by rbritton 2230 days ago
Know your target audience too. I'm not sure if I'm it, but reCAPTCHA gives me enough friction that I often abandon pages with it. Simply using Firefox's antifingerprinting feature plus some ad/tracker blocking is enough for it to be miserable every time.
6 comments

Nobody here is talking about the elephant in the room where reCAPTCHA (and hCAPTCHA has the same problem) is concerned:

The other day when Google was having issues (the same day that a bunch of Android apps were crashing due to a bad map data push), I was unable to log into my bank, unable to pay my electric bill, and a half dozen other things I needed to do that day.

Because Google's servers were down, core service providers were unable to do anything either because they block access to their site without recaptcha approving the entry.

To me, as a technologist, as a builder of software, this is absolutely and entirely unacceptable. Captcha needs to be something you can self host.

I don't understand this habit of handing Google a knife and then telling them where to stab you.

I'm going to guess people aren't typically talking about it for a few reasons:

- We started out with self generated and self hosted captcha. It was too easy to beat. Complexity of the image generation turned up until eventually it was easier to just outsource it to someone else. Going to throw out a guess here that reCAPTCHA is far from simple, and likely exceeds what most teams would want to run internally.

- Google has an uptime that's significantly higher than most companies. I'm not defending any of Google's habits or business practices, but I personally wouldn't bet that most companies can run software more reliably than Google.

- As someone else mentioned, fail open is an option in situations like these (depending on the threats you're trying to protect against). For something with a high probability of failure, this could make sense, but I would have a hard time imagining a team allocating time to deal with the case "when Google is down" unless it's truly life or death software (think: surgical robots, autopilots, etc.)

Why was self-generated and self-hosted captcha easy to beat?

I found that generating math questions in a captcha style (curved / with other noise drawn over) and requiring that the questions be answered in a box is unbeatable. The bad actor would require very good OCR and after that also a good math parser to answer. Easy for a human, very hard for automation. And the script that did that was like 50 lines long.

"easy for human" is very subjective. Users very regularly have a hard time with all forms of image captcha for a whole bunch of different reasons: visual acuity, color deficiency, learning disability, unclear instructions, visually similar characters, etc. If you allow users to refresh the image until they see an easy one they might be able to overcome it themselves, but some percentage of those users will get frustrated and leave. Not to mention allowing regeneration of images also makes it easier for bots to cycle until they find one they're confident in. Surely if there were a dead-simple-for-humans, difficult-to-beat-for-bots, 50-line-script option for CAPTCHA generation that could be self hosted, it would be in wide use.

reCAPTCHA changed to its current model to try to significantly reduce friction in the "hopefully normal" case (down to just a check box if all goes well) because every ounce of friction you add to critical inflection points in your product translates to meaningful lost opportunity.

Even if this wasn't a problem, and it were trivial to create something that's easy for humans and hard for computers, it's just not worth most companies' time. Would they rather spend a few days properly implementing and testing a captcha solution, then whatever unknown time on future bug fixes and support, or setup reCAPTCHA in 30 minutes and move on to things that produce value for their customers?

I see that as an absolute win. If you're having problems understanding simple math questions then I won't want you as my user in the first place. Morons out.

As for visually impaired ones, I agree this one is harder to crack. Usually you do it by audio, which in itself is more than 50 lines of code, but here is my personal approach. Absolutely nothing is stopping you from having, for visually impaired ones, a separate step like the one described in OP, where you have mail activation. You see, visually impaired users have infinitely more patience than normal "visual" ones. They are used to the web not being friendly, so they won't mind going through extra hoops if they want your service. So a checkbox saying "I am visually impaired and I want registration by e-mail" or something equivalent and you're good to go.

A sensible person would implement the use of the captcha to fail open - if Google is down, then let the user in without passing a captcha.
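What "fail open" looks like in code, as an added example that is not from any commenter in this thread: the key is to separate "the verifier said this is a bot" from "the verifier did not answer at all", because only the second case is the provider's outage. The `verifyFn` is injected here (a real one would POST the token and secret to the provider's siteverify endpoint, e.g. https://www.google.com/recaptcha/api/siteverify, and return its JSON, which carries a `success` boolean); the action names, risk tiers and the 2 second timeout are assumptions for illustration.

```javascript
// Added example, not code from the thread or from any captcha vendor.
// Distinguishes a captcha failure from a captcha *provider* failure so the
// site can fail open for low-risk actions instead of locking everyone out.

function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('verifier timeout')), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Returns 'pass' | 'fail' | 'unavailable'.
// verifyFn(token) is assumed to resolve to the provider's JSON ({ success: bool })
// and to reject on network errors / non-2xx responses.
async function checkCaptcha(verifyFn, token, { timeoutMs = 2000 } = {}) {
  if (!token) return 'fail'; // the user submitted no token at all
  try {
    const result = await withTimeout(verifyFn(token), timeoutMs);
    return result && result.success === true ? 'pass' : 'fail';
  } catch (err) {
    // Timeout, DNS failure, 5xx: the provider failed, not the user.
    return 'unavailable';
  }
}

// Policy (assumed tiers): fail open only where a burst of bot traffic during an
// outage is cheap to absorb. Sensitive actions still fail closed.
const FAIL_OPEN_ACTIONS = new Set(['login', 'pay_bill', 'contact_form']);

function decide(action, captchaStatus, log = () => {}) {
  if (captchaStatus === 'pass') return { allow: true, reason: 'captcha passed' };
  if (captchaStatus === 'unavailable' && FAIL_OPEN_ACTIONS.has(action)) {
    // Log loudly: this is the signal that you are running without the control.
    log(`captcha provider unavailable; failing open for ${action}`);
    return { allow: true, reason: 'fail-open' };
  }
  return {
    allow: false,
    reason: captchaStatus === 'fail' ? 'captcha failed' : 'provider unavailable',
  };
}

async function gate(action, token, verifyFn, opts = {}) {
  const status = await checkCaptcha(verifyFn, token, opts);
  return decide(action, status, opts.log);
}
```

Failing open is only sensible if the other controls (rate limits per IP/account, login lockout after repeated failures) stay in place during the outage; the `log` call is there so the outage window is visible afterwards.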

Was this a mistake on the bank's part, or Google's?

Only if the probability of failure makes the extra effort worth it. Since this is a pretty rare event, a sensible person could well wait until they see actual impact before putting in the work. Hypothetical problems always vastly outnumber actually experienced ones.

It's surprising to me that on-prem reCAPTCHA isn't a service that seems to exist (based on a quick search).

Even if it's not Google's reCAPTCHA - is it so hard to make something like this that only Google can provide it? Surely the big players would want this component under their control exactly for reasons like "we don't want to have an outage due to a provider outage". Or at least, fail over to a less-preferred backup. Like if Cloudflare had such a service.

Cloudflare looked at the options (including building their own) and moved to hcaptcha (but mostly because Google wanted to charge them money), so it must be hard at that kind of scale, since bot writers are monetarily incentivized to defeat the captcha.

https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptch...

Spread the word. The more we are saying this, the more developers will think "We have a problem, but reCAPTCHA is not a solution for this problem. reCAPTCHA spies on our users and makes them waste their time, while our first goal is to respect them. I support people who run away from tracking, and reCAPTCHA makes their lives miserable. We can't use this. And by the way, I myself hate checking road signs and shop fronts, I'm definitely not inflicting this curse on even a very small fraction of my users".

My bank once required me to fill a reCAPTCHA to change my password. Yes, Google's tracking on my bank's website. I asked my financial adviser to reset my password for me to increase the cost of using reCAPTCHA for my bank. I told them it didn't work because of reCAPTCHA not working on my computer, which is actually true because I block it.

>> reCAPTCHA spies on our users and makes them waste their time, while our first goal is to respect them

Some are using reCAPTCHA to detect bots, but I see many sites that appear to be using it specifically to slow down users. Users are to be respected but customers are to be mined for their money. Sometimes that means making things more difficult than is strictly necessary. If an onerous reCAPTCHA is required to delete an account or qualify for a price discount, so be it.

There is a reason it is so much more difficult to find one's way out of a casino than it is to walk in.

Is there another solution to this problem that is a sufficient replacement for 90% of situations?

You could embed a very-lightweight crypto-miner script into the page, with explicit UI acknowledgement (i.e. it starts when the user presses the "Verify" button, it displays that it's working and how hard it's working; and it runs until it produces exactly one target hash, at which point it clearly stops), and targeting an artificially-tuned difficulty such that a regular PC should be capable of completing in a minute or two (rather than trying to actually mine for any real blockchain network, which would require absurdly-high hash power.)

This is basically how "e-stamp" system proposals were supposed to work for email; but they never took off because email is an ossified system. The web is not ossified; individual websites are free to implement something like this.

If you're worried about spammers just throwing a GPU farm at the problem: the overlap between spammers and people who own crypto-mining operations is small; and the people who own crypto-mining operations have much-more-profitable things to point them at. So this should mostly stymie spammers—individuals will be okay with sitting around on the page for a couple minutes to complete the action, but it'll throttle spammers' actions way down, to the point where it's mostly not worth it to attack that site any more, vs. some other site (i.e. it'll have the same relative-deterrent effect that putting a club on your car does.)

You could even frontload the work, turning it from a proof-of-work system into a proof-of-stake system. Have the user "buy in" with a large hash workload during user registration; and then trust them from then on. (This is the better approach for a mobile app: direct them to register on the app's website on a PC, and then you can trust that user on the much-lower-powered mobile device, despite that device never generating a token.)

-----

An effectively strictly-equivalent approach is to just charge the user a dollar to complete certain actions.

One famous example of this is the SomethingAwful forums, where registrations cost $10. You can register as many times as you like—i.e. if your account gets banned, there's nothing stopping you from just coming right back again—but you'll need to pay another $10. Seems to work fine, in terms of making it too costly to keep doing anything the site bans people for.

I like the cleverness and simplicity of the bitcoin mining approach, but the tradeoff between "takes too long, damaging our signup flow" (where anything more than 5 seconds is likely to have a material impact) and "doesn't take long enough, making it too cheap for bots to proceed" may be quite tricky.

Charging a buck is extremely simple, and fair. The SA example tickles me.

I wonder if the folks who dislike reCAPTCHA would be willing to choose to pay $1 if given the option between the two.

> I wonder if the folks who dislike reCAPTCHA would be willing to choose to pay $1

Another commenter said that the market rate for reCAPTCHA solving is 1c each, so $1 is probably more than most would pay.

My assumption is already that reCAPTCHA is not a solution. Your question would, then, be "Is there a solution".

You may not agree and I respect this, but this is actually my point (and I don't have an answer to this question - I wish I had, though, and you have a point!).

I wish that people would soon stop thinking that reCAPTCHA is a solution at all.

Then, it will open people to start thinking hard on this problem and hopefully find good solutions that fit their exact situation. There may not be one size fits all, but many good solutions for each situation. We would not know without thinking.

Got it. Bummer.

I wonder if you could ask the user to trace a shape/pattern with their mouse? Or you draw a few animating dots with a canvas, and ask them to click the blue ones?

Fundamentally, though, you likely either piss people off by challenging their humanity, or violate their privacy by silently tracking their behavior, or break accessibility by evaluating the way they interact with your site against "normal" (bad for folks with screen readers, lynx, etc I'd assume).

Now come up with accessible versions of those tests.
And then, harden it against bots that actually are humans being paid by the bot-writers, via Mechanical Turk.

There won't be a solution for long. AI is making great progress on this part of the Turing test. You can only solve this (for how long?) by making the test harder for real humans, and that adds friction.

If you want to solve this, legal is your best bet. Make the things bots are doing illegal, and then track down the owners. It is hard, but the criminal system is the only thing we have.

Since solutions for recaptchas can be purchased, I'm starting to wish I could just pay the market rate (< $0.01 each) instead of having to solve the damned things.

I abandon every website that promotes a free trial period but asks directly for your credit card.

Absolutely a no-go: let me first try it for free and then I will add the credit card details, if I'm interested.

Then you may not have the problem deeply enough to need the solution. It depends a lot on the context, B2B vs B2C, but I've experienced that the B2B customers who won't sign up without an absolutely free trial are much, much less likely to convert anyways, to the point where it's not necessarily worth the effort for sales + support.

Yeah, I think there’s a general lack of understanding that leads inexperienced product people to believe that friction is always bad.

Good friction (verifying emails, asking a question in the signup form, collecting a CC upfront) can result in more paying customers as you’re optimizing your experience towards people who are actually interested in buying your service.

Rather than trying to cast a wide net and wasting resources on poor leads who want zero friction.

I typically disagree with free trials for B2B. The user has no skin in the game and the account will go by the wayside.

I don’t understand. The only reason it would be beneficial to ask for the credit card now instead of later is if you’re hoping the customer simply forgets to cancel. It signals to me as a customer that you’re not confident that your free trial will convince me to pay.

Suffice it to say, this has been heavily tested by thousands of businesses, and there's hard data behind many of those that land on requiring a card on file up front that has nothing to do with hoping people forget to cancel. It's about activation rates. If your service requires the user do some initial setup work to get value from it, like integrate your whatever into their website, they're MUCH more likely to follow through on that work after having given you a credit card to sign up (and perhaps had to discuss with their boss or IT dept or whoever to approve using the company card).

I have yet to use a service with this pattern that requires you to click an "Alright, start charging me $15/mo" button once their free trial expires. That would obviously be the most user-friendly thing to do.

So, without that step, you can't say "has nothing to do with hoping people forget to cancel."

As someone who has implemented similar CC blockers before: people who forget to cancel leave after one month, leave bad reviews which affect future growth, and make churn numbers bad. I do not want many of those people, and will both send multiple reminders that they will be charged and refund them no questions asked.

But for any business that requires some amount of human support for users, it can be much easier to convert 15 out of 100 signups than out of 1000.

Sometimes it is used as a verification of "uniqueness", since someone could sign up for multiple free trials using different emails. Not a problem for most products, but can be a pain.

In that case, something like electronic ID or webauthn might solve the problem?

We ask for the cc now, but then still get a final confirmation before charging. The idea being that we won't charge you for forgetting, but you are also showing some interest by being willing to put the card in, and when it comes time to decide to pay, it's only a button press away and they don't even have to dig out their cc.

The ease of conversion is definitely a component. And that has a few parts. Maybe you hope that people forget they don’t want it (like you said). There’s also hoping they don’t forget they do want it. People are pretty lazy and forgetful.

There are other components. Credit card entry acts like a captcha, but it’s actually a useful part of the process (unlike clicking street signs).

And the marginal cost of a free trial is low, but it’s not zero. If I can have less free trial customers but end up with similar paying customers, that’s a win.

There’s not only one reason.

In B2B, it could be that the person who wants to try out the service is an employee of a company. He/She needs to first test the service before trying to convince their manager (or the company) to subscribe. Such people might not have a corporate credit card to put in; it could be company policy that such subscriptions are handled by a different department. They might also not wish to use their personal credit card for corporate services.

For large values of B, in B2B, employees have corporate cards, with discretionary spending, so that's something to consider. A SaaS product with annual purchasing, priced just under the discretionary spending limit (read: an employee can buy this and their boss will just rubber-stamp the request and not even give it a second thought), is far easier a purchase. However, if corporate has to get involved, the effort is approximately the same whether it costs $1,000 or $10,000 because a bunch of people have to get involved, committees formed, and studies done.
Also files under #chargemore for B2B, etc.

This issue came up for me recently when signing up for Audible. You get 1 free audiobook/month but have to verify a credit card before the free trial month. I imagined this was to cut down on users who sign up with throwaway accounts to get free books. What gets me is you can buy $10 prepaid credit cards and sign up repeatedly anyway, spending your $10 elsewhere. Completely opposed to the practise, however, when it enrols you in automatic payments which you have to opt out of before your free trial expires.

Have you tested this? Prepaid cards usually don't support subscriptions, which is a way of avoiding that. (I work with handling online payments, and tried this before, but it failed for my test-case.)

Do you know if stripe supports identifying these cards?

I haven't tested it with Stripe, but according to their docs, yes: https://support.stripe.com/questions/find-the-type-of-card-a...

I hear you, but do you have another solution to fix spammers invading a system? reCAPTCHA is annoying but I understand what it solves, I do type away.. And it’s true, sometimes I give up too.

What is your threat model? What’s the worst thing a spammer can do if they sign up? For most websites, what spammers can do is very limited, so why are you expecting spammers to sign up in the first place?

If you really think a captcha is necessary, limit it. For example, require a captcha only when two accounts are registered within a 24h period from the same IP. Don’t require captchas for logins unless a reasonable limit of attempts has been exceeded (5 wrong passwords within 24h by the same IP, for example).

If your site is small, a captcha is often overkill. A hidden input can trick pretty much any automated spam bot (if input empty, real user, otherwise bot). Just make sure you do enough research so accessibility readers also work with that field properly.

If a spammer targets you, you can always activate a captcha manually, although by the time you realize it, it might be too late.

Keep in mind that a captcha only adds friction to the spammer (and users). Bypassing reCAPTCHA is possible for any motivated spammer for only a few cents/captcha. There are services that have humans in developing countries solve them for you. Coupled with a headless chromium, you can easily build a reputation so that google will let you through. For testing credit cards, this setup is definitely used and most likely worth it. So a captcha will not always save you from bots.

Also keep in mind that hacker news does not have a captcha and the amount of spammers is minimal.
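The gating rules from the comment above, and the honeypot field and per-IP throttling mentioned later in the thread, as an added example (not code from any commenter): a small in-memory policy that shows the captcha only after a second registration from one IP within 24h or after five failed logins, and rejects submissions that filled in a field humans never see. The thresholds follow the comment; the class, the honeypot field name `website`, and the constructed IP addresses are assumptions. A production deployment would back the counters with a shared store (e.g. Redis) rather than a process-local Map.

```javascript
// Added example, not code from the thread. Shows captchas on evidence of
// abuse instead of to every visitor. Counters are process-local; swap the
// Map for a shared store in a multi-instance deployment.

const DAY_MS = 24 * 60 * 60 * 1000;

// Sliding-window counter: remembers event timestamps per key and drops
// anything older than the window on each access.
class SlidingWindowCounter {
  constructor(windowMs) {
    this.windowMs = windowMs;
    this.events = new Map();
  }
  count(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    return (this.events.get(key) || []).filter(t => t > cutoff).length;
  }
  hit(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const times = (this.events.get(key) || []).filter(t => t > cutoff);
    times.push(now);
    this.events.set(key, times);
    return times.length;
  }
}

class CaptchaPolicy {
  // registrationsPerDay = 1 means the *second* registration from an IP in 24h
  // gets a captcha; failedLoginsPerDay = 5 matches the comment's example.
  constructor({ registrationsPerDay = 1, failedLoginsPerDay = 5, honeypotField = 'website' } = {}) {
    this.registrations = new SlidingWindowCounter(DAY_MS);
    this.failedLogins = new SlidingWindowCounter(DAY_MS);
    this.registrationsPerDay = registrationsPerDay;
    this.failedLoginsPerDay = failedLoginsPerDay;
    this.honeypotField = honeypotField; // assumed field name
  }

  // Honeypot: the field is hidden from people (CSS display:none, aria-hidden,
  // tabindex=-1, autocomplete=off) so a non-empty value means a form-filler bot.
  isHoneypotTripped(form) {
    const v = form[this.honeypotField];
    return typeof v === 'string' && v.trim() !== '';
  }

  registrationNeedsCaptcha(ip, now = Date.now()) {
    return this.registrations.count(ip, now) >= this.registrationsPerDay;
  }
  recordRegistration(ip, now = Date.now()) {
    this.registrations.hit(ip, now);
  }

  loginNeedsCaptcha(ip, now = Date.now()) {
    return this.failedLogins.count(ip, now) >= this.failedLoginsPerDay;
  }
  recordFailedLogin(ip, now = Date.now()) {
    this.failedLogins.hit(ip, now);
  }

  // Combined decision for a registration POST:
  // 'reject' (honeypot filled), 'captcha' (threshold reached), or 'allow'.
  decideRegistration(ip, form, now = Date.now()) {
    if (this.isHoneypotTripped(form)) return 'reject';
    if (this.registrationNeedsCaptcha(ip, now)) return 'captcha';
    return 'allow';
  }
}
```

Keying on IP alone is coarse (shared NATs and carrier-grade NAT put many real users behind one address), which is why the policy only escalates to a captcha rather than blocking outright; a paid human solver or a botnet with many IPs will still get through, as the comment notes.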

1. Identify a large number of email newsletter signup pages that don't use captcha and which either send an opt-in confirmation message or a welcome message on signup.

2. Identify a target for some kind of account takeover attack. (Assuming you have other details needed for takeover.)

3. Rent botnet.

4. Perform thousands of signups for the target's email address starting shortly before your attack.

If the account's only security notifications (e.g., password reset, etc.) are in the form of emails, the flood of spam will usually keep the target from seeing them until too late.

These are real attacks, frequently seen in the wild.

> What’s the worst thing a spammer can do if they sign up?

In any site that creates a community or has any kind of interaction between its users, spammers and spambots will ruin the site for everyone else.

They must have not been around when proboards/ezboards/phpbbs were regularly taken over by spammers. It could single-handedly kill communities if the admins couldn't keep up.

It's hard for me to take people seriously who rail against recaptcha yet don't seem to realize why we use it nor pitch a real alternative. Or that spammer protection is overrated because their obscure blog doesn't get much spam.

It's easy to enumerate what sucks about something, but you can't just stop there.

> What’s the worst thing a spammer can do if they sign up?

Depends on your size and resources. Imagine you're basically scrappy with a very small and tight budget and still trying to validate your idea, and you're using one of those providers that gives you a free quota (like Google App Engine): you don't want 'spammers' to drain your free allotment of resources. I know someone who has a small niche blog in the health sector whose blog was repeatedly targeted by spammers/bots. He repeatedly saw increases in his bills till he had someone audit his blog and try to block the bots.

For a lot of sites, as you mention, it's payments and testing credit cards.

I have found that simply throwing a reCaptcha onto your form forces you to make a bad choice between protecting the user's privacy and creating a mostly-seamless experience: if you don't want most of your users identifying school buses, you need to send all their behavior to Google.

To get around that, I've tried layering a number of different approaches. These include outright throttling/blocking repeated form submissions from the same ip; using a honeypot field; using a third-party email verification/validation service; showing captchas only under certain very restrictive circumstances (heuristics that make a guess/overall traffic patterns); etc. It's more work, and still a bit cat-and-mouse, but at least I don't feel like I'm pissing off every potential customer.

> What’s the worst thing a spammer can do if they sign up?

I have seen spammers signing up just to send a short message via welcome email ("Hi firstname," -> "Hi check this foo.com,") to their targets. The worst thing that can happen from that is that your domain/email servers end up in the blacklists.

If you send a validation email, being targeted by spammers already means cost increase, messy databases / analytics and maybe even a ban for having sent too many emails at the same time.

reCAPTCHA can already be configured to be invisible and only display if it suspects the user could be a bot.

For the majority of users, they won't see a captcha challenge and it is a seamless experience with no added friction.

Those who have lots of tracking/privacy protections however will more likely be flagged as a potential bot and usually have tougher challenges as a result.

There are other options. Cloudflare just switched to hCAPTCHA [0], and proof of work [1] can be effective enough. Aside from those, there's always the option of just leaving it open if there's nothing costly a spammer can do. They're unlikely to use the service itself and associated resources.

[0]: https://www.hcaptcha.com/

[1]: http://www.hashcash.org/

I just tried hCAPTCHA's example and it was basically indistinguishable to me from ReCAPTCHA. I'm unclear on how it's less friction for an end user.

I don't have much experience with hCAPTCHA, but my biggest complaint with reCAPTCHA aside from the privacy aspect is that it quite literally tells me I'm wrong on a puzzle when I've done it correctly. It forces me to go through sometimes a dozen or more iterations before finally allowing me through.

With ReCaptcha 3, most users won't notice any captcha at all. Reducing friction to zero for the majority of users is a huge advantage vs other solutions.

> With ReCaptcha 3, most users won't notice any captcha at all

And it achieves that by surveilling all user activity on your site, not just on the signup form.

The owner of the site decides where the surveilling occurs. I've chosen just the page where the captcha is needed and it works great.

What’s the harm? Depending on your functionality there is hardly any downside to allowing multiple ghost accounts.

I used to run a forum for an indie videogame with a small but passionate userbase. Unfortunately it was completely overrun by spambots to the point that moderators couldn't keep up and they drowned out the real posts. We had to shut it down.

This is one of the reasons Begg Knives shut down his forums. We literally couldn't delete accounts fast enough.

When I used to manage web forums, I asked a hard question during signup and put the answer within the question itself (e.g. "hint: the answer is xxx").

This usually stops simple spam bots that are aimed at that particular off-the-shelf forum software.

Why not stop allowing registration except by manual whitelist? At least until the spammer lost interest.

Is that less friction than captchas?

How would that work?

Manually approve someone who registers ... then discover they're a spam bot?

Anything with a chat/comments section will be overrun with spam-bots and be rendered unusable and unwelcoming. The difference between a bot-ridden comments section in a blog and a clean one is huge.

There are lists of companies with workflows like this that get used in spam campaigns. You can put any email address in and now they will get a signup notice and multiple 'hey you didn't complete our workflow!' marketing messages. Easy way to put a lot of useless messages that mostly pass spam checks in any mailbox you desire.

I recently had an incident with Chime Bank like this, where someone enrolled every public email address at my company with them. I sent them an abuse report and they told us to block their domains. Real great solution, guys.

True that! Had a discussion along that line just earlier today about the contact us function on my website. Worst case, I get some more mails in my spam folder. I can live with that, checking it every two weeks or so doesn't hurt.

I don't know about everyone else, but a few months ago reCAPTCHA was getting so hard that I was routinely failing it. Now the hardness seems to be scaled down though. (They removed the addition of noise into the picture, I believe.)

Same for me. I haven't been CAPTCHA'ed in a bit but the last few times were absurd. I had to solve 6-10 screens, probably because I was failing.

I was getting questions where I'm just not sure what the right answer is.

Which pictures have traffic lights? And then some pictures where I can barely make out a traffic light far away in the background. Does this count?

Which pictures have busses? Is the blurry white vehicle a large passenger van or a small bus? I don't know.

Then the most absurd one, I was asked to select tiles containing a bicycle, on a picture like this:

https://www.bikecleveland.org/wp-content/uploads/2015/04/Sha...

Does a representation of a bicycle count? I don't know.

And then when there is just a few pixels of an object going into a tile, am I supposed to select it?

I've had recaptcha just go on for minutes.

Here's a video (not mine) of the sort of thing I mean: https://www.youtube.com/watch?v=GGBsopLvwwo

> I'm not sure if I'm it, but reCAPTCHA gives me enough friction that I often abandon pages with it.

Likewise. It's randomly difficult to get through, and if you have third party content blocking it just doesn't show up. I hit back pretty often, just counting the times I knew it was there and was the reason the page wasn't working.