by GuB-42 1858 days ago
It mostly depends on what you are trying to protect with your CAPTCHA.

When I managed a small phpbb forum, all I had to do was to change a few lines in the register page to make it non-standard and it stopped all bots. Better than the built-in CAPTCHA. Simply, no one cared enough about our forum to write a specialized tool, no matter how easy it was.

If it is all you have to protect, go ahead with your clever ideas, it can add a bit of flair to your website and stop bots effectively. For accessibility, you can always deal with special requests manually.

The problem is entirely different if you are Google. People will spend months trying to break your CAPTCHA for fun and profit. Hand crafted problems will be solved faster than they can be written so "bot vs bot" is essentially your only option.
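A small added illustration of the two low-effort tactics the comment describes (this is example code written for this page, not anything from the commenter's forum): rename the stock registration fields and add a hidden honeypot so a bot scripted against the standard form posts the wrong names, and ask a site-specific question that anyone who knows the forum can answer. The field names, the question and the answer are constructed for the example; the three sample submissions are constructed too.

```python
"""Added example: the two low-effort tactics from the comment above.

1. 'Invisible tweak': rename the stock registration fields (and add a hidden
   honeypot) so a bot built against the standard form posts the wrong names.
2. A site-specific question that anyone who knows the forum can answer.

All field names, the question and the answers are constructed for this example.
"""
import hmac

# Constructed: nonstandard names a bot scripted against the stock form won't know.
FIELD_MAP = {
    "username": "reg_handle_7f",
    "email": "reg_contact_7f",
    "password": "reg_secret_7f",
}
HONEYPOT = "website"            # rendered hidden via CSS; humans leave it empty
CHALLENGE_FIELD = "reg_question_7f"

# Constructed site-specific question/answer (a rhythm-games club, as in the thread).
SITE_QUESTION = "We organize a tournament for this game, in 3 letters"
SITE_ANSWERS = {"ddr"}


def normalize(answer: str) -> str:
    """Be lenient on case/whitespace so humans are not rejected for typing 'DDR '."""
    return " ".join(answer.strip().lower().split())


def check_registration(form: dict) -> tuple[bool, str]:
    """Return (accepted, reason). Every check is cheap and runs before anything
    expensive (mail sending, DB writes), so a rejected bot costs almost nothing."""
    if form.get(HONEYPOT):
        return False, "honeypot filled"
    for logical, real in FIELD_MAP.items():
        if not form.get(real):
            return False, f"missing {logical} (expected field {real!r})"
    given = normalize(form.get(CHALLENGE_FIELD, "")).encode()
    # compare_digest avoids leaking the answer via timing; overkill for club
    # trivia, but it costs nothing and is the habit worth keeping.
    if not any(hmac.compare_digest(given, a.encode()) for a in SITE_ANSWERS):
        return False, "wrong challenge answer"
    return True, "ok"


# Constructed sample submissions.
def generic_bot_form() -> dict:
    """A bot scripted against the stock form: standard names, fills every input."""
    return {"username": "cheapmeds", "email": "a@b.test", "password": "x",
            HONEYPOT: "http://spam.example"}


def human_form() -> dict:
    return {"reg_handle_7f": "alice", "reg_contact_7f": "alice@example.test",
            "reg_secret_7f": "hunter2", CHALLENGE_FIELD: " DDR "}


def tuned_bot_form() -> dict:
    """A bot someone bothered to adapt to THIS form passes. That is the
    'small enough' caveat: the tweak buys obscurity, not strength."""
    f = human_form()
    f["reg_handle_7f"] = "cheapmeds2"
    return f


if __name__ == "__main__":
    for name, fn in [("generic bot", generic_bot_form),
                     ("human", human_form), ("tuned bot", tuned_bot_form)]:
        print(f"{name:12s} -> {check_registration(fn())}")
```

Running it shows the generic bot tripping the honeypot, the human passing, and the bot that was adapted to this specific form passing as well, which is exactly the "nobody cares enough about our forum" bet the comment is making.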


When I managed a purely Danish forum, I simply added a textbox and asked the user to write 'æ' in it. Never saw any spam after that.

I feel like you could have just asked them to type 'a'. If the threat was automated bots, all generic ones are defeated by a simple "do X" request. Especially if the request was in text, where a lazy human attacker could just copy-paste.

On one of our public-facing systems I put up a silly "what is the capital of x country?" while we waited on some other stuff. I think it's still in production.

And to my knowledge no bot has gotten past it or even bothered.

That filters out all Americans as well.

American here. I've never heard of country X!

/s

We ask similar questions in my EMS (paramedic) job to patients to determine if they're alert and oriented. Most providers ask name, year, location, president or something similar, and many patients are used to being asked routine questions. I like to see if they can answer stuff like "Name a large city in Florida."

Human captcha. :)

Springfield! Never can be wrong with that name.

And to keep out all the Swedes and Germans...

They couldn't copy-paste 'æ'?

Again, it blocks people who are not going to tweak their bot specifically for YOUR forum.

I am on a forum with like 20 other posters, and bots were stopped by the addition of a call/response field. Nobody who wanted to register would forget the classic response, but no bot was going to be able to answer it without some pretty specific Google-fu.

How does that work if you want to grow your hobby or group?

And if it's something between friends, why not use a private WhatsApp group or IRC?

Speaking for myself, it was a little bigger than 20 members (around 100). The thing is that we wanted to keep the forum open to everyone, at least for the public parts. That's why I went with invisible tweaks (mostly just renaming fields) instead of a challenge.

But I could have come up with a challenge that anyone interested in our forum would have known. We were a rhythm games club, so a question could have been "We organize a tournament for this game, in 3 letters". Anyone who had heard of us would know it is DDR (it was our main event), and for those who didn't, all it took was a quick look at our website.

And even if it is just a hobby, you don't get the same thing from a forum compared to a WhatsApp or even a Facebook group. In fact, a few years after me and all the geeky admins left, they switched to Facebook, which completely killed the already dying online community.

Maybe nowadays we could use a Discord server, which does a bit more for a community than a WhatsApp group, is more accessible than IRC, and saves history.

Another great thing about the forum is that I still have a backup from the time I still had admin rights, and I could bring it back to life on a private server with some friends, even though the club is now completely dead.

Memories are not lost, except for most of the external links (ImageShack...).

> Anyone who heard of us would know it is DDR

Heck, I've never heard of you lot, but I immediately guessed DDR. Man, I miss competing with randoms at the arcade in Brisbane city.

My first thought would have been Osu or EBA (Elite Beat Agents), a different type of rhythm game.

ITG is three letters as well, though.

The ones I've seen are not difficult questions. E.g., if it was a forum for some TV series fandom, a question could be "What is the main character's name?"

It's an offshoot forum of a video games guild subforum built from another larger forum. It's not going to grow (indeed, it is dying / dead at this point).

All things must pass and all that.

I can confirm that just a simple modification to the standard registration form keeps out all bot spammers. If your forum or bug tracker is small enough, that will eliminate all spam. The built-in spam countermeasures like CAPTCHAs seemed worthless from my experience.

Small enough being the operative word, since it only takes one person to write an OpenBullet config for that form.

This is the best comment, by far. Of course we can have lots of brainstorming about other fun captcha-ish constructions, but the key question is whether they satisfy their purpose, which is to filter machines out, and only those.

In low-scale settings, if it's a place almost nobody knows, then this works, but many approaches work, like just asking "What is 1+1?". Scale is low, so no bot writer will bother to adjust.

In high-scale, high-visibility settings, none of this works. The incentive to break your captcha is so high that you'd need to basically construct a reverse Turing test. You need to assume that the attacker is very powerful and very smart and will spend months custom-tuning their solution to break your captcha. This is really hard, and how to do it is the interesting discussion.

In summary, the setting matters. If it's the first one, we can debate toys all day long, but they only have entertainment value. If it's the second, then this is really hard, and the state of the art is to click pictures with traffic lights.