of spammed email addresses will accidentally verify their email?
replies(1): >>42175635
25. stanmancan No.42175621
How would adding an extra button change anything? Right now when they register we send a “verify email address” email. Adding an extra step of “click a button” makes no meaningful difference.
26. stanmancan No.42175635
No clue to be honest; I just added a captcha and moved on with life. It’s a small side project so it wasn’t worth investing.