Hand on my heart: I've been in a very secure (national security) facility and witnessed someone struggling with Google's captcha thing for hours. They were trying to make a change in a system used for soldier's flights. 200+ Accounts needed a single number swapped on a form. 200+ google captures to solve. Nothing is as frustratingly pathetic as someone in uniform, a trained soldier, screaming about whether "traffic light" includes both sides of the hanging light.

Passwords, access cards, biometrics, hardened doors, guards carrying machine guns, rooms without numbers, and on the inside of all that: google captcha.

That's puzzling.

Were they accessing a secure government site that was serving CAPTCHAs?

Or were they accessing a public site from a government facility with browsers that were so locked down that they triggered CAPTCHAs?

The first would be kinda stupid. The second would be funny. Or tragic, I suppose.

Speaking as someone with some military experience, almost certainly the second. Military computers are locked down excessively, often in ways that are actually counter to real security. Policy is reactionary, and is all-too-often simultaneously too narrow and too broad (in orthogonal ways) which ends up impacting usability while not really adding any security.

Wasnt a military site. It was a civilian service's site, not a public site like travelocity, but one biult for use by government agencies.

What is a good alternative? I'm going to be looking I to our login system soon and have been meaning to read about the options

If there is no way for users to spam other users then there is no need for a captcha at all. Just add rate limiting and alerts to see if one user is using too much resources. If your users can disturb each other than the best solution is to make your system invite only and remove invite perms from anyone who is inviting bots or alternatively have some way where users must add other users as friends before they communicate using an external service so for example someone wants to add a friend they send an email with a friend code then you are using the existing anti spam system of whatever external system the user picks.

Maybe none of these are convenient for you but for some websites they work quite well. Invite only communities often have far less trolls and virtually no spam.

Even if this is true, the problem is that Google reCAPTCHA is way easier to slap on anything, and for the few hurdles it imposes it is very effective at stopping bots.

I'm not in a position to decide on a human verification mechanism, but I used to do WordPress and Drupal CMS work as a freelancer. The number of non-technical people setting up their own sites on these platforms vastly outnumbers the people who even are aware of some of the downsides to Google reCAPTCHA. Until the mechanisms you described implementing are as easy as installing a plug-in, Google reCAPTCHA is here to stay.

github has a good one

you can test it by trying to create a new account

its dead simple and looks to be pretty secure

you have to orient an object so that its not upside down

https://octocaptcha.com

EA use a variant of this for their FIFA app and it was legitimately the most frustrating CAPTCHA I've ever tried to solve. They overlaid several objects at the same time in an attempt to make it harder and it took me 9 minutes to solve them all. Example: https://imgur.com/a/x8x4amL

This is definitely easier. While I don't mind reCAPTCHA on many resources, commercial entities which charge money for you to use their products, should try to make the login process as easy as possible and reCAPTCHA isn't one of them, as at times you have to iterate several times of identifying all cross walks or store fronts.

Are there a fixed number of objects?

I'm more worried about the small state space. Even if there are many possible images, randomly guessing lets in 1/8 of the bots. Is there something to protect against this?

i found this but i dont know if it answers your question

https://blog.jscrambler.com/preventing-automated-abuse-with-...

In my experience, email verification gets you 99% of the way there.

Strategically-placed honeypot form fields get you to 99.5%.

I run a site that gets ~1.2 million visitors a month. YMMV.

Not sure you need to make sure the user is human on a log-in form. Just limit the number of attempts per day per account, perhaps with email verification to pass it.

At even small to moderate scales you will end up with legitimate users being locked out of their accounts en masse with this approach.

Well, most log-in forms do not have any captcha, so I wonder how they do it.

Meanwhile in developing nation's captcha work from home schemes are becoming quite common. Where for a few pounds day/dollars/euros a worker at home will identify 1000's of captcha. From my understanding it's popular work as mum's and those at home can do while caring for children.