Update (April 11, 2020): hCaptcha is now a viable replacement for reCAPTCHA.
I use Google’s reCAPTCHA v2 on my website’s contact form to prevent spam from automated systems. It seems to work fine – the only spam I get is manually produced by real humans trying to convince me to post their garbage on my blog.
Long-term it looks like Google is moving to reCAPTCHA v3, which apparently should be run on every single page of my site to be most effective and uses the presence of a Google cookie as a signal to distinguish humans from robots.
I spent a bit of time looking at alternatives, starting with this “Ask HN” post and then doing some research on my own. It turns out there are pretty much no alternatives to reCAPTCHA. The few that were mentioned on “alternative to reCAPTCHA” lists seem to be shut down, their websites returning 404 errors or (ironically) taken over by spam.
The one possibly viable option I found was TextCaptcha, which according to Pinboard I first found back in 2013 and subsequently forgot about. However, their API is not available over HTTPS so I can’t use it on my HTTPS-enabled site without either a proxy or setting up a server-generated contact page.
Therefore my options are:
- Replace my static contact form with a dynamically generated page (adds complexity and maintenance to my website, will be slower to end users than a static page)
- Continue using reCAPTCHA v2 for now, while I work on a solution for using TextCaptcha that gets around the HTTPS issue.
The last option seems the best for me. I wish there was a non-creepy state-of-the-art CAPTCHA option, but I suspect these attributes are mutually exclusive for large websites today.