LemmyNet / lemmy

🐀 A link aggregator and forum for the fediverse
https://join-lemmy.org
GNU Affero General Public License v3.0

Remove captchas #2922

Closed dessalines closed 1 year ago

dessalines commented 1 year ago

I think it's safe to say bots have pretty much beaten captchas, and they're not very useful for signups anymore. We might as well remove them. Registration applications and email verification are already in place anyway.

Nutomic commented 1 year ago

Sounds good, and saves me a bunch of work because I was moving the captcha storage from chatserver to db.

sunaurus commented 1 year ago

Several instances are reporting mass signups by users with random-number-emails. Anecdotally, I have 0 of such sign-ups on lemm.ee with captcha enabled. It may just be a coincidence, but maybe the captcha is actually acting as at least a small deterrent for low-effort spammers?

dessalines commented 1 year ago

Unfortunately captchas don't stop those signup bots either. We know from experience. They probably have no signup IP-rate limiting on their server, which is causing all the signups.

lflare commented 1 year ago

> Unfortunately captchas don't stop those signup bots either. We know from experience. They probably have no signup IP-rate limiting on their server, which is causing all the signups.

IP rate limits are naive at best. If someone has a simple captcha bypassing mechanism, do you really think they won't have proxies to bypass it? If anything, industry-standard captchas like recaptcha (or hcaptcha) will probably fare better than whatever cursed captcha solution (seriously, some of the words are completely illegible) is already implemented currently.

If anything, having both a good captcha solution, and email verification, will help to alleviate the spam issue at least a couple folds.

maltfield commented 1 year ago

See also this ticket to implement hashcash as a better alternative to graphical CAPTCHAs.

Hashcash is a cryptographically proven method to rate-limit by session, which cannot be bypassed like graphical CAPTCHAs and doesn't harm at-risk users of VPNs and Tor like IP rate limiting.

Please do not implement recaptcha or similar. It would be an abomination for the privacy of lemmy users.
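The hashcash-style flow referred to above, sketched as an added example (not Lemmy code and not from the linked ticket): the server issues a challenge bound to the signup session by an HMAC, the client spends CPU finding a counter whose hash meets the difficulty, and the server checks the result with one HMAC and one hash. The function names, the `session:difficulty:tag` challenge format, the hex-digit difficulty measure and the secret are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strconv"
	"strings"
)

// issueChallenge (hypothetical server side): the HMAC binds the session ID
// and difficulty, so verification later needs no stored state.
func issueChallenge(secret []byte, sessionID string, difficulty int) string {
	body := sessionID + ":" + strconv.Itoa(difficulty)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(body))
	return body + ":" + hex.EncodeToString(mac.Sum(nil))
}

// meets reports whether SHA-256(challenge ":" counter), in hex, starts with
// `difficulty` zero digits (each digit is 4 bits of work).
func meets(challenge string, counter uint64, difficulty int) bool {
	h := sha256.Sum256([]byte(challenge + ":" + strconv.FormatUint(counter, 10)))
	return strings.HasPrefix(hex.EncodeToString(h[:]), strings.Repeat("0", difficulty))
}

// solve (client side): brute force; expected cost is 16^difficulty hashes.
func solve(challenge string, difficulty int) uint64 {
	var c uint64
	for !meets(challenge, c, difficulty) {
		c++
	}
	return c
}

// verify (server side): one HMAC and one hash, however much work the client did.
func verify(secret []byte, challenge string, counter uint64) bool {
	parts := strings.Split(challenge, ":")
	if len(parts) != 3 {
		return false
	}
	difficulty, err := strconv.Atoi(parts[1])
	if err != nil || difficulty <= 0 || difficulty > 64 {
		return false
	}
	if !hmac.Equal([]byte(issueChallenge(secret, parts[0], difficulty)), []byte(challenge)) {
		return false
	}
	return meets(challenge, counter, difficulty)
}
```

A client that rewrites the difficulty in its challenge to something cheaper fails the HMAC check, which is what makes the per-session cost enforceable without tracking IP addresses.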

alyazabirze commented 1 year ago

> If anything, having both a good captcha solution, and email verification, will help to alleviate the spam issue at least a couple folds.

I'd like to second, at least, this. I don't care for CAPTCHAs, and am perfectly fine with them being replaced by something better down the road, but as far as I can tell:

  1. their impact (particularly when accompanied by additional measures such as email verification and an application to approve) is currently non-trivial; and
  2. there are only four anti-spam measures currently in place total including CAPTCHA. the other three are email verification, closing registrations so every user has to apply, and defederation. for instances not like my own (Beehaw) where the standard for entry is intended to be less rigorous and open-to-all, that presents some really obvious future headaches because CAPTCHAs are the most trivial for users.

with that in mind, unless I'm missing something--or until that "something better" I just described is implemented--I think removal is currently a really bad idea. It'll give us fewer options collectively to work with in a time where we need more.

cloventt commented 1 year ago

There is an open issue to bring back captcha: #3200 , I'd suggest posting feedback there rather than on this closed ticket.

ForbodingAngel commented 1 year ago

> I think it's safe to say bots have pretty much beaten captchas, and they're not very useful for signups anymore. We might as well remove them. Registration applications and email verification are already in place anyway.

No offense, but this take is a bit braindead imo. Captchas aren't perfect, that is correct, but they do serve as a barrier.

Consider the Swiss cheese approach to signup security where you have captcha as one layer, email verification as another, and signups as a third.

Individually, each one has holes, but if you put them together, each layer catches things that another misses. Is it perfect? No, but it's pretty damn good.

Don't let perfect be the enemy of good.

dessalines commented 1 year ago

Seconded, let's continue the discussion there.