[RFC] stop distributing worthless CAPTCHAS in 3.1

[Kamahl19]

It does not matter who ate the Red. I dont understand it anymore, it was some time ago. Of course, the Q is right, but I forgot it. Maybe it was Who did the wolf ate? It does not matter, my point is to use QaA as default captcha and use good Q.

[leschek]

leschek, most difficult picture captcha is also able to broke and it is very annoying for people. Even I with good sight am not able to read many captchas. And reCaptcha is broken, so why should we keep it? I had reCaptcha on 2 my boards and I had 100 bots per day. Totally useless.

I know that good QaA is better than picture captcha (on my forum it's working very well), but I don't think that default QaA would be better than picture captcha. If it is used in phpBB it would be broken soon.

If there are on your forums 1000 spammers per day and 100 of them get through is not so bad to say it doesn't work.

OT ideas - would help to use two different questions/captchas at once, so spambots would have to solve two tasks? Or would be possible to write question into the picture, so user will not have to rewrite what he see on picture, but answer the question written on it and would help it?

[Master_Cylinder]

Kamahl19:
It DOES matter "who ate Red" because that's a good example of a bad Q&A pair if the answer was "wolf" as posted. If the Q was "who ate grandma in the story, Little Red Riding Hood?" then that would be a good pair but that brings us to the problem of making sure the pairs are good or it'll either be broken just like captcha or people won't be able to solve it due to the defined answer actually being wrong.

leschek:
Right, good Q&A pairs *are* better than the regular captchas but how do we make sure that the admins write good pairs? I don't think it's possible and default or random pairs would be broken too.


There has to be a solution for something better but I don't know what it is. I liked the java one because bots aren't going to drag anything with a mouse but the java issue eliminates that one as a default too. Can something similar be done with AJAX? Maybe instead of drag and drop it uses left/right arrow buttons to move the selections? I don't know...

[DavidIQ]

Why would we care if the question is good or not at this point? We are only interested in removing CAPTCHAs that will be broken by bots no matter what the settings are. Arguing about how to prevent an admin from entering a bad Q&A pair does not really belong in this topic.

If Q&A was to be made the default then the simplest thing to do is add it to the initial setup, ask the admin to fill out the needed information, and we leave it at that. Since we love giving people choices perhaps the admin can be presented with the option to use a different CAPTCHA at that point and we just reuse the entire CAPTCHA ACP area for that. Right now we do nothing of the sort. We simply set the default broken image CAPTCHA and continue on our merry way so a change there is really needed.

Further extending the Q&A CAPTCHA to have some built in artificial intelligence should be a separate topic of discussion.

[Master_Cylinder]

Why would we care if the question is good or not at this point? We are only interested in removing CAPTCHAs that will be broken by bots no matter what the settings are. Arguing about how to prevent an admin from entering a bad Q&A pair does not really belong in this topic.

If Q&A was to be made the default then the simplest thing to do is add it to the initial setup, ask the admin to fill out the needed information, and we leave it at that. Since we love giving people choices perhaps the admin can be presented with the option to use a different CAPTCHA at that point and we just reuse the entire CAPTCHA ACP area for that. Right now we do nothing of the sort. We simply set the default broken image CAPTCHA and continue on our merry way so a change there is really needed.

Further extending the Q&A CAPTCHA to have some built in artificial intelligence should be a separate topic of discussion.

To me, we should care because bad Q&A is just as worthless as broken captchas but if *that* is beyond the scope of this RFC, I don't want to hijack it.

You do have a point that it's not for us to hold an admins hand and *make* them use good pairs though.

[Pony99CA]

Rehashing that isn't a bad thing since there wasn't agreement whether the random Q&A would be solvable by bots.

Yes, but if you want to rehash it, there's already a topic for that.

leschek, most difficult picture captcha is also able to broke and it is very annoying for people. Even I with good sight am not able to read many captchas. And reCaptcha is broken, so why should we keep it? I had reCaptcha on 2 my boards and I had 100 bots per day. Totally useless.

I know that good QaA is better than picture captcha (on my forum it's working very well), but I don't think that default QaA would be better than picture captcha. If it is used in phpBB it would be broken soon.

I'm not sure that it would be broken that quickly. How long did it take Xrumer to add a database for Q&A CAPTCHAs? Q&A came into phpBB in 3.0.6, I believe, and the database didn't become available until 2012 or 2013.

And, even if it is broken eventually, so what? Blocking spammers is a cat-and-mouse game anyway, but if we don't do anything, the spammers have already won. As David said, pretty much any bot can get past the default CAPTCHA today. Yes, we may have to do something else later, but that's to be expected.

Further extending the Q&A CAPTCHA to have some built in artificial intelligence should be a separate topic of discussion.

Yes, like that Q&A topic that I linked to yesterday, where that discussion was already taking place.

You do have a point that it's not for us to hold an admins hand and *make* them use good pairs though.

Not exactly. We could have some help text in there to suggest what "bad" questions are and what "good" questions are. In the end, though, the admin is responsible for this.

Anyway, as I probably said here before, I'm for getting rid of all current CAPTCHAs except for Q&A (obviously, which would be the default) and (possibly) ReCAPTCHA (in the hopes that Google can continue to work on it and boards that use it will see improvements automatically if they do). Maybe we could also put a link in the ACP that takes people to additional CAPTCHAs in the MOD DB.

Steve

[emosbat]

this is just an idea. an image captacha should use logic questions within image. a bot can not easily read an scrambled question and then find its answer. this can be very difficult for a bot.

[Kamahl19]

That might be good idea but.. phpBB is widely used. All bots would be updated to break this captcha easily. They would read the instruction and they would know what letters to choose. The problem is that there would be limited amount of colors / shapes so it would be easy to learn the bot to understand this.

[Master_Cylinder]

Couldn't the Sortable CAPTCHA that was mentioned earlier be adapted to use AJAX instead of javascript? I know there is talk of drag and drop re-ordering of forums, custom profile fields and other "sortable" fields so maybe that would work with CAPTCHA too. I don't think that spambots can drag things with a mouse. I can make a "Sortable AJAX CAPTCHA" RFC, if we need to.

Or maybe even just left/right buttons to move the selections if drag and drop can't be done?

[EXreaction]

Ajax is javascript.

It might be possible to use buttons and refresh the page if the users do not have JS support.