Recaptcha alternatives?
So I have a semi-popular website with login/signup pages and all the usual stuff you can expect.
Recently I’m seeing quite a few users who seem to be correctly solving the Recaptcha challenge, but then somehow fail the verification when I pass the challenge token to the server.
Since Google has notoriously bad support, this is effectively a dead end. I’m wondering if folks know of some alternatives to Recaptcha that can be used for spam and attack mitigation.
Honeypot fields don’t cut it in 2022. I did take a look at Arkose Labs and Recaptcha enterprise, but both seem to be quite pricey.
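The symptom in the post (a challenge the user apparently solved, rejected when the token reaches Google) is easier to narrow down if the server actually reads what siteverify returns rather than just the `success` flag. The following is an added example, not code from the original post: it interprets a reCAPTCHA siteverify response according to the documented fields (`success`, `challenge_ts`, `hostname`, `score`, `error-codes`) and the documented rules that a token is only valid for two minutes and can only be verified once. The sample responses are constructed, no network call is made, and the expected hostname and score threshold are assumptions for the example.

```python
"""Interpret a reCAPTCHA siteverify response on the server side.

Added example, not from the original post or from Google. The dicts in
run_samples() are constructed to match the documented siteverify JSON
shape; nothing here talks to the network.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Error codes documented for https://www.google.com/recaptcha/api/siteverify
ERROR_MEANINGS = {
    "missing-input-secret": "secret key not sent",
    "invalid-input-secret": "secret key wrong or belongs to another site",
    "missing-input-response": "token not sent (client bug, or the widget script was blocked)",
    "invalid-input-response": "token malformed, expired, or issued for another site key",
    "bad-request": "request malformed",
    "timeout-or-duplicate": "token older than two minutes or already verified once",
}

TOKEN_LIFETIME = timedelta(minutes=2)   # documented reCAPTCHA token lifetime


def classify_siteverify(resp: dict, expected_hostname: str,
                        now: Optional[datetime] = None,
                        min_score: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accept, reason) for one siteverify response.

    expected_hostname and min_score are the caller's policy (assumptions
    in this example), not something siteverify enforces for you.
    """
    now = now or datetime.now(timezone.utc)
    if not resp.get("success"):
        codes = resp.get("error-codes") or []
        reasons = [ERROR_MEANINGS.get(c, c) for c in codes] or ["no error code given"]
        return False, "; ".join(reasons)
    # A token minted for another hostname verifies fine at Google's end,
    # so the hostname check is the server's job.
    if resp.get("hostname") != expected_hostname:
        return False, f"token issued for {resp.get('hostname')!r}, not {expected_hostname!r}"
    ts = resp.get("challenge_ts")
    if ts:
        solved = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - solved > TOKEN_LIFETIME:
            return False, "token older than two minutes"
    # v3 only: score is absent on v2 responses.
    if min_score is not None and resp.get("score", 0.0) < min_score:
        return False, f"score {resp.get('score')} below {min_score}"
    return True, "ok"


def run_samples() -> dict:
    """Constructed responses (not real Google output) and how each classifies."""
    now = datetime(2022, 6, 1, 12, 1, 0, tzinfo=timezone.utc)
    fresh_ts = "2022-06-01T12:00:30Z"
    samples = {
        "fresh": {"success": True, "challenge_ts": fresh_ts, "hostname": "example.com"},
        # What you get when middleware and the handler both call siteverify
        # on the same token: the second call is rejected.
        "double_verified": {"success": False, "error-codes": ["timeout-or-duplicate"]},
        "wrong_host": {"success": True, "challenge_ts": fresh_ts, "hostname": "staging.example.com"},
        "stale": {"success": True, "challenge_ts": "2022-06-01T11:50:00Z", "hostname": "example.com"},
        "low_score": {"success": True, "challenge_ts": fresh_ts, "hostname": "example.com",
                      "score": 0.1, "action": "login"},
    }
    return {
        name: classify_siteverify(r, "example.com", now=now,
                                  min_score=0.5 if name == "low_score" else None)
        for name, r in samples.items()
    }


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Log the `error-codes` array alongside the request for every rejection; `timeout-or-duplicate` on tokens that a real browser just produced usually means the token was verified twice in your own stack, while `invalid-input-response` with a correct secret usually means the widget on the page is loaded with a different site key than the one the server's secret belongs to.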


Comments
Nothing you'll find will ever be perfect but have you looked into hCaptcha? They're the "popular" alternative right now and I use them personally without much headache.
Mentally strong people do not waste visitor's time on stupid CAPTCHA.
We use OAuth sign-in from Twitter & GitHub.
Which can be fairly useless when the majority of your customers don't have Twitter and don't even know what GitHub is.
So captcha is a must.
Because being financially strong is also a good addition to being mentally strong.
From the attacker's perspective:
What I'd suggest is a custom interactive CAPTCHA (something like "rotate a picture so it's upwards"). It doesn't have to be complicated or obfuscated to weed out every automated script that's not tailored to your site.
Or go with hCAPTCHA and tell us if they actually pay you for using their widget (they're supposed to).
Yes. Very effective but huge pain in the ass for many legitimate users.
@dane_doherty said:
Appreciate the recommendation, but as far as I’m concerned I really don’t like them:
Haha, I should know. I keep forgetting that a project of mine is also hooked up to 2captcha to bypass captchas. Still, it imposes a bit of a cost, which I think sufficiently mitigates the issue of brute force attacks.
I wasn’t looking forward to becoming a bot mitigation vendor, but it seems like there might not be a choice anymore.
This is true, and I think highlights a misunderstanding a lot of people have when it comes to captchas.
Having a captcha does not stop automated traffic to your web property. It will still happen. But it will be lesser, it will be slower, and it will involve the attacker putting in some effort.
In this respect, I treat it more as a deterrent than a prevention. When you add a captcha you can't get flooded with hundreds or thousands of requests a second anymore, and the most basic automation will give up. You only get left with the ones who actually want to put effort in.
?? They totally do.
Even if you're connecting via Tor, you get 2 pages of challenges, not fucking 25 to life with ReCAPTCHA.
They do, but the threshold is somewhat high (I only get waved through when I'm using throwaway VPSes).
Might be the accessibility mode then that doesn’t work with 3p cookies disabled.
The only issue is, my normal users aren’t usually using tor, so even getting the two pages of captchas is sufficient for some of them to give up.
Interesting, I’ve never seen them do this (they always provide a single page of captchas even on residential networks). But, you’re the expert on these matters, so I’ll take your word for it
Right on
10 squats left to continue
https://www.producthunt.com/products/squat-captcha
They can create a Twitter account for free, and then login to the target website.
Mentally strong people don't care about financials.
There's barely any advertisement on my website.
And get harassed by Twitter for a phone number, which they’d use for ad targeting. No thanks.
http://www.ftc.gov/business-guidance/blog/2022/05/twitter-pay-150-million-penalty-allegedly-breaking-its-privacy-promises-again
The moment you tell your customers that they need to register somewhere else, in order to be able to register at your site and purchase your product - you'd lose 80% of any potential sales.
I know that I, as a customer, would just wave the middle finger and go buy something similar, from a place that doesn't make me jump through hoops in order to give them my money.
Check out Friendly Captcha.
https://friendlycaptcha.com/
Based on proof of work. The user doesn't need to click on any images, instead the user's browser solves the challenge.
The idea is to find a value such that its blake2b hash meets a certain criterion. Sure, this can be solved by automation, but it is highly resource-intensive when done at scale.
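To make the proof-of-work idea concrete, here is an added example of a complete challenge/solve/verify round trip. It is not Friendly Captcha's own code or wire format: the challenge layout (nonce, expiry, difficulty byte, HMAC-SHA256 tag), the "leading zero bits of a blake2b digest" criterion and the one-time-use nonce set are this example's assumptions, chosen so the server stays stateless apart from a replay set. The server key is generated at import for the demo; in a deployment it would come from configuration.

```python
"""Proof-of-work CAPTCHA round trip with blake2b.

Added example, not Friendly Captcha's code. Assumed layout of a challenge:
  nonce(16) | expiry unix seconds (8, big-endian) | difficulty bits (1) | HMAC-SHA256 tag (32)
The client must find a counter such that
  blake2b(challenge || counter) has at least `difficulty` leading zero bits.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret, here generated for the demo
DIFFICULTY_BITS = 16                   # about 2**16 hashes per solve; tune per endpoint
TTL_SECONDS = 300
_BODY_LEN = 16 + 8 + 1
_spent_nonces: set = set()             # replay protection; a cache with TTL in production


def issue_challenge(difficulty: int = DIFFICULTY_BITS, ttl: int = TTL_SECONDS,
                    now: Optional[int] = None) -> bytes:
    """Server side: mint a signed challenge the client has to work on."""
    now = int(time.time()) if now is None else now
    body = os.urandom(16) + struct.pack(">QB", now + ttl, difficulty)
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return body + tag


def _leading_zero_bits(digest: bytes) -> int:
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def _work_hash(challenge: bytes, counter: int) -> bytes:
    return hashlib.blake2b(challenge + counter.to_bytes(8, "big"), digest_size=32).digest()


def solve(challenge: bytes) -> int:
    """Client side: brute-force a counter. This is the work the browser does."""
    difficulty = challenge[_BODY_LEN - 1]
    counter = 0
    while _leading_zero_bits(_work_hash(challenge, counter)) < difficulty:
        counter += 1
    return counter


def verify(challenge: bytes, counter: int, now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side: check signature, expiry, replay, then the work itself."""
    now = int(time.time()) if now is None else now
    if len(challenge) != _BODY_LEN + 32:
        return False, "malformed"
    body, tag = challenge[:_BODY_LEN], challenge[_BODY_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"        # client cannot mint its own easy challenges
    expiry, difficulty = struct.unpack(">QB", body[16:])
    if now > expiry:
        return False, "expired"
    nonce = body[:16]
    if nonce in _spent_nonces:
        return False, "replayed"             # one solution buys exactly one form submission
    if _leading_zero_bits(_work_hash(challenge, counter)) < difficulty:
        return False, "insufficient work"
    _spent_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    ch = issue_challenge()
    t0 = time.perf_counter()
    answer = solve(ch)
    print(f"solved in {time.perf_counter() - t0:.2f}s with counter {answer}")
    print(verify(ch, answer))   # (True, 'ok')
    print(verify(ch, answer))   # (False, 'replayed')
```

Difficulty is the knob: each extra bit doubles the client's expected work while verification stays one hash plus one HMAC, which is the asymmetry that makes this cheap to run and expensive to farm. Verifying the signature before anything else matters because otherwise a client could submit a challenge of its own with difficulty 0.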
I fucking hate filling in forms and going to submit and then it errors for captcha and then I have to allow in uMatrix and reload for it to work. My guess is ad/script blockers getting in the way of your verifications.
Given your obsession over cheap VPS, that checks out.
Up to this. The guy knows what he's talking about.
Moving by mouse something - much better than any captcha.
Extremely hard to solve by passing images/captchas to 3rd party services for solving captcha and returning where and how to click.
We're all here, we're all obsessing over cheap VPS, and unfortunately - yes, none of us are as mentally stable as we tend to believe we are.
The existence and popularity of the perfume king really pointed out how unstable we all are at the first sight of titties cheap VPS.
Some questions to use on LET:
involucrated.com domain?

Please read the post, it says that the ReCAPTCHA token is submitted correctly by the browser, but the verification fails once I submit this token to Google. Looking at the request characteristics though, I’m pretty sure these aren’t bots.
I know that deank is gone and you’re competing to be the next official troll, but I think you should stop it on this thread.
Interesting idea, this could actually work, and actually make it easier for users too. I'm not sure what made them bill even more than ReCAPTCHA at $0.004/assessment, though the concept seems simple enough to roll my own.
I use a question of "Are you going to post spam? (enter yes or no)" and the spam disappeared.
Friendly Captcha is open-source too, both the frontend and the backend. It can be self-hosted, but they don't allow commercial use of the open-source code.
To save costs, I guess one can develop his own self hosted captcha system using the logic from the above repos which also respects their licensing.
On a different note, there's another captcha system, GeeTest: https://www.geetest.com/en/
They have slider and icon-type captchas, but they can be confusing for users.
I always prefer to use custom captcha question.
Like a custom maths question, or typing "hello example" into a text box.
This also reduces dependency on any third party service.
https://www.solvemedia.com/
It's not that you can't solve rotate captchas, or solve them with real humans and sell an API service that way. It's more that the popular "western" captchas don't use rotate captchas. I think simply not using reCAPTCHA/hCaptcha will probably make it slightly harder for people who simply pay for those captcha-solving services (where they employ people from third-world countries for pennies to solve captchas). They probably won't bother making their own solution for some less-known captcha service.
Even without those captcha solving services, you can easily bypass captchas with speech recognition (if audio is available). Otherwise, you can do image recognition but it takes more effort.
I think those rotate captchas are very common in china, and I am pretty sure the mjjs know exactly how to bypass those. Apparently, there's a simple script on github that is able to predict with 70-90% accuracy for baidu rotate captchas.
I like this idea. Something like rand(0,9) + rand(0,9)
Spin captcha is popular on "western" websites too; Roblox uses it, and since that has a huge bot problem I'm sure there is a way to bypass/solve it for cheap.
Personally, I say "bye, next" to those sites..
OAuth is all fun until your 'main' account gets suspended for some reason..
That's why you connect both Twitter and GitHub.
If you lose one, you have the other.