[FEATURE] Remove Captcha

[natrius]

Is your feature request related to a problem? Please describe.
Captcha is annoying. There are multiple other ways to combat spam-bots. The question is - did this get implemented "just because" or because it was a growing problem?

Describe the solution you'd like
This article has some ideas on what to do https://datadome.co/bot-management-protection/stop-bots-without-captcha-anti-spam-honeypot/

A regular honeypot-field should be enough to get plenty of spam-bots, of course it will not reduce manual registrations. See https://www.getvero.com/resources/add-a-honeypot-to-website-forms-to-reduce-spam/ or https://wordpress.org/plugins/registration-honeypot/ for example.

So, think of some steps that may be possible to take and include an open source captcha as last resort as well. Start with honeypot form and time-detection for example. That should get rid of a lot of bots without having to use captcha.

[Nonononoki]

Do honeypots even work with open-source? Anyone can just read the source code and determine the correct fields that way.

You only need a captcha when login in with email every 2 weeks, resetting your password and deleting your account.

[natrius]

Thats more captcha than its good :D

Sure, why not? Its just a field of the form thats made invisible to the regular user through various forms. Same colour as the background. Or just display:none or whatever you can think of. You could even make two different one in case one will be missed, because it does not matter and bother anyone when registering. The wordpress plugin i linked is open source as well btw.

[ctlw83]

There are already people manually setting up catfishing accounts with the captcha in place. I'd be careful about making a decision to remove it because bot signups would increase.

Yes, there are other ways to get around it, but for better or for worse, CAPTCHA is one of the more common ones.

[natrius]

Well, this issue is about captcha and bot-accounts. Honeypot forms are a proven possibility to reduce the bot-registration by a high margin. Depending on how the captcha is integrated it would be possible to disable (not remove yet) captcha, integrate a honeypot field and monitor the registrations for a bit.

Honeypot combined with a "that was too fast for a human" would probably plenty enough to get rid of bots.

[ip6li]

For a possible solution see: ip6li@c995bfe

[ip6li]

Captchas seems to be obsolete now because AI solutions are able to solve captchas better than humans can do.

[peterzen]

Maybe a captcha could be added to the signup page and removed from the login?
Bots can currently create accounts - they're unable to make use of them but still spam the DB.

[ip6li]

If my pull request will be accepted I can modify code to make captcha configurable for each page which uses captcha.

[peterzen]

That would be awesome!

[ip6li]

See #310

[Nonononoki]

Currently only password related services require CAPTCHAs. I plan on removing all passwords, and therefore CAPCHAs, see #314. Moving all future discussion there.