Joe BananaAug 20, 2023
 -> [email protected]
Great news! Humans are now slower and perform worse at solving Captchas than machine-learning bots!

Article here:
https://arxiv.org/abs/2307.12108
An Empirical Study & Evaluation of Modern CAPTCHAs

For nearly two decades, CAPTCHAs have been widely used as a means of protection against bots. Throughout the years, as their use grew, techniques to defeat or bypass CAPTCHAs have continued to improve. Meanwhile, CAPTCHAs have also evolved in terms of sophistication and diversity, becoming increasingly difficult to solve for both bots (machines) and humans. Given this long-standing and still-ongoing arms race, it is critical to investigate how long it takes legitimate users to solve modern CAPTCHAs, and how they are perceived by those users. In this work, we explore CAPTCHAs in the wild by evaluating users' solving performance and perceptions of unmodified currently-deployed CAPTCHAs. We obtain this data through manual inspection of popular websites and user studies in which 1,400 participants collectively solved 14,000 CAPTCHAs. Results show significant differences between the most popular types of CAPTCHAs: surprisingly, solving time and user perception are not always correlated. We performed a comparative study to investigate the effect of experimental context -- specifically the difference between solving CAPTCHAs directly versus solving them as part of a more natural task, such as account creation. Whilst there were several potential confounding factors, our results show that experimental context could have an impact on this task, and must be taken into account in future CAPTCHA studies. Finally, we investigate CAPTCHA-induced user task abandonment by analyzing participants who start and do not complete the task.

arXiv.org
Aug 19, 2023 at 6:18pmWeb
Show thread -> [email protected]Aug 19, 2023
Some of these gulfs are incredible. The median time for hcaptcha is 25 s, which is over 10 s slower than bots and for a nearly 25 percentage points (at median) difference.
Show threadVeryAug 20, 2023
@yassie_j because hcaptcha is 
Show thread -> [email protected]Aug 19, 2023
The best accuracy of a human (85%, recaptcha click) is the same as the worst accuracy for a bot (recaptcha image). I know that’s not directly comparable, but it just shows how actually useless these tests are becoming. Bots are moving faster than humans can design new tests to fool them.
Show thread -> [email protected]Aug 19, 2023
BTW the funniest part is that the very classic distorted text captcha was completed by the bots SO QUICKLY that the researchers could not actually time them, hence why it appears as “less than 1 second” on this table.
Show threadVox and the Pack Aug 19, 2023
@yassie_j does that mean the end of captcha's is near? That'd be great news honestly.
Show thread -> [email protected]Aug 19, 2023
@alexocado I don’t think so. Not because they’ll get better — but because we’ve been using them for so long that it will be difficult to get out of the habit of using them. The protection they offer now is a paper shield, but who is going to stop using them first?
Show threadjfml - Jonas LaugsAug 20, 2023
@yassie_j @alexocado Also we could now just flip it: you're so good and fast at solving this captcha you're probably a bot. No account for you!
Show threaddabblecodeAug 21, 2023
@jfml @yassie_j @alexocado honestly, I thought a fair amount of how these worked was just that: if you answer / click in a fraction of a second, or even just a few seconds, you must be automated
Show threadPatrikNov 11, 2023
@yassie_j @alexocado I stopped using them on sites I administrate more than 10 years ago. To prevent bots from automatic registration, a simple custom barrier (e.g. „2 plus 6 = …“) performed well enough.
Show threadXerz 💗Aug 19, 2023
@yassie_j welp

guess it's time to stop doing signups, it's been fun while it lasted, everyone
Show threadHaelwenn /элвэн/ Aug 19, 2023
@xerz @yassie_j Well if you relied entirely on captchas for signups your stuff was designed broken.
Because you still need moderation, spam filtering, caching, rate-limits, …
Show threadLudovic Archivist LagouardetteAug 22, 2023

@xerz @yassie_j

The sheer cryptographic cost of logins is making me consider to only use some form of T-OTP or something like that

Most of my game's server resources are just for authentication and it is absolutely maddening

You either make a classic weak auth that is fast secured with a captcha that is worse for humans than for bots (not to mention the ones that color blind or just blind people cannot solve), hard and secure classic auth that is ruinous to run, or annoying T-OTP

Show threadInsane Aug 19, 2023
@yassie_j In reality, captcha is used to train bots. Thus, their higher accuracy rate makes sense. 🤔
Show threadvascorsdAug 19, 2023
@yassie_j why did we really want captchas in the first place?
Show thread -> [email protected]Aug 19, 2023
@vascorsd to stop bots from accessing websites, but uh. Well, now that’s kind of ruined.
Show threadFnord PrefectAug 20, 2023
@yassie_j @vascorsd Will be interesting to see how the net will change, now that bots are finally able to access it. Oh wait.
Show threadRiley S. FaelanAug 19, 2023
@vascorsd Out of anti-robot prejudice. @yassie_j
Show threadLukáš JelínekAug 20, 2023
@vascorsd @yassie_j Captchas often indicate wrong designs.
Show thread Why Not Zoidberg? 🦑Aug 20, 2023
@vascorsd @yassie_j I mean they're there primarily to TRAIN AI so... I guess they are finished now?
Show threadCrystalsAug 19, 2023
@[email protected] @fluffery we have officially no reason to keep forcing people to train hcaptcha AIs
Captcha be-gone
Show threadfluffery Aug 19, 2023
@Crystals fine @[email protected]
Show threadNorm MikotoAug 19, 2023
@yassie_j captchas have outlived their usefulness
Show thread -> [email protected]Aug 19, 2023
@mikoto literal empirical evidence to prove this ❤️
Show threadgrayrattusAug 19, 2023
@yassie_j there is still one thing AI can't do. Future ultimate captcha will ask you to donate 1$ to charity on every login.
Show threadgrayrattusAug 19, 2023
@yassie_j never mind, scammers would probably create scam charities...
Show threadPaul Wilde  :dontpanic_nobg:Aug 19, 2023
@yassie_j I mean this partly as a joke, and partly as a question about the statistics.... but since when has speed of solving a captcha been a requirement of proving humanity?
Show threadDavid RadcliffeAug 19, 2023
@paul @yassie_j The speed is a measure of the cost of solving the CAPTCHA, since computing time is a limited resource.
Show threadPaul Wilde  :dontpanic_nobg:Aug 20, 2023
@davidradcliffe @yassie_j that answers why it is an important statistic for a computer, but I was alluding to why "a computer can solve a captcha faster than a human" would be a useful statistic.
anyway, as I said, it's only bit of a joke, no answer is necessary, you can stand down, no explanation has been asked for or is necessary
Show threadMiles  Aug 19, 2023
@[email protected] Cool, we can get rid of them now
Show threadagatha  Aug 19, 2023
@yassie_j soon the bot detection will be reversed, if it's correct and too fast, it's a bot
Show threadEva ChandaAug 19, 2023
@yassie_j
Soon the internet will be a wasteland of #bots and #AI, scraping websites, acing #Captchas , generating mendacious "content" (as a human writer, man, do I hate that term) based on other AI-generated mendacious content, mining bitcoin, and launching nuclear weapons at the burned and flooded remains of humanity. #AIhype #Bots #CaptchaCatastrophe
Show threadRiley S. FaelanAug 19, 2023

@yassie_j 

Coming next: somebody will claim to have a working Voigt-Kampff Empathy Test.

Ten years later, his unauthorised autobiography will come out, and everybody realises that he himself will not have been having absolutely any empathy at all. Kind of like a reincarnation of Jack Welch.

Show threadIAGAug 19, 2023
@yassie_j @freeplay conspiracy theory: captchas were a way to train machines on text/object/audio recognition
Show threadjake lazaroffAug 19, 2023

@iagondiscord that’s not even a conspiracy theory! it was officially the point of recaptcha: https://en.wikipedia.org/wiki/ReCAPTCHA

@yassie_j @freeplay

reCAPTCHA - Wikipedia

Show threadFrozen Leo ❄️🇺🇦Aug 19, 2023
@iagondiscord Yes but also Google and whoever didn't share the models they trained with those captchas, so the researchers's models would have to be independently derived
Show threadpedro 🍉Aug 20, 2023
@iagondiscord @yassie_j @freeplay conspiracy theory?
Show threadDavidAug 20, 2023
@iagondiscord @yassie_j @freeplay
Not a conspiracy. It's widely accepted fact:
"The original iteration of the [reCAPTCHA] service was a mass collaboration platform designed for the digitization of books, particularly those that were too illegible to be scanned by computers."
https://en.m.wikipedia.org/wiki/ReCAPTCHA
https://www.ted.com/talks/luis_von_ahn_massive_scale_online_collaboration
reCAPTCHA - Wikipedia

Show threadIAGAug 20, 2023
@idbrii I figured as much regarding reCAPTCHA (because Google) but I'm referring to all CAPTCHAs
Show threadNicolás AlvarezAug 21, 2023
@yassie_j @freeplay @iagondiscord don't captchas predate deep learning?
Show threadIAGAug 21, 2023
@nicolas17 @yassie_j @freeplay machine learning has been around for far longer than captchas
Show thread‮‮‮‮‮‮‮‮‮‮‮‮‮Aug 21, 2023
@iagondiscord @yassie_j @freeplay That's not a conspiracy theory it's just a fact. It is neither a secret or a hidden truth. It was always the case.
Show threadLexxy 🦊Aug 19, 2023
@yassie_j I've been using bots to solve CAPTCHAs for a while. Has reduced the number I've needed to do by a good amount!
Show threadkira :3Aug 19, 2023
@yassie_j The really cool part is gonna be when this creates a feedback loop where the bots solving captchas mistakenly make the same distinctions as the bots evaluating the captchas, causing them to no longer be able to recognize stairs or traffic lights
Show threadKevin Karhan Aug 19, 2023

@yassie_j In fact, a lot of non-#CAPTCHA - based #bot detection systems use the fact that people - even if they were to copy & paste stuff from Password Managers with keyboard shortcuts will be slower than #bots.

The even go so far as to check if the delay is actually stochastic and not some pre-set & consistent delay like 10240ms per form or 1280ms per field...

Show thread -> [email protected]Aug 19, 2023
@kkarhan I knew you of all people would come in with some interesting tidbit like this, that’s so amusing
Show threadKevin Karhan Aug 19, 2023

@yassie_j I mean I hate #CAPTCHAs as they are #ableist af and don't even work for anything but exclude #blind and #VisionImpaired people.

But since #bots are a problem, I can't just complain about #ValueRemoving #RentSeekers like #CloudFlare without proposing any alternative methods...

Show threadJørnAug 20, 2023

@kkarhan @yassie_j I remember visiting some danish government website to get travel information during regarding COVID.

I was presented with a Cloudflare CAPTCHA.

The CAPTCHA page’s “why is this happening” had more content behind it than the actual informational page being protected by it.

Then what are they protecting against? If it’s too many requests, well they operate a cache don’t they? If it’s against bots, why can’t anyone spider public government information?

Just don’t do CAPTCHA’s.

Show threadKevin Karhan Aug 20, 2023

@jornane @yassie_j +9001%

There are less intrusive methods to prevent skiddies from DDoS'ing a site:
Like rate-limiting the amount of requests to something reasonable like 1 per second for every element.

Even the most impatient F5-masher won't get banned, crawlers won't get blocked and everything works just fine.

Show threadKevin Karhan Aug 20, 2023

@jornane @yassie_j Mind you that said info on said site is vital and may save lives.

And by putting it behind a shitty CAPTCHA it's basically state-endorsed discrimination against disabled users and privacy concious ones like @torproject / #TorBrowser users.

#DontBlockTor

Show threadBobby BallerdAug 20, 2023
@kkarhan @yassie_j I was under the impression that captchas already implemented that as additional verification parameters. Or I am at a non-conscious state 30% of the time, when solving captchas. Or @linuzifer 's #trolldrossel has more widespread usage than I thought.
Show threadjnbhlrAug 21, 2023
@kkarhan @yassie_j what about passwords stored in browser?
Show threadKevin Karhan Aug 21, 2023
@jnbhlr @yassie_j never store credentials in browser - use an external password manager!
Show threadjnbhlrAug 21, 2023
@kkarhan @yassie_j so with a password manager integrated in the browser? Still slower than a bit though...
Show threadKevin Karhan Aug 21, 2023
@jnbhlr @yassie_j same: Browsers are THE main attack surface, so using another password manager that isn't the browser like https://enpass.io is best practise...
Enpass: Secure Passkey & Password Manager That Keeps Your Data On Your Cloud Storage

With Enpass, choose where your passwords and passkeys are secured and synced – on your personal or business clouds (or even offline). Not on our servers

Enpass
Show threadjnbhlrAug 21, 2023
@kkarhan @yassie_j that looks like what I meant: a separate piece of software that plugs into the browser. I'm using keepass, without any plug-in connection to the browser.
Show threadGuillaume RossoliniAug 19, 2023
@yassie_j I thought it had been this way for years already
Show threadCarlos GuerreiroAug 19, 2023
@yassie_j
Show threadHugoAug 19, 2023
@[email protected] This should be the end of the Captchas