bad, worse, worst, CAPTCHA, reCAPTCHA

Think what you will of Google products. I personally try to avoid them for privacy reasons.

But there’s that one Google product that is at the same time the crappiest and most ubiquitous Google product ever conceived. It’s called reCAPTCHA. The stated intent of CAPTCHAs, and allegedly also of reCAPTCHA, is to tell humans apart from bots. Any needy third-party website not afraid of the internet search giant (aka privacy black hole) and lacking the creativity, expertise or time to come up with alternatives that work for real humans will slap some reCAPTCHA crap onto their website … of course embedded in an iframe, because those are oh-so-modern (like 1990s-modern or something funky like that).

How does it tell humans apart from bots? Well, in the past you were told to read some garbled up text and were allegedly helping Google with OCR of some books they had scanned into digital form. But these days reCAPTCHA is all about figuring out mountains, rivers and lakes, buildings, store fronts, street signs or similar stuff from photos.

Alas, all of the stuff these “geniuses” at Google ask about is culture-specific. I am supposed to tell apart a store front from a house front on which glyphs are plastered that I can’t read, let alone understand.

Suddenly towers and churches are no buildings according to Google. How am I to tell a lake from a river if you show me just a single shoreline? Oh, and of course they won’t tell you if you failed. As a human you may just as well stop after trying to solve the fifth reCAPTCHA dialog, or check the audio version to receive the confirmation that you have been (wrongly, but very confidently) recognized as a bot.

Wow. Just wow. It’s running the gauntlet with that piece of bovine feces. It fails at the single thing it’s meant to do, which is to tell computers and humans apart.

I have wasted so much lifetime with this crap, so I hope some Google folks run across this some time in the future or perhaps some of said third-party website owners looking for something better than the ridiculously stupid reCAPTCHA method. But I won’t hold my breath. Especially given that Google dropped their original motto “don’t be evil” and wasting other humans’ lifetime clearly has an ethical component to it.

That said, here’s a method I’ve been using successfully for quite some time for sign-up and sign-in forms. You need some piece of data from the client; the IP, for example, will do. You then also need some salt value. Mix and match as needed, and be creative. Just be aware that if you use the current time/date with this method, you – well, actually your users – may run into issues around midnight.

Now take the name (or ID, respectively) of a form field together with your selected piece of client data, your salt and anything else you deem reasonable, and send it all through a cryptographic hash function. Then prepend something like z_ to the hash. This ensures that the HTML element ID is valid. The more form fields you treat this way, the better. If you can treat other elements on the website as well, it will make it nearly impossible to determine the name/ID of a form field without rendering the page first and effectively “looking” at it (which is harder to do for bots). Admittedly, if bots get clever one also needs to randomize the order of the form fields.

Now when the user submits, the receiving script knows which names/IDs of form fields it is looking for. It has the same circumstantial information about the client (e.g. the IP) and it knows the details about the salt. So it can recompute the field name under which to look for a particular value. You can even obfuscate parts of the URL used for the submit using this method.

This, along with easy puzzles like “what is three times two as an integer?”, will go a long way toward preventing the most obnoxious automated and human spam. And yet it’s solvable independent of the culture you hail from.
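As an added example (not the post’s own code), here is a minimal Python implementation of the hashed field-name scheme described above: the z_ prefix, a per-client field order, the easy arithmetic puzzle, and a fallback that also accepts the previous day’s names to handle the midnight problem. The salt, the client IP and the logical field names are constructed values.

```python
import hashlib
import hmac
from datetime import date, timedelta

SALT = b"example-salt-change-me"  # constructed secret; load from config in practice
LOGICAL_FIELDS = ("username", "password", "puzzle")  # fields the handler expects


def obfuscated_name(logical, client_ip, day, salt=SALT):
    """HTML name/id for a logical field, for one client on one day (ISO date).
    Client IP, logical name and day are mixed into an HMAC keyed with the salt,
    so the name is stable for that client that day but not derivable without it.
    """
    msg = f"{client_ip}|{logical}|{day}".encode()
    digest = hmac.new(salt, msg, hashlib.sha256).hexdigest()
    return "z_" + digest[:24]  # z_ keeps the id valid (ids must not start with a digit)


def field_map(client_ip, day):
    """Obfuscated name -> logical name for one client and one day."""
    return {obfuscated_name(f, client_ip, day): f for f in LOGICAL_FIELDS}


def render_form(client_ip, day):
    """Render the inputs; sorting the hash-derived names yields a field order
    that differs per client, so bots cannot rely on field position either."""
    names = sorted(field_map(client_ip, day))
    return "\n".join(f'<input name="{n}" id="{n}">' for n in names)


def submission_for(client_ip, day, values):
    """What a browser would send for logical values from a form rendered on day."""
    by_logical = {v: k for k, v in field_map(client_ip, day).items()}
    return {by_logical[f]: v for f, v in values.items()}


def decode_submission(form, client_ip, today):
    """Map submitted parameters back to logical names.
    Yesterday's names are accepted too, covering the midnight case the post
    warns about: a form rendered at 23:59 still decodes when sent at 00:01.
    """
    today_d = date.fromisoformat(today)
    for d in (today_d, today_d - timedelta(days=1)):
        names = field_map(client_ip, d.isoformat())
        decoded = {names[k]: v for k, v in form.items() if k in names}
        if len(decoded) == len(LOGICAL_FIELDS):
            return decoded
    return None  # unknown or guessed field names: treat the request as a bot


def puzzle_ok(answer):
    """The post's culture-neutral puzzle: 'what is three times two as an integer?'"""
    return answer.strip() == "6"


if __name__ == "__main__":
    ip = "203.0.113.7"  # constructed sample client address
    print(render_form(ip, "2024-03-01"))
    sent = submission_for(ip, "2024-03-01", {"username": "alice", "password": "pw", "puzzle": "6"})
    print(decode_submission(sent, ip, "2024-03-02"))  # still decodes the morning after
```

A request whose parameters use the plain logical names, or names derived for a different client IP, decodes to None and can be dropped before any password check runs.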

I wish upon every Google engineer having “contributed” to reCAPTCHA to have as many boring and futile tasks in their daily routines as possible for the rest of their lives. Just as a payback for all the human lifetime they wasted worldwide and are wasting as of the time of this writing.

// Oliver

This entry was posted in EN, Opinion, Thoughts.

23 Responses to bad, worse, worst, CAPTCHA, reCAPTCHA

  1. Christian says:

    Well, in the early days of captchas, captchas were also intended to decrypt texts in books that could not be completely read by machines. However, these days are over and nearly all books can be read by machines more accurately than humans can do. So nowadays, the old captchas are just for making humans angry 😀

    I must say that I really like the ‘I’m not a robot’ checkbox captchas (https://www.google.com/recaptcha/intro/) . Just browse the page and usually a click on the checkbox is all you need. Of course, google collects all your actions to find out if you are human. Well, it does this anyways. Still, sometimes I must do these puzzles, and of course, you never find out if it was correct, or why you had to do two or four of them. At least I don’t have to give a blood sample….yet.

    https://nakedsecurity.sophos.com/2014/12/05/i-am-not-a-robot-google-swaps-text-captchas-for-quivery-mouse-clicks/

  2. Oliver says:

    I always thought the OCR was more of a useful side-effect rather than the primary purpose. But I’m aware of that. Although the logic behind it seemed flawed. Because in many cases I was convinced to have picked the right “translation” and yet failed the test.

    As for these I’m not a robot CAPTCHAs, that’s exactly the kind I mean. If you are concerned about your privacy, after clicking to check that checkbox you’re being subjected to a whole bunch of these image CAPTCHAs. Perhaps if you use Google’s other services and have whitelisted their servers anyway, you won’t notice. But I am avoiding Google services and reCAPTCHA is about the only thing I ever get to see from them. But it also means whenever I see the I’m not a robot CAPTCHAs, I know I have to solve some. Sadly you often don’t even get to see them when using a broadband content blocker (uMatrix and uBlock Origin come to mind) and if the third party website didn’t include some extra hint, you’ll simply see a login form without a hint that some CAPTCHA needs solving. Because reCAPTCHA is embedded as an iframe.

    And what’s worse, it’s the one thing that you usually can’t avoid since it blocks the access not just to some Google services, but to the third party service I was trying to access when reCAPTCHA interfered.

  3. John says:

    I hate re-Capture with a vengeance. I’ve taken to using the sound version if offered the chance where it says numbers in a freaky foreign way. You know when it ends because there are 10 numbers. But that sucks too. If it fails to provide a number, and you refresh, it thinks you are a bot and sends you to its help on a web site. Everything google touched it f***s up. youtube is a prime example.

    I urge website makers, if you want to prevent bots and things use something other than re-capture, and avoid anything google. It sucks.

  4. Paul says:

    Today when trying to buy a bundle of games from the Humble site I had more than ten pages of “click the boxes that contain traffic signs” and the alternative that asks you to click the ones containing cars. Whilst I accept that I could have got some wrong I do not accept that I could have got more than ten wrong. These things are driving me mad, I thought I had mastered them usually only getting one or two recently, until today.
    My main issue is that I have in the past given up and taken my hard earned elsewhere to spend, so doesn’t that mean they do not work, are not fit for purpose?
    Apart from the usual “are the signposts a part of the sign” question I don’t see any difficulty in being correct, but I suspect that is not the only criteria you need to fill. Are they assessing the way the cursor moves or something like that?

  5. Oliver says:

    Indeed the movement of the mouse cursor is supposedly one of the inputs they use for their assessment. Since they’re routinely wrong, however, I think we can confidently state that Google fails at the one purpose a CAPTCHA has to fulfill: telling apart human from bot automatically.

  6. Guy Gardner says:

    The latest vanishing images click roads and cars is most horrible. I never get a captcha that does not involve a dozen skips, then 2-3 sets of vanishing images then more skips despite a verify image exercise. The click images usually have very poor quality unidentifiable crap. It’s punishment. It’s slow to load and at times hangs up and forces refresh. Just 1 Verify exercise with 3 image clicks is enough to do, why need more crap?

  7. Pom Fritz says:

    All is said here. This G00gle captcha is a total failure! An unusable crap! And a shame for webmasters using it!

  8. Paul says:

    I regularly buy books and games from the Humble Bundle site because of the superior quality of their bundles compared particularly to other games bundle sites and the % of their profits going to charity. After one particularly bad captcha event (10, yes 10 captchas and then I gave up as mentioned in my earlier post above) I emailed their customer services asking if anything could be done about it including this sentence “because of this on at least three occasions I have bought my game from the steam store instead, the couple of quid I save by buying from you is just not worth the hassle of going through these captchas). I’m not claiming that it was as a direct result of this but the captchas stopped a week or so later and none since. Let these sites know that it is affecting their profits and they will pay attention.

  9. Guy Gardner says:

    I get punished on gaming sites with 2 dozen unending captchas, a dozen skip steps, then vanishing images, then again a skip step, then logouts……..It’s a punishment. Same shit to login, then claim something………….

  10. idriss says:

    Google reCAPTCHA is my worst nightmare, sometimes I ask myself if there is something wrong with me, am I transforming into a terminator or what, it’s a shame for a website to use this torture method, it’s a waste of time, I’ve had enough seriously

  11. evandit says:

    Hmm, I think someone that created it is crazy enough to make us crazy

  12. torif says:

    Yayyy…..and phew, finally, I know I’m not alone – I mean seriously, I was starting to ask myself what exactly is a street sign…or a car…or whether I’m actually starting to lose it…..but I’m not. Phew.
    #captchasucks

  13. needed2rant says:

    Recaptcha must die! What was once a noble goal to decipher unreadable text has now been gamified by Google for their ever-growing greed. I’ve been seeing how the ‘me no robo’ type mutated into something outrageous since its inception

    – At first they showed simple static images of simple objects fairly quickly. You needed one or two trials to get them right and then you were done
    – then they started a purposely and painfully slow animation
    – they came after those who browse incognito. Good luck getting through in anything less than 3 attempts
    – then they started gamifying things from street view and Google earth/maps.

    If you regularly clear cookies or use privacy shielding extensions in your browser, you are purposely penalized though big-G knows full well you’re no robo. I’m hoping one day it comes back to bite them.

  14. Hauptgewinn says:

    I’m fed up, because there are several issues which get worse every day:

    1.) I can’t argue back. The dialog wants me to click on street signs, and I have to give in and NOT click on signs in the background and DO have to click on advertizing boards which by no means are street signs.

    2.) If this is about training an AI then the humans are forced to do it wrong. The system does not accept corrections, objections and denials – it has a couple of wrong examples of street signs and just goes on CONFIRMING those bad examples by more of those incorrect decisions.

    3.) It trains humans to act like machines: learn from patterns, disregard exceptions. Shouldn’t it honor us for doing human things instead of punishing us for that? For pointing out that it just asks us something wrong?

  15. zatoichi says:

    Recaptcha serves at least 2 services for google
    1. It provides google with _even more_ analytics with the otherwise unnecessary & intentionally frustrating ‘mouse clicks’
    2. It punishes users for not signing in to google

  16. Oliver says:

    @zatoichi: agreed. Regarding your email address you might want to try 10minutemail.com and even spamgourmet.com … the “requirement” for leaving your email address when leaving a comment is owed to how WordPress works. I don’t care too much. The only added value is when commenters want to subscribe to further comments on the same blog article. Otherwise it’s pretty pointless to ask for an email address.

  17. wijadijw says:

    The saddest part is that Google/Alphabet doesn’t care.
    They don’t care about the user experience at all.
    Best proof here is how they keep raping YouTube.

  18. ketan parmar says:

    Well, I have a few things to tell here. Overall, Google’s reCAPTCHA v2 before was great, but now Google has launched reCAPTCHA v3 which is giving a score of users from 0 to 1. It’s okay, but I am getting a 50-50% ratio, even getting less than a 0.5 score for a legitimate user, and I have tested it on receiving complaints from my site’s visitors and stopped using it.

    Well, the most interesting thing here is, GOOGLE.. let me explain, who is telling everyone to visit which website? (Google search), who is giving you a state of your website? (Google Analytics), who is telling you if your user is legitimate or a bot? (Google reCAPTCHA).. I mean, are you serious? It’s your website and you are acting / dancing the way Google wants you to!? Every webmaster should think on this. And as per my experience, most non-technical users do purchases on websites and they most likely don’t know about computers and everything, and about 90% of users are skipping the page when they get trouble in surfing the website. And Google reCAPTCHA is making that trouble. Just try it yourself, just run your website with a traditional captcha and check the sales / earnings you get, and then run it back using reCAPTCHA and check the sales / earnings, and you will find the difference yourself.

  19. Immer Eisenstein says:

    If approved as an independent study at my university, I’m going to spend the next semester creating a reCAPTCHA alternative that completely vaporizes the diabolical nightmare and its team of sons-of-b*&#$es(read: developers) once and for good. Who the f&*$ has time to play memory-cell match every time an important task is at hand. I just entirely gave up attempting to log into my HULU premium account after three failed reCAPTCHAS (poor example of important task…). In what reality does it make sense to place the burden of proof on the human instead of the bot. Or, you know, we can all comply with GOOGLE’s logic and continue to inconvenience ourselves with increasingly difficult “puzzles” as GOOGLE tries to match the rapid advancement of AI & bot tech. Accordingly, I predict each reCAPTCHA to take on average 11 hours to complete and consume more energy than does the entire nation of Wakanda in a year’s span come August. Again, to reiterate, this downward self-defeating trend will inevitably need to come to an end, there is no possible way that we can continue to pair the growing complexity of bots with an increase of workload for human users. At some point the two have to separate and the focal point will have to be entirely on the bot and not the human. Let us be to do what we already do best; give you money and allow ourselves to be purged from any trace of human privacy rights. Wish me luck, thanks.

  20. Geof says:

    Why would a website go to Google, the largest bot in the world, for a resource to prevent bots? reCAPTCHA is only one of many reasons why ABC and Google are despicable overly powerful corporations abusing their power (I will not get into reasons other than reCAPTCHA as they are not the subject here). Come on! The “product” is almost unusable to people who do not wish Google to track them at all times. Gee, why would someone not want a gigantic creepy advertising corporation tracking him? He must be a robot… They are simply punishing people for having the audacity to browse in a private manner. It has little to do about determining if you are a bot as I can spend upwards of eleven minutes playing their game. How many captchas have I done successfully in that time? Somehow this is not good enough and I am sometimes told that I am a bot and should try later. This is pure punishment as this does not occur when logged into a Google service.

    My SOP on the internet is using either Linux or Windows, Firefox in a private window with uBlock Origin, Ghostery, and when in Windows NoScript (I am yet to see a compelling reason to use NoScript with Linux). I am not logged into Google services and reCAPTCHA does not like this one bit. Probably it is compounded when I am working from home as I use a VPN to access my company’s network.

    That said, I just now successfully completed three reCAPTCHAs in a reasonable period of time (less than 7 seconds). I was using Windows/Firefox/private window/NoScript/uBlockOrigin/Ghostery. Before attempting the reCAPTCHAs I logged into a GMail account and did a couple of Google searches such as “Why is reCAPTCHA so awful?” This very unscientific study shows that perhaps you will not be treated as some sort of an evil person if you sign into a not often used Google account and have some sort of search history. Firefox remembers your private window searches until you close the private window. Then all is forgotten. This might be a workable solution, but what a hassle!

    In conclusion reCAPTCHA blows donkey balls and so does Google.

  21. Peter Higgins says:

    each of the people who designed this should be locked in solitary for ever. They get food for every 200 solved, but with a 2 minute delay if they make an error. They get 1 minute of human contact for every 1000 solved correctly. Luis von Ahn should be fed to ISIS, unless the risk is too high that they will use him to bring down civilisation as a whole.

  22. Peter Higgins says:

    I actually look forward to the multibillion dollar fine the EU gives google for market abuse. I think about USD30 billion would cover my deep hatred of this product.

  23. Pale O'Pterix says:

    Completely agree! reCAPTCHA is the stupidest thing google has ever come up with, no doubt about it. The sad thing is that this piece of absolute retarded shit is up for a few years now and there is no sign anyone “up there” (google, are you even listening?) would even care about the ton of frustration it creates among internet users. I don’t even try now to solve that shit.. I simply refuse to use any website or service that uses it. And from time to time I send a hate mail to the retard called Luis von Ahn who allegedly came up with this crap (probably after a good binge or something, or maybe he was born with a frog brain). I really hope he hangs himself or die in a horrible car accident.
