Why Captchas Are Useless: A Reality Check
reCAPTCHA: Security or Illusion?
Did you know that 13 million websites use reCAPTCHA? (Thanks, builtwith.com). It’s the go-to anti-spam tool, and website owners generally think it’s doing a great job. But is it really that hard or costly to break it and swamp a competitor’s support system with spam?
Well, I spent $10 on hacking services so you don’t have to. Spoiler alert: It was ridiculously easy.
The Fort Knox That Isn’t
Google’s reCAPTCHA comes in two flavors: the older reCAPTCHA v2, which makes you solve puzzles, and the newer reCAPTCHA v3, which tries to detect bots automatically without bothering you.
Surprisingly, only about 1.3 million websites use reCAPTCHA v3—just 10% of the reCAPTCHA pie. Why? Because it’s about as effective as a chocolate teapot. According to DataDome, fooling reCAPTCHA v3 is easier than convincing a dog to eat bacon:
“We created a Headless Chrome bot, used the Puppeteer extra framework to forge its fingerprint, and had it screenshot its reCAPTCHA v3 score. It achieved a nearly ‘human’ user score of 0.9: a perfect intruder.”
Source: DataDome
So, breaking reCAPTCHA v3 is so simple you could do it with open-source tools like Puppeteer. But let’s focus on the more popular and seemingly tougher reCAPTCHA v2.
Calling in the Hackers
Breaking reCAPTCHA v2 is tougher since it uses visual puzzles. A quick search for “anti-captcha service” led me to anti-captcha.com, which promises to crack Captchas from various providers, including reCAPTCHA. For about $0.95 - $2 per reCAPTCHA v2 solution, I was ready to give it a go.
I signed up, bought $10 in credit, and implemented their example code. In 15 minutes, I had a working setup breaking reCAPTCHAs. The only hitch? A 3-minute wait for each solution. But running several jobs in parallel got me at least 10 requests a minute.
Now, I could open 10 spammy support tickets a minute on competitor websites. At $0.0015 per Captcha solution, sending 10,000 spam messages would cost about $15. Not bad for potentially crippling a competitor’s support system with 10,000 tickets in about 16 hours.
They even offer browser extensions to bypass reCAPTCHA automatically, no coding needed.
Update: There’s an even simpler way to crack reCAPTCHA v2—using speech recognition to solve reCAPTCHA audio challenges. This method can be implemented locally, as open-source speech recognition tools are readily available (such as Whisper). Check out the Buster browser extension for an example of how this works.
Small Protection, Big Frustration
reCAPTCHA offers only moderate protection against spam and abuse. The newer reCAPTCHA v3 is limited, which is why many website owners stick with the older reCAPTCHA v2.
But with services capable of cracking reCAPTCHAs, even the older puzzle-solving method is easily bypassed with minimal resources.
While reCAPTCHA’s protection capabilities are moderate, its power to frustrate users is off the charts. Visual puzzles create unbreakable barriers for visually impaired users and often challenge everyone. The real question: Does it make sense to use these methods for spam protection when they don’t work well and only create user obstacles?
Even Google realized this, hence reCAPTCHA v3’s attempt to eliminate these barriers. However, Google’s automatic bot detection approach can be considered a failed experiment.
A Smarter Alternative
Enter ALTCHA, an accessible and privacy-first alternative to Captcha and visual puzzles. ALTCHA doesn’t distinguish between humans and bots. Instead, it introduces complexity using a proof-of-work mechanism.
Proof-of-Work
ALTCHA’s core principle is its Proof-of-Work mechanism, an accessible and invisible method of verifying capable devices. It’s comparable to reCAPTCHA v3 in accessibility. From DataDome’s tests, bypassing reCAPTCHA v3 is easy without computationally-heavy methods. In contrast, ALTCHA’s PoW requires significant computational power, slowing down bots and making ALTCHA more effective.
Here are some benchmarks:
| Device | Performance | Time to Solve |
|---|---|---|
| MacBook Pro M3-Pro (2023) | 3 ops/s | 0.33 sec |
| iPhone 12 mini (2020) | 1.2 ops/s | 0.83 sec |
| AWS EC2 (c6a.xlarge) | 1 ops/s | 1 sec |
| Samsung Galaxy A14 (2023) | 0.4 ops/s | 2.5 sec |
| AWS Lambda (1GB) | 0.12 ops/s | 8 sec |
These benchmarks measure 100,000 SHA-256 cycles on consumer devices and AWS cloud instances. The number of operations per second indicates how many ALTCHA challenges the device can solve per second while using 100% CPU.
This shows that cloud servers are underpowered compared to modern consumer devices. Bots typically run on servers, not consumer devices. The AWS EC2 instance (c6a.xlarge) in these benchmarks costs $127 a month—expensive and inefficient for this task. On AWS Lambda, it takes about 8 seconds to solve a challenge. (Benchmarks executed using the JS library.)
One operation per second might seem good, but it means 100% CPU utilization for the whole second. It’s like when your computer freezes for a second, and you can’t do anything. For a bot trying to send spam at scale, this is a problem. But for a real user, it’s nothing.
Test the performance of your device
It’s easier to grasp complexity when it’s translated into dollars and cents. Let’s take a look at AWS Lambda, a popular and cost-effective runtime for spammers. Normally, a typical contact form without any spam protection (or with reCAPTCHA v3) processes in under 300 milliseconds. That’s also the time AWS charges for when using Lambda to send spam.
Now, let’s throw ALTCHA PoW into the mix. On Lambda (1GB version), computing 100,000 SHA256 hashes takes about 8 seconds. That’s a massive jump in execution time. Here’s the cost breakdown:
| Without protection | With ALTCHA PoW (100k) | |
|---|---|---|
| Execution duration | 300 ms | 8 seconds |
| Cost per 1M executions | $5.20 | $133.36 |
Adding ALTCHA proof-of-work to the form increases a spammer’s expenses by a staggering 2,500%.
In other words, ALTCHA takes spammers from bargain bin to premium prices in no time.
Spam Filter
A crucial part of ALTCHA’s effectiveness is the Spam Filter, which evaluates several factors about the user and submitted data to determine if it’s spam using intelligent approaches powered by natural language processing and machine learning. It’s similar to email spam filters that automatically filter out spam without user interaction.
This spam detector is completely invisible to end-users, ensuring smooth interactions without interruptions. In common use-cases like contact or registration forms on websites, the Spam Filter offers higher protection than reCAPTCHA v2 (or other puzzle-based Captchas) thanks to comprehensive data and context analysis while maintaining a seamless user experience.