Recaptcha alternatives?

So I have a semi-popular website with login/signup pages and all the usual stuff you can expect.

Recently I’m seeing quite a few users who seem to be correctly solving the Recaptcha challenge, but then somehow fail the verification when I pass the challenge token to the server.

Since Google has notoriously bad support, this is effectively a dead end. I’m wondering if folks know of some alternatives to Recaptcha that can be used for spam and attack mitigation.

Honeypot fields don’t cut it in 2022. I did take a look at Arkose Labs and Recaptcha enterprise, but both seem to be quite pricey.
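The failure the post describes (a token the browser submits correctly, rejected when the server verifies it) is only diagnosable if the server actually reads the whole siteverify response instead of just `success`. The following is an added example, not the poster's code: it interprets the JSON that Google's `https://www.google.com/recaptcha/api/siteverify` endpoint returns (`success`, `challenge_ts`, `hostname`, `error-codes`) and maps the documented error codes to what they mean operationally. Two of them explain most "solved but rejected" reports: `timeout-or-duplicate` (a token is single-use and expires after two minutes, so any retry or double-submit of the same form fails) and `invalid-input-secret` (wrong key pair). The sample responses below are constructed, not captured; the HTTP call is injected so the block runs offline.

```python
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Error codes documented for the siteverify endpoint, with the operational
# meaning a defender wants in the log. Unknown codes are still logged verbatim.
ERROR_HINTS = {
    "missing-input-secret": "server bug: secret parameter not sent",
    "invalid-input-secret": "server misconfiguration: secret does not match the site key",
    "missing-input-response": "client sent no token (form submitted before the widget finished?)",
    "invalid-input-response": "token malformed, or issued for a different site key",
    "bad-request": "request to siteverify was malformed",
    "timeout-or-duplicate": "token older than 2 minutes or already verified once; "
                            "never verify the same token twice (e.g. on a retry)",
}


@dataclass
class Verdict:
    ok: bool
    reason: str


def evaluate_siteverify(body: str, expected_hostname: str) -> Verdict:
    """Interpret a raw siteverify JSON body. Performs no network I/O."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return Verdict(False, "siteverify returned a non-JSON body")

    if not data.get("success"):
        codes = data.get("error-codes", [])
        hints = "; ".join(f"{c}: {ERROR_HINTS.get(c, 'unknown code')}" for c in codes)
        return Verdict(False, f"verification failed ({hints or 'no error-codes given'})")

    # A token solved on some other site's widget still verifies as success;
    # the hostname field is the only thing tying it to your domain.
    if data.get("hostname") != expected_hostname:
        return Verdict(False, f"hostname mismatch: token was solved on {data.get('hostname')!r}")

    return Verdict(True, f"ok (challenge_ts={data.get('challenge_ts')})")


def verify_token(token: str, secret: str, expected_hostname: str, post=None) -> Verdict:
    """One siteverify round trip. `post` is injectable so tests run offline;
    the default performs the real form POST."""
    if post is None:
        def post(url, fields):
            req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read().decode()
    body = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    return evaluate_siteverify(body, expected_hostname)


# Constructed sample responses (not captured from Google) for offline use.
SAMPLE_OK = '{"success": true, "challenge_ts": "2022-06-01T12:00:00Z", "hostname": "example.com"}'
SAMPLE_REPLAY = '{"success": false, "error-codes": ["timeout-or-duplicate"]}'
SAMPLE_WRONG_SECRET = '{"success": false, "error-codes": ["invalid-input-secret"]}'
SAMPLE_OTHER_SITE = '{"success": true, "challenge_ts": "2022-06-01T12:00:00Z", "hostname": "other.example.org"}'

if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("replay", SAMPLE_REPLAY),
                       ("wrong-secret", SAMPLE_WRONG_SECRET), ("other-site", SAMPLE_OTHER_SITE)]:
        print(f"{name:12} -> {evaluate_siteverify(body, 'example.com')}")
```

Logging `Verdict.reason` per failed login attempt, together with whether the same token was seen twice, is usually enough to tell genuine users hitting the two-minute expiry or a double submit from automation sending garbage tokens.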

Comments

  • Erisa, Member

    Nothing you'll find will ever be perfect but have you looked into hCaptcha? They're the "popular" alternative right now and I use them personally without much headache.

    Thanked by: szymonp
  • yoursunny, Member, IPv6 Advocate

    Mentally strong people do not waste visitor's time on stupid CAPTCHA.
    We use OAuth sign-in from Twitter & GitHub.

  • edited June 2022

    @yoursunny said:
    Mentally strong people do not waste visitor's time on stupid CAPTCHA.
    We use OAuth sign-in from Twitter & GitHub.

    Which can be fairly useless when the majority of your customers don't have Twitter and don't even know what GitHub is.

    So captcha is a must.

    Cause being financially strong is also a good addition to being mentally strong.

  • dane_doherty, Member
    edited June 2022

    From the attacker's perspective:

    • common solutions like ReCAPTCHA, ReCAPTCHA Enterprise, hCAPTCHA - they're all solved automatically for less than a penny
    • custom image-based CAPTCHAs can be solved even cheaper

    What I'd suggest is a custom interactive CAPTCHA (something like "rotate a picture so it's upwards"). It doesn't have to be complicated or obfuscated to weed out every automated script that's not tailored to your site.

    Or go with hCAPTCHA and tell us if they actually pay you for using their widget (they're supposed to).

    @yoursunny said: We use OAuth sign-in from Twitter & GitHub.

    Yes. Very effective but huge pain in the ass for many legitimate users.

    Thanked by: yoursunny, Chuck, devp
  • bulbasaur, Member
    edited June 2022

    @Erisa said:
    Nothing you'll find will ever be perfect but have you looked into hCaptcha? They're the "popular" alternative right now and I use them personally without much headache.

    @dane_doherty said:

    Or go with hCAPTCHA and tell us if they actually pay you for using their widget (they're supposed to).

    Appreciate the recommendation, but as far as I’m concerned I really don’t like them:

    • Doesn’t work with 3rd party cookies disabled, last I checked
    • Notoriously difficult challenges, and due to their business model, they don’t even allow users to bypass clicking images if they have sufficient reputation.
    • Goes around claiming how they’re supposed to be better than Google, yet they themselves engage in free labour extraction and are easily cracked by captcha solving services for the same price. (See https://www.hcaptcha.com/report-how-much-is-a-recaptcha-really-worth)

    @dane_doherty said:
    common solutions like ReCAPTCHA, ReCAPTCHA Enterprise, hCAPTCHA - they're all solved automatically for less than a penny

    Haha, I should know. I keep forgetting that a project of mine is also hooked up to 2captcha to bypass captchas. Still, it imposes a bit of a cost, which I think sufficiently mitigates the issue of brute force attacks.

    @dane_doherty said:
    What I'd suggest is a custom interactive CAPTCHA (something like "rotate a picture so it's upwards"). It doesn't have to be complicated or obfuscated to weed out every automated script that's not tailored to your site.

    I wasn’t looking forward to become a bot mitigation vendor, but it seems like there might not be a choice any more :)

  • Erisa, Member

    @dane_doherty said: common solutions like ReCAPTCHA, ReCAPTCHA Enterprise, hCAPTCHA - they're all solved automatically for less than a penny

    This is true, and I think highlights a misunderstanding a lot of people have when it comes to captchas.

    Having a captcha does not stop automated traffic to your web property. It will still happen. But it will be lesser, it will be slower, and it will involve the attacker putting in some effort.
    In this respect, I treat it more as a deterrent than a prevention. When you add a captcha you can't get flooded with hundreds or thousands of requests a second anymore, and the most basic automation will give up. You only get left with the ones who actually want to put effort in.

  • @stevewatson301 said: Doesn’t work with 3rd party cookies disabled, last I checked

    ?? They totally do.

    @stevewatson301 said: Notoriously difficult challenges

    Even if you're connecting via Tor, you get 2 pages of challenges, not fucking 25 to life with ReCAPTCHA.

    @stevewatson301 said: they don’t even allow users to bypass clicking images if they have sufficient reputation.

    They do, but the threshold is somewhat high (I only get waved through when I'm using throwaway VPSes).

  • @dane_doherty said:

    @stevewatson301 said: Doesn’t work with 3rd party cookies disabled, last I checked

    ?? They totally do.

    Might be the accessibility mode then that doesn’t work with 3p cookies disabled.

    @stevewatson301 said: Notoriously difficult challenges

    Even if you're connecting via Tor, you get 2 pages of challenges, not fucking 25 to life with ReCAPTCHA.

    The only issue is, my normal users aren’t usually using tor, so even getting the two pages of captchas is sufficient for some of them to give up.

    @stevewatson301 said: they don’t even allow users to bypass clicking images if they have sufficient reputation.

    They do, but the threshold is somewhat high (I only get waved through when I'm using throwaway VPSes).

    Interesting, I’ve never seen them do this (they always provide a single page of captchas even on residential networks). But, you’re the expert on these matters, so I’ll take your word for it :)

    Thanked by: fynix
  • fynix, Member

    @stevewatson301 said: you’re the expert on these matters

    Right on

    Thanked by: Erisa
  • yoursunny, Member, IPv6 Advocate
    edited June 2022

    @NobodyInteresting said:

    @yoursunny said:
    Mentally strong people do not waste visitor's time on stupid CAPTCHA.
    We use OAuth sign-in from Twitter & GitHub.

    Which can be fairly useless when the majority of your customers don't have Twitter and don't even know what GitHub is.

    They can create a Twitter account for free, and then login to the target website.

    So captcha is a must.

    Cause being financially strong is also a good addition to being mentally strong.

    Mentally strong people don't care about financials.
    There's barely any advertisement on my website.

  • bulbasaur, Member
    edited June 2022

    @yoursunny said:

    @NobodyInteresting said:

    @yoursunny said:
    Mentally strong people do not waste visitor's time on stupid CAPTCHA.
    We use OAuth sign-in from Twitter & GitHub.

    Which can be fairly useless when the majority of your customers don't have Twitter and don't even know what GitHub is.

    They can create a Twitter account for free, and then login to the target website.

    And get harassed by Twitter for a phone number, which they’d use for ad targeting. No thanks.

    http://www.ftc.gov/business-guidance/blog/2022/05/twitter-pay-150-million-penalty-allegedly-breaking-its-privacy-promises-again

  • @yoursunny said:

    @NobodyInteresting said:

    @yoursunny said:
    Mentally strong people do not waste visitor's time on stupid CAPTCHA.
    We use OAuth sign-in from Twitter & GitHub.

    Which can be fairly useless when the majority of your customers don't have Twitter and don't even know what GitHub is.

    They can create a Twitter account for free, and then login to the target website.

    So captcha is a must.

    Cause being financially strong is also a good addition to being mentally strong.

    Mentally strong people don't care about financials.
    There's barely any advertisement on my website.

    The moment you tell your customers that they need to register somewhere else, in order to be able to register at your site and purchase your product - you'd lose 80% of any potential sales.

    I know that I, as a customer, would just wave the middle finger and go buy something similar, from a place that doesn't make me jump through hoops in order to give them my money.

  • Checkout friendly captcha.
    https://friendlycaptcha.com/

    Based on proof of work. The user doesn't need to click on any images, instead the user's browser solves the challenge.

    The idea is to find a value such that its blake2b hash meets a certain criteria. Sure this can be solved by automation but highly resource intensive when done at scale.

    Thanked by: bulbasaur
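To make the proof-of-work idea in this post concrete, here is an added example; it is not friendly captcha's own code or puzzle format. The server hands out a puzzle consisting of a timestamp, a difficulty and a random nonce, authenticated with an HMAC so it can be verified statelessly and so the client cannot lower the difficulty; the browser brute-forces a counter until blake2b(puzzle || counter) has the required number of leading zero bits; the server then checks the solution with one HMAC and one hash, and rejects tampered, stale and replayed puzzles. The server key, TTL and 14-bit difficulty are constructed values chosen so the block runs in well under a second.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed parameters; a real deployment tunes difficulty per endpoint.
DIFFICULTY_BITS = 14          # client does ~2**14 hash attempts on average
PUZZLE_TTL_SECONDS = 300      # puzzle must be solved within this window
HEADER_LEN = 8 + 1 + 16       # timestamp || difficulty || nonce
TAG_LEN = 32                  # HMAC-SHA256 tag


def make_puzzle(server_key: bytes, difficulty: int = DIFFICULTY_BITS) -> bytes:
    """Server side: issue an authenticated puzzle. No per-puzzle state is stored."""
    header = struct.pack(">QB", int(time.time()), difficulty) + os.urandom(16)
    tag = hmac.new(server_key, header, hashlib.sha256).digest()
    return header + tag


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def pow_hash(puzzle: bytes, solution: int) -> bytes:
    return hashlib.blake2b(puzzle + solution.to_bytes(8, "big"), digest_size=32).digest()


def solve(puzzle: bytes) -> int:
    """What the visitor's browser does: increment a counter until the hash is small enough."""
    difficulty = puzzle[8]
    solution = 0
    while leading_zero_bits(pow_hash(puzzle, solution)) < difficulty:
        solution += 1
    return solution


def verify(server_key: bytes, puzzle: bytes, solution: int, seen: set, now=None) -> bool:
    """Server side: constant cost regardless of difficulty, plus freshness and single-use checks.
    `seen` holds puzzles already accepted; entries older than the TTL can be evicted."""
    if len(puzzle) != HEADER_LEN + TAG_LEN:
        return False
    header, tag = puzzle[:HEADER_LEN], puzzle[HEADER_LEN:]
    if not hmac.compare_digest(hmac.new(server_key, header, hashlib.sha256).digest(), tag):
        return False  # forged or tampered puzzle, e.g. a lowered difficulty byte
    issued, difficulty = struct.unpack(">QB", header[:9])
    now = time.time() if now is None else now
    if not (issued <= now <= issued + PUZZLE_TTL_SECONDS):
        return False  # stale puzzle: the client cannot pre-compute a stockpile
    if puzzle in seen:
        return False  # replay: a solution is good for exactly one form submission
    if leading_zero_bits(pow_hash(puzzle, solution)) < difficulty:
        return False
    seen.add(puzzle)
    return True


if __name__ == "__main__":
    key = b"constructed-server-key"
    accepted = set()
    puzzle = make_puzzle(key)
    start = time.perf_counter()
    answer = solve(puzzle)
    print(f"solved after {answer} attempts in {time.perf_counter() - start:.3f}s")
    print("first submit:", verify(key, puzzle, answer, accepted))
    print("replayed submit:", verify(key, puzzle, answer, accepted))
```

The asymmetry is the whole point the post makes about scale: every submission costs the client on the order of 2^difficulty hashes while the server pays one HMAC and one hash, so a bot farm's cost grows linearly with volume. Puzzle issuance itself still needs ordinary rate limiting, since handing out puzzles is cheap for the server too.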
  • @stevewatson301 said:
    So I have a semi-popular website with login/signup pages and all the usual stuff you can expect.

    Recently I’m seeing quite a few users who seem to be correctly solving the Recaptcha challenge, but then somehow fail the verification when I pass the challenge token to the server.

    Since Google has notoriously bad support, this is effectively a dead end. I’m wondering if folks know of some alternatives to Recaptcha that can be used for spam and attack mitigation.

    Honeypot fields don’t cut it in 2022. I did take a look at Arkose Labs and Recaptcha enterprise, but both seem to be quite pricey.

    I fucking hate filling in forms and going to submit and then it errors for captcha and then I have to allow in uMatrix and reload for it to work. My guess is ad/script blockers getting in the way of your verifications.

  • @yoursunny said:
    Mentally strong people don't care about financials.

    Given your obsession over cheap VPS, that checks out.

  • @dane_doherty said: (something like "rotate a picture so it's upwards")

    Up to this. The guy knows what he's talking about.
    Moving something by mouse is much better than any captcha.
    Extremely hard to solve by passing images/captchas to 3rd party services for solving captchas and returning where and how to click.

    • Adding noframe will solve the problem.
    • It also depends on the community: you can make pre-defined captchas (question/answer) with topics related to the website/community, where everyone knows what it is and what it is called, to answer the question.
    • Also I've seen some restrictions related to mail providers, allowing only the big 6 email providers in the world. I'm not sure if it will be okay, but for sure much fewer temp-mail registered users.
    • Adding some extra level of pre-moderation before confirmation is a thing too. For example: the first 3-5 posts/some actions done in the community will be pre-moderated. If they pass moderation -> the group of the user is changed from "visitor" to "member" with fewer restrictions (very popular method to fight spammers).
    Thanked by: yoursunny
  • @TimboJones said:

    @yoursunny said:
    Mentally strong people don't care about financials.

    Given your obsession over cheap VPS, that checks out.

    We're all here, we're all obsessing over cheap VPS, and unfortunately - yes, none of us are as mentally stable as we tend to believe we are.

    The existence and popularity of the perfume king really pointed out how unstable we all are at the first sight of titties cheap VPS.

  • yoursunny, Member, IPv6 Advocate

    @desperand said:
    Also depends on the community, you can make pre-defined captchas (question/answer) with topics related to website/community. Where everyone knows what is it, and how it called for answering question

    Some questions to use on LET:

    • Which provider has involucrated?
    • Who owns involucrated.com domain?
    • Who is purple daddy?
    • Which provider calls customers stupid?
    • Who is the founder of 16TB Club?
    • Who is a MJJ?
    • What's the "benchmark" program made by the so-called Benchmark King?
    • Who operates Deep Atlantic Storage?
    • Which provider has the Ryzen migration button?
    • Who is the leader of MetalVPS sorority?
    Thanked by: cadddr
  • @TimboJones said:
    My guess is ad/script blockers getting in the way of your verifications.

    Please read the post, it says that the ReCAPTCHA token is submitted correctly by the browser, but the verification fails once I submit this token to Google. Looking at the request characteristics though, I’m pretty sure these aren’t bots.

    @yoursunny said:
    Some questions to use on LET:

    I know that deank is gone and you’re competing to be the next official troll, but I think you should stop it on this thread.

  • @rattlecattle said:
    Checkout friendly captcha.
    https://friendlycaptcha.com/

    Based on proof of work. The user doesn't need to click on any images, instead the user's browser solves the challenge.

    Interesting idea, this could actually work, and actually make it easier for users too. I'm not sure what made them bill even more than ReCAPTCHA at $0.004/assessment, though the concept seems simple enough to roll my own.

    Thanked by: yoursunny
  • I use a question of "Are you going post spam? (enter yes or no)" and the spam disappeared

    Thanked by: AlwaysSkint
  • @stevewatson301 said: bill even more than ReCAPTCHA

    Friendly captcha is open-source too, both the frontend and backend. It can be self hosted, but they don't allow commercial use using the open source code.

    To save costs, I guess one can develop his own self hosted captcha system using the logic from the above repos which also respects their licensing.

    On a different note, there's another captcha system, GeeTest: https://www.geetest.com/en/

    They have slider, icon types captchas but can be confusing for the users.

    Thanked by: mrTom
  • ravi, Member

    I always prefer to use custom captcha question.
    Like maths custom question, or type "hello example" in a text box.

    This also reduces dependency on any third party service.

    Thanked by: AlwaysSkint
  • NoComment, Member
    edited June 2022

    @desperand said:

    @dane_doherty said: (something like "rotate a picture so it's upwards")

    Up to this. The guy knows what he's talking about.
    Moving something by mouse is much better than any captcha.
    Extremely hard to solve by passing images/captchas to 3rd party services for solving captchas and returning where and how to click.

    It's not that you can't solve rotate captchas or solve them with real humans and sell an API service that way. It's more that the popular "western" captchas don't use rotate captchas. I think simply not using recaptcha/hcaptcha will probably make it slightly harder for people who simply pay for those captcha solving services (where they employ people from 3rd world countries for pennies to solve captchas). They probably won't bother making their own solution for some less known captcha service.

    Even without those captcha solving services, you can easily bypass captchas with speech recognition (if audio is available). Otherwise, you can do image recognition but it takes more effort.

    I think those rotate captchas are very common in china, and I am pretty sure the mjjs know exactly how to bypass those. Apparently, there's a simple script on github that is able to predict with 70-90% accuracy for baidu rotate captchas.

  • @ravi said:
    I always prefer to use custom captcha question.
    Like maths custom question, or type "hello example" in a text box.

    This also reduces dependency on any third party service.

    I like this idea. Something like rand(0,9) + rand(0,9)

  • @NoComment said:

    @desperand said:

    @dane_doherty said: (something like "rotate a picture so it's upwards")

    Up to this. The guy knows what he's talking about.
    Moving something by mouse is much better than any captcha.
    Extremely hard to solve by passing images/captchas to 3rd party services for solving captchas and returning where and how to click.

    It's not that you can't solve rotate captchas or solve them with real humans and sell an API service that way. It's more that the popular "western" captchas don't use rotate captchas. I think simply not using recaptcha/hcaptcha will probably make it slightly harder for people who simply pay for those captcha solving services (where they employ people from 3rd world countries for pennies to solve captchas). They probably won't bother making their own solution for some less known captcha service.

    Even without those captcha solving services, you can easily bypass captchas with speech recognition (if audio is available). Otherwise, you can do image recognition but it takes more effort.

    I think those rotate captchas are very common in china, and I am pretty sure the mjjs know exactly how to bypass those. Apparently, there's a simple script on github that is able to predict with 70-90% accuracy for baidu rotate captchas.

    Spin captcha is popular on "western" websites too; Roblox uses it, and since that has a huge bot problem I'm sure there is a way to bypass/solve it for cheap.

  • kevinds, Member, LIR

    @yoursunny said:
    We use OAuth sign-in from Twitter & GitHub.

    Personally, I say "bye, next" to those sites..

    OAuth is all fun until your 'main' account gets suspended for some reason..

  • yoursunny, Member, IPv6 Advocate

    @kevinds said:

    @yoursunny said:
    We use OAuth sign-in from Twitter & GitHub.

    Personally, I say "bye, next" to those sites..

    OAuth is all fun until your 'main' account gets suspended for some reason..

    That's why you connect both Twitter and GitHub.
    If you lose one, you have the other.
