I hear you, but do you have another solution to fix spammers invading a system? reCAPTCHA is annoying but I understand what it solves, I do type away.. And it’s true, sometimes I give up too.
What is your thread model? What’s the worst thing a spammer can do if they sign up? For most websites, what spammers can do is very limited so why are you expecting spammers to sign up in the first place?
If you really think a captcha is necessary, limit it. For example, require that a captcha is required for two account registrants with a 24h period from the same ip. Don’t require captchas for logins unless a reasonable limit of attempts has been exceeded (5 wrong passwords within 24h by the same ip for example).
If your site is small, a captcha is often overkill. A hidden input can trick pretty much any automated spam bot (if input empty, real user, otherwise bot). Just make sure you do enough research so accessibility readers also work with that field properly.
If a spammer targets you, you can always active a captcha manually, although by the time you realize it, it might be too late.
Keep in mind that a captcha only adds friction to the spammer (and users). Bypassing reCAPTCHA is possible for any motivated spammer for only a few cents/captcha. There are services that have humans in developing countries solve them for you. Coupled with a headless chromium, you can easily build a reputation so that google will let you through. For testing credit cards, this setup is definitely used and most likely worth it. So a captcha will not always save you from bots.
Also keep in mind that hacker news does not have a captcha and the amount of spammers is minimal.
1. Identify a large number of email newsletter signup pages that don't use captcha and which either send an opt-in confirmation message or a welcome message on signup.
2. Identify a target for some kind of account takeover attack. (Assuming you have other details needed for takeover.)
3. Rent botnet.
4. Perform thousands of signups for the target's email address starting shortly before your attack.
If the account's only security notifications (e.g., password reset, etc.) are in the form of emails, the flood of spam will usually keep the target from seeing them until too late.
These are real attacks, frequently seen in the wild.
They must have not been around when proboards/ezboards/phpbbs were regularly taken over by spammers. It could single-handedly kill communities if the admins couldn't keep up.
It's hard for me to take people seriously who rail against recaptcha yet don't seem to realize why we use it nor pitch a real alternative. Or that spammer protection is overrated because their obscure blog doesn't get much spam.
It's easy to enumerate what sucks about something, but you can't just stop there.
>>> What’s the worst thing a spammer can do if they sign up? <<<
Depends on your size and resources. Imagine you're basically scrappy with a very small and tight budget and still trying to validate your idea, and you're using one of those providers that gives you a free quota (like Google App Engine), you don't want 'spammers' to drain your free allotment of resources. I know someone who has a small niche blog in the health sector whose blog was repeatedly targeted by spammers/bots. He repeatedly saw increases in his bills till he had someone audit his blog and try to block the bots
For a lot of sites, as you mention, it's payments and testing credit cards.
I have found that simply throwing a reCaptcha onto your form forces you to make a bad choice between protecting the user's privacy and creating a mostly-seamless experience: if you don't want most of your users identifying school buses, you need to send all their behavior to Google.
To get around that, I've tried layering a number of different approaches. These include outright throttling/blocking repeated form submissions from the same ip; using a honeypot field; using a third-party email verification/validation service; showing captchas only under certain very restrictive circumstances (heuristics that make a guess/overall traffic patterns); etc. It's more work, and still a bit cat-and-mouse but at least I don't feel like I'm pissing off every potential customer
> What’s the worst thing a spammer can do if they sign up?
I have seen spammers signing up just to send short message via welcome email ("Hi firstname," -> "Hi check this foo.com,") to their targets. The worst thing that can happen from that is that your domain/email servers end up in the blacklists.
If you send a validation email being targeted by spammers already means cost increase, messy databases / analytics and maybe even a ban for having sent to many emails at the same time.
reCAPTCHA can already be configured to be invisible and only display if it suspects the user could be a bot.
For the majority of users, they won't see a captcha challenge and it is a seamless experience with no added friction.
Those who have lots of tracking/privacy protections however will more likely be flagged as a potential bot and usually have tougher challenges as a result.
There are other options. Cloudflare just switched to hCAPTCHA [0], and proof of work [1] can be effective enough. Aside from those, there's always the option of just leaving it open if there's nothing costly a spammer can do. They're unlikely to use the service itself and associated resources.
I don't have much experience with hCAPTCHA, but my biggest complaint with reCAPTCHA aside from the privacy aspect is that it quite literally tells me I'm wrong on a puzzle when I've done it correctly. It forces me to go through sometimes a dozen or more iterations before finally allowing me through.
With ReCaptcha 3, most users won't notice any captcha at all. Reducing friction to zero for the majority of users is a huge advantage vs other solutions.
That's true, although google's own recommendations are to add the scripts on every page
>reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.
A privacy minded programmer/company might restrict the scripts to the minimal set of pages, but I'd imagine most sites would blindly follow that advice and put it on every page because they think more data = better.
I used to run a forum for an indie videogame with a small but passionate userbase. Unfortunately it was completely overrun by spambots to the point that moderators couldn't keep up and they drowned out the real posts. We had to shut it down.
Anything with a chat/comments section will be overrun with spam-bots and be rendered unusable and unwelcoming. The difference between a bot-ridden comments section in a blog and a clean one is huge.
There are lists of companies with workflows like this that get used in spam campaigns. You can put any email address in and now they will get a signup notice and multiple 'hey you didnt complete our workflow!' marketing messages. Easy way to put a lot of useless messages that mostly pass spam checks in any mailbox you desire.
I recently had an incident with Chime Bank like this, where someone enrolled every public email address at my company with them. I sent them an abuse report and they told us to block their domains. Real great solution, guys.
True that! Had a discussion along that line just earlier today about the contact us function on my website. Worst case, I get some more mails in my spam folder. I can live with that, checking it every two weeks or so doesn't hurt.
If you really think a captcha is necessary, limit it. For example, require that a captcha is required for two account registrants with a 24h period from the same ip. Don’t require captchas for logins unless a reasonable limit of attempts has been exceeded (5 wrong passwords within 24h by the same ip for example).
If your site is small, a captcha is often overkill. A hidden input can trick pretty much any automated spam bot (if input empty, real user, otherwise bot). Just make sure you do enough research so accessibility readers also work with that field properly.
If a spammer targets you, you can always active a captcha manually, although by the time you realize it, it might be too late.
Keep in mind that a captcha only adds friction to the spammer (and users). Bypassing reCAPTCHA is possible for any motivated spammer for only a few cents/captcha. There are services that have humans in developing countries solve them for you. Coupled with a headless chromium, you can easily build a reputation so that google will let you through. For testing credit cards, this setup is definitely used and most likely worth it. So a captcha will not always save you from bots.
Also keep in mind that hacker news does not have a captcha and the amount of spammers is minimal.