The state of CAPTCHAs

Update (April 11, 2020): hCaptcha is now a viable replacement for reCAPTCHA.

I use Google’s reCAPTCHA v2 on my website’s contact form to prevent spam from automated systems. It seems to work fine – the only spam I get is manually produced by real humans trying to convince me to post their garbage on my blog.

Long-term, it looks like Google is moving to reCAPTCHA v3, which apparently should be run on every single page of my site to be most effective and uses the presence of a Google cookie as a signal to distinguish humans from robots.

I would prefer to not run extra mystery-meat JavaScript on every page of my site and penalize humans who don’t stay signed into Google services, and I’ve found recent reCAPTCHA v2 challenges increasingly difficult and inconvenient. Because my site is not a magnet for targeted spam attacks, most likely any sort of CAPTCHA would work fine – I don’t strictly need the high sensitivity of reCAPTCHA v2 or v3.

I spent a bit of time looking at alternatives, starting with this “Ask HN” post and then doing some research on my own. It turns out there are pretty much no alternatives to reCAPTCHA. The few that were mentioned on “alternative to reCAPTCHA” lists seem to be shut down, their websites returning 404 errors or (ironically) taken over by spam.

The one possibly viable option I found was TextCaptcha, which according to Pinboard I first found back in 2013 and subsequently forgot about. However, their API is not available over HTTPS so I can’t use it on my HTTPS-enabled site without either a proxy or setting up a server-generated contact page.

Therefore my options are:

  1. Write my own CAPTCHA in JavaScript (would be effective but might have usability edge cases)
  2. Replace my static contact form with a dynamically generated page (adds complexity and maintenance to my website, will be slower to end users than a static page)
  3. Continue using reCAPTCHA v2 for now, while I work on a solution for using TextCaptcha that gets around the HTTPS issue.

The last option seems the best for me. I wish there was a non-creepy state-of-the-art CAPTCHA option, but I suspect these attributes are mutually exclusive for large websites today.

Max Masnick @max

© Max Masnick. Views expressed here are mine alone.