Originally Posted By: wfaulk
I happen to think that ReCAPTCHA is a great solution. The PoW authors' claim is that it's not difficult to programmatically decode the corrupted text.


There are multiple programs out there to defeat ReCaptcha. Not something I download specifically, but I know one specific program I use as a download manager has a plugin built-in for it, along with plugins for most other captcha variants.

Quote:
But they use text that has already failed to be decoded, because it's text that has failed OCR for a real text. This means that your effort is not going to be wasted, as it's going to help OCR text in an automated turk fashion,


If that's the case, then how does it work? What are they validating the human response against? For any similar Turing test to work, the answer must be known ahead of time to validate the human's input. I always thought ReCaptcha used the first word for validation and the second word as the donation.

Captcha in general is a huge issue for accessibility. ReCaptcha has introduced a spoken word option to try and alleviate this issue, but I think it's useless. I've tried and couldn't understand at all what was being spoken. I've also had to regenerate the words numerous times because even with perfect vision I could not decipher the globs of garbage on the screen. This is a greater problem with some other implementations, especially those that use mixed case and numbers. Both of which are asinine for this type of test.

IMO, this type of Turing test is an engineering-less easy way out that puts undue pressure and discomfort on visitors to one's site. I'm against their use. If you need to protect your site's contact forms or comment forms, use a more clever solution that doesn't involve potentially pissing customers and visitors away.

I'll point out one huge problem with Jeff Atwood's article. He's ignored the facts. Everything he says and claims to be fantasy is actually fact. A sweatshop for captcha could operate on $5 per day, not per hour. Porn-based gateways have been used and are in fact economically feasible. And there are programs out there now to defeat popular captcha implementations. There isn't one program to defeat them all, but unique solutions to each implementation. Choosing not to use captcha is also not due to believing the test is easily compromised - it's not and no one will compromise a custom implementation on a small site. It's about not treating your visitors and customers like douche bags.

After reading the KaPoW site, I'm led to believe the only thing it tests for is a valid JavaScript interpreter in the client browser. And that this test would fail if a spammer were using some script-only connection method to your web host. IMO, that's not failure proof. Further, in the example of the comment system where it evaluates the comment contents and then decides on the strength of the PoW, another hassle. If the comment is decidedly spammy, just don't submit it and put back a message telling the visitor to post something less spammy. Causing the browser to sit crunching some problem for X amount of seconds just seems pointless in this case.

So I agree that a quick test to validate a JavaScript engine is a good painless exercise if you don't tell anyone what you're doing, but the tests that take super-long aren't of any use to anyone IMO.


Edited by hybrid8 (26/01/2010 12:47)
_________________________
Bruno
Twisted Melon : Fine Mac OS Software
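
The adaptive proof-of-work idea debated in the post above, as an added example that is not part of the thread and is not KaPoW's own code: a generic hashcash-style puzzle whose difficulty is bound to the challenge with an HMAC so the client cannot lower it. The spam score, the 8 to 20 bit range, the 120 second lifetime and all function names are assumptions, and `client_id` is assumed to contain no `|`.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # assumption: secret known only to the web server

def difficulty_for(spam_score):
    """Map a hypothetical spam score in [0, 1] to 8..20 required zero bits."""
    return 8 + int(max(0.0, min(1.0, spam_score)) * 12)

def _tag(msg):
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()

def _zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(challenge, counter):
    return _zero_bits(hashlib.sha256(f"{challenge}|{counter}".encode()).digest())

def issue_challenge(client_id, spam_score, now=None):
    """Server: bind the client, issue time and difficulty under an HMAC."""
    ts = int(time.time() if now is None else now)
    msg = f"{client_id}|{ts}|{difficulty_for(spam_score)}|{os.urandom(8).hex()}"
    return f"{msg}|{_tag(msg)}"

def solve(challenge):
    """Client: brute-force a counter (the browser script does this part)."""
    bits, counter = int(challenge.split("|")[2]), 0
    while _work(challenge, counter) < bits:
        counter += 1
    return counter

def verify(challenge, counter, client_id, max_age=120, now=None):
    """Server: one HMAC and one hash, no matter how long the client worked."""
    try:
        cid, ts, bits, nonce, tag = challenge.split("|")
        ts, bits = int(ts), int(bits)
    except ValueError:
        return False  # malformed challenge: fail closed
    msg = challenge.rsplit("|", 1)[0]
    if not hmac.compare_digest(tag.encode(), _tag(msg).encode()):
        return False  # difficulty, timestamp or client field was altered
    now = time.time() if now is None else now
    if cid != client_id or now - ts > max_age:
        return False  # issued to someone else, or expired
    return _work(challenge, counter) >= bits
```

This sketch does not track spent nonces, so a solved challenge can be replayed until it expires; a deployment would record each accepted nonce for the length of the validity window.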