HACKER Q&A
📣 bocytron

Any good FOSS alternative to Google's reCAPTCHA?


Google's reCAPTCHA is everywhere, they seem to have the monopoly of checking if the user's not a robot.

CAPTCHA systems are essential to the web, and it seems important to me to have a (good) FOSS alternative, but I can't find any.

Are all CAPTCHAs closed-source to make it harder for attackers? Am I missing something?


  👤 simongr3dal Accepted Answer ✓
Cloudflare recently moved away from Google's reCAPTCHA to hCaptcha.

Announcement: https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptch...

Discussion on HN: https://news.ycombinator.com/item?id=22812509


👤 vortico
What is your use case? I get exactly 0 spam on my website (of 100,000s of users) by simply writing my user registration page in a nonstandard way that bots aren't familiar with filling out automatically. It uses JS to `fetch()` a custom API endpoint and then redirects to the homepage.

Or for example, a fixed question "What color is the sky?" or something can reduce spam by orders of magnitude relative to nothing at all.


👤 rapnie
Here are some [0] and if your submission is not on there, pls consider PR'ing it. OP is right, we need more alternatives.

[0] https://github.com/ZYSzys/awesome-captcha


👤 web007
Do you need a CAPTCHA? Or do you need to slow down / stop spammers? Consider hashcash [1] instead of CAPTCHA if #2 is your goal. It can be used in any place where real users interact with your site at almost zero effort on their behalf, and can slow down spamming enough to make you an unattractive target.

I have a terrible / incomplete / janky proof-of-concept version at [2] that you could build from, or you could find one that was built for your CMS / language du jour.

[1] https://en.wikipedia.org/wiki/Hashcash

[2] https://github.com/007/hashcash
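
The hashcash idea from the comment above, as an added example (not part of the post and not the code from the linked repository): the server issues a signed challenge, the client burns CPU to find a counter, and the server verifies with one hash. The stamp format, `BITS`, `MAX_AGE_MS` and all function names are assumptions; in a browser the `mint` step would run client-side with Web Crypto.

```javascript
// Added example: hashcash-style proof of work for a form post. Simplified stamp
// format with SHA-256 (classic Hashcash uses SHA-1 and its own stamp layout).
const { createHash, createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

const BITS = 12;                     // assumed difficulty: about 4096 hashes on average
const MAX_AGE_MS = 5 * 60_000;       // assumed challenge lifetime
const SERVER_KEY = randomBytes(32);  // per-process secret that authenticates challenges
const spent = new Set();             // redeemed challenges, for replay protection

const sha256 = (s) => createHash("sha256").update(s).digest();
const sign = (s) => createHmac("sha256", SERVER_KEY).update(s).digest("hex");

function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// Server: "resource:timestamp:nonce:mac" (resource must not contain ':').
function issueChallenge(resource, now = Date.now()) {
  const body = `${resource}:${now}:${randomBytes(8).toString("hex")}`;
  return `${body}:${sign(body)}`;
}

// Client: brute-force a counter until the hash has enough leading zero bits.
function mint(challenge, bits = BITS) {
  for (let counter = 0; ; counter++) {
    if (leadingZeroBits(sha256(`${challenge}:${counter}`)) >= bits) return counter;
  }
}

// Server: a single hash verifies the work; the other checks stop reuse.
function verify(challenge, counter, resource, now = Date.now(), bits = BITS) {
  const [res, ts, nonce, mac, ...rest] = String(challenge).split(":");
  if (!mac || rest.length) return "malformed";
  const expected = Buffer.from(sign(`${res}:${ts}:${nonce}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return "forged";
  if (res !== resource) return "wrong-resource";
  if (now - Number(ts) > MAX_AGE_MS) return "expired";
  if (spent.has(challenge)) return "replayed";
  if (leadingZeroBits(sha256(`${challenge}:${counter}`)) < bits) return "insufficient-work";
  spent.add(challenge);
  return "ok";
}
```

Entries in `spent` can be dropped once they are older than `MAX_AGE_MS`, since expired challenges are rejected before the replay check.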


👤 tmlee
We are trying out https://www.hcaptcha.com/ in our application.

It's not FOSS, but seems to be a viable alternative to give a go. So far it does the job, though the images load a little bit slower than recaptcha.


👤 tyingq
If you aren't a big target, sometimes just a visually hidden form field that shouldn't contain anything is good enough.

👤 beshrkayali
Previous reCAPTCHA discussion, with some alternatives https://news.ycombinator.com/item?id=20158386


👤 moviuro
What's your threat model? Maybe a CAPTCHA is not your only or not even a good solution. What about blind users? Or users with some other disability?

Think: rate-limit, IP rating/scoring, your own filter on messages, etc.


👤 majkinetor
I just did research a few days back, and there are none that aren't passable with some OCR/tensorflow tech. Anything simple and the question is why do you need it? Anything hard enough for bots not to beat it will also fail many humans.

Add a rate limiter instead and put CF in front or something similar. Way better experience than any captcha.

In case you still want it, here is a solid one:

https://github.com/dchest/captcha


👤 LaurentS
Not exactly answering the question, but I recently used aliexpress.com and their captcha system is super easy: it shows a sliding button like the one to answer a call on a phone. The prompt just asks you to slide it to validate your input. Not sure how it works, but it sure is a much better UX than when I have to spend 3 minutes identifying fire hydrants. Maybe we could make a FLOSS version of it?

👤 zzo38computer
What some wikis do is just ask a question (in text) that you can then type in the answer to (and if you don't know, you can look it up in a book, Wikipedia, Google, or wherever you want to look it up, or ask someone who does know the answer). I think that works much better than reCAPTCHA.

👤 LordHeini
I would say it really depends on your use case.

Let's say you have a comment section on your site where any user can write stuff.

More often than not a hidden field which should not be filled (the honeypot method) and a spam filter gets the job done no problem.

For registrations it can be more problematic because the spam filter does not work that well.

I have yet to find a good alternative to commercial captchas as well but rolling your own solution is possible.

And probably even the best idea because if every site has its own weird system it would make the life of bots quite hard.

In the end a dedicated attacker can always hire people to fill the captchas and circumvent any system for an astonishingly low amount of money.
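
The low-tech checks several commenters describe (a hidden honeypot field, a fixed text question, and a per-IP rate limit), combined into one server-side screening function. This is an added example, not part of any post; the field names, limits and sample submissions are assumptions constructed for illustration.

```javascript
// Added example: screen one form submission with the simple checks from the
// thread. Field names, limits and sample data are constructed assumptions.
const HONEYPOT_FIELD = "website";  // hidden via CSS and aria-hidden; humans leave it empty
const QUESTION = { prompt: "What color is the sky?", answers: ["blue"] };
const WINDOW_MS = 60_000;          // sliding window for the rate limit
const MAX_PER_WINDOW = 5;          // submissions allowed per IP per window
const recent = new Map();          // ip -> timestamps of recent submissions

// Sliding-window limiter: keep only timestamps inside the window, then count.
function rateLimited(ip, now) {
  const hits = (recent.get(ip) || []).filter((t) => now - t < WINDOW_MS);
  hits.push(now);
  recent.set(ip, hits);
  return hits.length > MAX_PER_WINDOW;
}

// Tolerate case, surrounding whitespace and punctuation in the typed answer.
function answerMatches(input) {
  const norm = String(input || "").trim().toLowerCase().replace(/[^a-z ]/g, "");
  return QUESTION.answers.includes(norm);
}

// Order matters: every attempt is counted first, so failed guesses are throttled too.
// Returns "ok" or the name of the check that rejected the submission.
function screenSubmission({ ip, fields }, now = Date.now()) {
  if (rateLimited(ip, now)) return "rate-limit";
  if (String(fields[HONEYPOT_FIELD] || "").trim() !== "") return "honeypot";
  if (!answerMatches(fields.answer)) return "wrong-answer";
  return "ok";
}

// Constructed sample submissions (documentation IP ranges).
const human = { ip: "198.51.100.7", fields: { comment: "hi", website: "", answer: " Blue. " } };
const bot = { ip: "203.0.113.9", fields: { comment: "buy", website: "http://spam.example", answer: "x" } };
```

When the honeypot trips, responding as if the post succeeded gives an automated submitter no signal about which field gave it away.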


👤 false_kermit
I just want a version of captcha that isn't tied to my google account. This is particularly an issue on anonymous message boards like 4chan. If google wanted to, they could tie pretty much every 4chan post to a google account.

👤 nerdbaggy
Problem is CAPTCHA is a hard problem to solve nowadays. It’s not like before when you can just display an image and ask what the letters are. It takes machine learning, lots of training data, etc.

👤 ParadisoShlee

👤 three_seagrass
Latest reCAPTCHA isn't even detectible. It runs in the background of the browser and gives predictions for bot traffic.

The days of reading images as validation are going to be one of those "remember when" moments on the internet.


👤 bjoli
It is not really a captcha, but I used email for people to submit comments to my website. You could rely on a third party mail provider for filtering, which would make it even simpler.

👤 flatiron
I wonder what all those darkmarkets use. I assume they are pretty resilient!

👤 econcon
Cloudflare should run a captcha service and not sell the data acquired as such.

Data can be used by their ddos protection scheme but that's all about it, not to be sold to advertisers or other firms.


👤 modzu
captcha is the cancer of the web