Captcha is only effective at annoying legitimate users. If there is any incentive to do so, bots have no problem bypassing/solving them.
Seconding this. Many sites are broken or inaccessible to me in qutebrowser lately due to Cloudflare captchas. I'd rather allow some bots in than lose the ability to use the site my preferred way.
Is this your experience as a sysadmin or a user? As a sysadmin, this is an absurd statement in contradiction of my everyday reality.
There are dozens, if not far more, of captcha solver APIs for extremely cheap. Captcha is very shallow bot "security" theater; they just deter the cheapest attempts.
Latest greatest versions of captcha are more resilient to these types of services, but it's a cat and mouse game. I would recommend that you, as a sysadmin, learn at least the most basic things about this stuff.
> I would recommend that you, as a sysadmin, learn at least the most basic things about this stuff.
This sort of language is inappropriate and unnecessarily combative.
In any event, no filter screen is perfect. Getting rid of 80% of bot traffic is a good thing, even if you can't rid yourself of 100% of it. You can't let perfect be the enemy of "pretty good."
People use CAPTCHAs because they work--even if imperfectly. Of course, you have to stay on top of the latest implementations.
The GP comment was appealing to their own authority in a condescending way, I feel the tone was matched, but thanks for the feedback.
What you’re saying is true, although you can do simple blocks on user agent + geo IP alone and accomplish blocking a majority of bots anyway without captcha - but I’ll digress - that is not the topic of discussion. I’m not at all arguing that CAPTCHA doesn’t stop bot traffic - in fact my first comment says the opposite. Most bot traffic is extremely “dumb.” A mistake people make, which the GP comment seemed to, is that it stops bots dead.
I think it depends on how determined the actor is. I see all the range from your simple scripts to full-on mimicking real user behavior that I can only really spot from the honeypots they hit.
You'd probably catch most of the low-hanging fruit for sure, but you would cause friction for real users.
I say this as someone who has enabled captcha on some of our more critical endpoints; there's definitely a place for it.
My website's contact form has a reCAPTCHA and it still gets spam sent through it (though vastly less). They pass the reCAPTCHA somehow. My contact form literally only emails me and they still do it.
https://2captcha.com/