by janpieterz 1094 days ago
Thought the same, had a pleasant signup form for a small SaaS platform nobody really knows about, with no captcha. Then someone or some group found it and there's been a barrage of attacks varying in intensity, vectors, etc. Cost us so much money in vendor costs that the small company is now in danger of going bankrupt.

I appreciate the sentiment, as I had it, but rest assured any future publicly accessible form I build will get at least a CAPTCHA in front of it.


I have a bunch of publicly accessible forms and none of them have captchas.

I did once run into an issue where a signup form was abused by a spammer, but that was a simple fix (tip: in verification emails, do not include any information that the user typed in the form).

If you are careful with your forms, you don't need captchas. Captchas add a lot of friction for some users, so if they can be avoided, they should be.

Many captchas add friction for some users, but some types don't; there are relatively fast "proof of work" captchas that aren't surfaced to the user at all.

CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart

Proof of work isn't a CAPTCHA.

Can you explain what you mean by that tip? Was this spammer using your verification emails to send spam or something?

Or was it more complicated, like not needing to store which fake account had which details?

The registration form had a name and an email, and I sent a message similar to the following:

Hi <name>, thank you for signing up...

The spammers put their spam message in the name field, so my server started sending messages like this:

Hi Get free cialis now http://example.com, thank you for signing up...
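The abuse described in that comment, as an added example that is not the commenter's own code: the reflecting mailer beside a fixed version whose body contains only server-generated values, plus a check that flags outbound bodies still echoing form input. The sample signups and the verify URL `https://app.example/verify` are constructed for the example.

```python
import re

# Constructed sample signups; the "name" field is attacker-controlled form input.
SIGNUPS = [
    {"name": "Alice", "email": "alice@example.org"},
    {"name": "Get free cialis now http://example.com", "email": "victim@example.net"},
]

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def build_reflecting_email(signup, token):
    """The pattern from the thread: user-typed input is echoed into an outbound
    message, so the signup form doubles as a spam relay to any address typed in."""
    return (f"Hi {signup['name']}, thank you for signing up...\n"
            f"Verify: https://app.example/verify?t={token}")


def build_fixed_email(signup, token):
    """Hardened version: the body is a fixed template plus a server-generated
    token. The name is not rendered at all; it can be shown once the address
    is verified. The recipient address goes in the envelope, not the body."""
    return ("Hi, thank you for signing up...\n"
            f"Verify: https://app.example/verify?t={token}")


def reflects_user_input(body, signup):
    """Review check for a mailer: does the body contain any form field verbatim?"""
    return any(value and value in body for value in signup.values())


def looks_like_spam_name(name):
    """Cheap pre-send filter: names carrying URLs or unusual length are suspect."""
    return bool(URL_RE.search(name)) or len(name) > 40
```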