Request from a reader:

Are there good free open alternatives to Google's ?

It is very difficult to avoid recaptchas as so many sites seem to rely on them. It would be nice to have alternatives people could suggest to websites.

@switchingsocial also they work like shit when you got blockers on, i usually have to spend more than a minute on each of those, they never work properly and feel like some sort of punishment
@switchingsocial I know there is KoCaptcha but it’s quite limited. (Pleroma has a hook to use it)

@switchingsocial @thomasfuchs I'd use something like hidden fields which will be autofilled by bots, hidden submit buttons or something like that.

Not really an answer to your question, but captchas always come with significant accessibility issues. Why not suggest better ways to prevent bots from accessing sites, like

@switchingsocial there is a recaptcha-like alternative where you contribute to the commons, but I don't remember the name.

@switchingsocial We couldn't find any that suited our needs. That's why we built our own Captcha for Tutanota: 😉

@Tutanota @switchingsocial
I like the captchas that the #peng collective is using. unfortunatly I don't know where the code of it is to find.

they have it here in their page in use:

@switchingsocial Bad metaphor: “Why are you asking for a faster horse carriage instead of a car?”

The question I'd like to see is: “How can we do this without resorting to dehumanizing and inaccessible, discriminating measure where a human being has to successfully guess what a computer thinks that the answer to their question is, even though both, the question and the expected answer are bullshit and even formally and factually incorrect?”
AKA: What's the actual problem to solve?

@MacLemon you don't know which problem is captcha trying to solve?

@datione How would I? It highly depends on the site it is presented on and one ususally doesn't have any insight into their backend.
Some people throw CAPTCHAs at almost everything without having a clue of the implications.
Whatever the underlying problem is or was, CAPTCHAs are almost always not the solution. That's why I asked for (an example of) the underlying actual problem to solve.

@MacLemon how can you argue that captcha design is wrong if you don't even understand the purpose? The acronym stands for "completely automated public Turing test to tell computers and humans apart". So any time you have an internet-connected device where you want people to go in, but robots not, you can use a captcha for that. It doesn't have to be warped letters, it doesn't have to be selecting traffic lights, those are just some of the ideas people came up with. If you know better, tell us...

@datione Seems that the actal question I raised didn't reach you. It was way beyond expanding the acronym. Your unrequested lecture is almost insulting given that fact.

@MacLemon I don't suppose you'd be willing to point out what I missed, would you?

@datione Sure, why not? :-)

The original idea behind a CAPTCHA of course was to tell humans and automated bots/scripts/etc. apart.

Warped letters were replaced by images, because bots became better at reading them than humans.
These days, Google mixes noise into pictures, because their own image recognition can solve their own challenges.
Same for the audio challenge, their voice recognition is actively used to solve their own challenges.

Hence, CAPTCHAs completely miss their intention.

@datione And the question I was asking, is WHAT the actual underlying problem is that people want to solve with a CAPTCHA. Meaning why are they thinking they need a CAPTCHA in the first place?
Do they want to mitigate automated sign-ups or something else? Is that an actual problem or just a guess they've never verified?
This is why I heavily question why you'd want to use a CAPTCHA at all in the first place. They're mostly useless for their original purpose, annoying and mostly inaccessible.

@MacLemon I think you are too focused on just one type of captcha - the warped letters. It's slowly getting obsolete (there are some that are still unsolvable by OCR, such as But the point is that captcha is ANYTHING that can separate humans from machines. Google started using ML hard images, feed their own ML, which made it obsolete even faster - basically they can only use the adversarial examples and there are fewer and fewer of them. Finding a better captcha is hard

@MacLemon And the purpose is always to keep robots out. Signups mostly, but sometimes security features. The problem with automated signups is so widespread that it doesn't make a sense building a system without at least thinking about protecting against it. Look at fediverse - no captchas, thousands of automated accounts posting dickpicks in federated timeline. If fediverse ever gets as big as facebook, the russian troll army will be super happy here

@switchingsocial I HATE google recaptcha (last far more than usefull !) 

@switchingsocial the major logistical issue of a Free catch is the costly backend systems for something that works at scale. Google gives it away for free because it improves other products that they charge for, so for them it's a value add. I've seen some other generative captchas for sites like WordPress, but other commenters are right, there are accessibility issues with any captchas. Bot detection and honeypots might be a better option, but also have their own issues.


What about self-hosted options? Are they viable and do they scale better?

@switchingsocial my experience with self hosted captchas was with the WordPress add ons that were self hosted, and only marginally effective. The ease of machine vision has made traditional captchas moot, hence Google's continuing evolution of their no-recaptcha to the current check box that, supposedly, should only make you do the image recognition if a number of factors detected from your connection flag you as suspect.

Sophos security blog has a good look at this

@switchingsocial I've seen "manual" options employed on some sites/blogs where you need to solve some randomized riddle/problem like, "1+5=", & you enter a 6 in an answer field.

Then there's the federated/#OAuth-type #authentication options: outsource account/user #verification to a 3rd-party (which might have some #reCAPTCHA-like thing periodically, but otherwise once you're signed-into #Google/#Facebook/#whereeverelse, you can sign-in anywhere that recognizes that authentication #authority)

@switchingsocial The answer is no CAPTCHAs at all. This essay talks about some alternatives and I have a few ideas myself I'd be happy to discuss for specific situations.

@freakazoid @switchingsocial CAPTCHAs also keep people who need to use Tor or a VPN from accessing websites. I have had to avoid using certain services because I could not sign up with them over Tor. Many websites use CAPTCHAs to punish people for trying to protect their own security and privacy.
CAPTCHAs are also highly subjective. Does a moped count as a motorcycle? Does the pedestrian crosswalk light count as a traffic light? Does a large passenger van count as a bus?

@alana @alcinnz @switchingsocial Ah, thanks. Sorry about that. I removed the id= at the end assuming it was some kind of tracking parameter.

Coinhive used to have a captcha, I dont know if it was open source, I think now its discontinued, probably blocked by most ad blockers, just wanted to mention it.

Sign in to participate in the conversation
Mastodon is a microblogging site that federates with most instances on the Fediverse.