The Curious Case of the Bizarre, Disappearing Captcha

Captchas have largely vanished from the web in 2025, replaced by invisible tracking systems that analyze user behavior rather than asking people to decipher distorted text or identify traffic lights in image grids. Google launched reCaptcha v3 in 2018 to generate risk scores based on behavioral signals during site interactions, making bot-blocking technology "completely invisible" for most users, according to Tim Knudsen, a director of product management at Google Cloud.

Cloudflare followed in 2022 by releasing Turnstile, another invisible alternative that sometimes appears as a simple checkbox but actually gathers data from devices and software to determine if users are human. Both companies distribute their security tools for free to collect training data, and Cloudflare now sees 20% of all HTTP requests across the internet.

The rare challenges that do surface have become increasingly bizarre, ranging from requests to identify dogs and ducks wearing various hats to sliding a jockstrap across a screen to find matching underwear on hookup sites.

To sliding a jockstrap across a screen

[anoncoward69]

LMFAO. Sniffies plug.

Re:

[Powercntrl]

I haven't seen the jockstrap one, so methinks those invisible tracking systems that analyze user behavior might know something about the author's online habits.

And before someone goes "but aren't you gay?", yeah, I am - but I'm in a committed relationship. So, just like how some of you straight folks grasp the concept of fidelity, I'm not browsing around on hookup sites, and I guess the algorithms truly have gotten smarter. Funny how that works.

Re:

[Powercntrl]

Captchas are usually served by a 3rd party service, so unless the hookup site rolled their own, it's possible it'd pop up elsewhere. If it truly is specific to just one site, then it's just a strange example to include, since it's kinda like saying:

"My kid flushed a towel down the toilet and the plumber I called showed up riding a Bird scooter. Have they given up driving work trucks?"

Nope. That's a strange life experience just for you. The rest of us aren't getting plumbers on rental scooters and jock s

Re:

[apparently]

there's literally nothing in the article saying that it's shown to some users and not others -- how fucking dense are you that you don't understand that the reason it's mentioned is because it's a funny anecdote?

nothing to do with securty

[Anonymous Coward]

In this article and others I constantly see captchas and liveness checks presented as a "security measure". They are not. Scraping and bots are a cost and reputational risk, not a security risk.

I guess presenting it as a security issue makes people more accepting of the inconvenience? Or maybe executives more willing to pay to introduce friction to their sites? weird.

Re:nothing to do with securty

[Comboman]

It was never even about bots that much. Deciphering distorted text was actually training AI to read poorly scanned documents. Clicking traffic lights and bikes was training AI to analyze photographs. AI doesn't need our help for those tasks any more so those "bot tests" have disappeared.

Re:

[omnichad]

Public free CAPTCHAs weren't a charity. It was a win win that they had a way to pay the bills and we got something useful out of it too. I do wonder what we are training when we pass these invisible tests. At this point, it's probably just a way to get a cookie to feed data to Adsense. They do still technically let developers use recaptcha.net instead of a google domain, but this just decouples the data somewhat. It's still being collected.

Re:

[thegarbz]

It was never even about bots that much. Deciphering distorted text was actually training AI to read poorly scanned documents.

Completely one dimensional thinking. No it was exactly about bots. The fact that training AI was something that bots couldn't do was a happy coincidence that efficiently addressed one problem by solving another: Using natural content from the world that machines didn't generate made it intrinsically harder for machines to reverse engineer a result.

The "bot tests" disappeared not because AI doesn't need help, it's that AI became good enough that the bots started solving them. The problem reemerged in a way t

Re:

[arglebargle_xiv]

And the current spate of invisible "CAPTCHAs" are nearly 100% effective at keeping out disabled people using assistive technology, which the human-guessing technology identifies as bots. That's not some random gripe, it's data from people working with assistive technology.

Re:

[omnichad]

fail2ban might be great at blocking a single IP, but botnets aren't just for DDoS, you know. A CAPTCHA might help protect against a distributed dictionary attack.

Also, security means protecting against someone getting access to something valuable. If you think scraping doesn't hurt security, you're not looking at it right.

Re:

[Anonymous Coward]

As yes, the critical necessity of protecting things so valuable you give them away for free to everyone else.

I get that AI scraping is an IP risk, but the way to solve it is with an evolved IP legislation; not expensive middleware that pisses off your "customers" and barely keeps up with the whack-a-mole bot game.

Doomed

[TwistedGreen]

Yes, in case you haven't been paying attention or your Internet browsing is so straight-and-narrow that you've never encountered this... We've evolved beyond text-based Captchas and now have what are essentially browser minigames that try to gauge that you're human. How much of it is just security theater, we don't know, but it's all based on the vain hope that it would be too tedious or expensive to get a bot to solve these en masse. However I'm sure they will all be cracked eventually. The object rotation puzzles I've seen are probably particularly challenging, but not insurmountable.

Re: Doomed

[easyTree]

Pretty soon (if not already) the bots are going to be better at solving puzzles than humans. What then? "Demonstrate your humanity by being unable to solve our puzzle"?

Re: Doomed

[easyTree]

Yes, I'm aware of mouse-movement monitoring but when this can be faked too, what then?

Think of the time before COVID - so much push-back for those who chose to work from a location which suited them; "it's not possible, blah blah, blah" then COVID hits and it's not only possible but mandatory. Of course now we're supposed to forget that it's possible and beneficial in terms of productivity.

So, once we can't distinguish between bots and humans, will bots suddenly be welcome? Will scraping turn into an additi

Re:

[TwistedGreen]

I think the arms race is already over. At this point it's security theater. Sooner than you think, it will be ONLY bots viewing your content, and at that point the question is... who pays for the traffic?

In the future, I can see every packet being signed to identify the billable party. You'll see aggregate charges for every API request that your AI Agent-based browser makes on your behalf, with overages if you exceed the quotas allowed by your monthly fee. You'll never interact with a website directly, exce

Re:

[gweihir]

On the tech-side? Yes. All that stuff can be faked or it will be keeping too many real people out. But these may still help to keep the more stupid bots out.

Re: Doomed

[easyTree]

Not ONLY bots - there'll be the holdouts who want to view the actual web pages not the bot-filtered view. Think antiques fans, users of: VIM, mechanical keyboards, vinyl records, normal toothbrushes.

At the moment, many sites are ad-supported - perhaps the LLM context window will be the new battleground for an automated ad bidding war - perhaps the LLM will take one for the team and sit through the same freaking ad in a foreign language for products no-one (not just the nominal viewer) wants, a million times

Re:

[crgrace]

Good Lord. I feel called out. I just checked and I have 41 vim windows open, and I'm typing this comment on a mechanical keyboard. I also brushed this morning with a normal toothbrush.

Well, actually I don't have a record player or any vinyl (sold all my records in the early 1990s) so you aren't talking to me specifically.

Re: Doomed

[easyTree]

I'm a VSCode user and love the editor.

Judging by the adoration towards (showing ignorance of the difference here) VI/VIM, I've really wanted to grok what the big deal is with them but didn't make it past the entrance to the learning curve :-/

Re:

[crgrace]

A lot of my colleagues love VSCode. The thing about vim is once you are proficient with it a lot of the commands become muscle memory. If you remember the days of vi vs emacs, I tried emacs a few times but kept coming back to vi because of the learning curve.

I learned vi in my first programming class 32 years ago and have been using it ever since. There are some things which are actually faster in vim than a GUI editor, but you have to have the muscle memory.

Re:

[sysrammer]

Heh.

There's a comedian that has a bit about the Harry Potter franchise. He mentions that, while it's wonderful that they get all the classes about magic, what about everything else in the world, like history, math, etc.? He said something to the effect that people in Harry Potter's world don't need magic to lock a door, they just need a math equation.

Re:

[GuB-42]

It is not about making it impossible for bots, it is about making it more expensive than hiring an army of human captcha solvers in a low-income country.

They will be cracked eventually, and I believe that most of them already are, that's why they are constantly changing them. It is a cat-and-mouse game.

Re:

[allo]

Like and subscribe to show you're a human.

PC Master Race?

[Strangelover]

Somewhere between once and ten times per week, Cloudflare decides I'm not human; and Im not allowed to visit some site. Safari on Mac. No need for sterilisation, already unix. :-|

Re:

[Powercntrl]

Somewhere between once and ten times per week, Cloudflare decides I'm not human; and Im not allowed to visit some site.

Every once in awhile I get Cloudflare's delay interstitial, where it has to sit there for a second and think about whether or not I'm human. Sometimes. I feel like I should return the favor by taking a moment to consider whether I'm actually dealing with a machine.

Cloudflare squints at you through a frosted glass pane, whispering, “Hmm human?”
And you, with equal suspicion, glance back at your screen thinking, “Hmm machine?”

We live in strange times.

These Are CAPTCHAS

[omnichad]

In fact, these fit the name even better:

Completely Automated Public Turing test to tell Computers and Humans Apart

Previously, they were only completely automated on one side. Now they are automated for the visitor too. Seems silly to call it something else, though.

Re:

[allo]

But they are no longer turing tests either.

Re:

[omnichad]

Yeah, probably can't work around that without just subbing the word Test for Turing (and the word is already there). The acronym for DVD changed over time too. It's still DVD but went from Video to Versatile.

I don't think it's fair to say that acting alive is a measure of intelligence. Unless you count fine motor skills as a form of humanlike intelligence.

Re:

[allo]

Huh, I thought it was always versatile. Anyway, in the end it mostly tests an authentic browser. Some are just doing proof of work, that doesn't even confirm a browser just a compliant JS/WASM engine and that you're willing to invest some CPU power into visiting the site.

NO THEY HAVE NOT!

[G00F]

There is still tons and tons of captchas going on. Sure, some of those have been replaced with doing a checkbox, but I am seeing captchas as a whole more now than say 5 years ago.

Re:NO THEY HAVE NOT!

[93 Escort Wagon]

I still see captchas too. I'm wondering if a lot of this "post-captcha" stuff is Chrome only, since that browser still supports a lot of end-user-hostile activities while Firefox and Safari do not.

Re:

[AmiMoJo]

Your user-agent being Firefox seems to be a red flag for a lot of these captchas, along with blocking ads, blocking canvas fingerprinting, blocking third party cookies, and basically anything that isn't Chrome's default settings.

Re:

[thegarbz]

There is still tons and tons of captchas going on. Sure, some of those have been replaced with doing a checkbox, but I am seeing captchas as a whole more now than say 5 years ago.

You may be seeing more, but the proportion of captchas is reducing. A vast majority of the time (unless you're acting like a bot using a VPN endpoint) you will see little more than a "verify you are human" notification that disappears as quickly as it showed up and proceeds you to the content. I see that far more than I see captchas, while also acknowledging that I still see a whole lot of captchas.

Be thankful, it could be much worse.

AI Can do them

[gurps_npc]

AI has reached the point where it can do most the CAPTCHA's that we used to test humans on.

So it makes little sense to use them any more.

Yep, under-the-hood works well

[JustAnotherOldGuy]

I use a psuedo-captcha on some of my sites, but I also use a lot of invisible under-the-hood stuff like timing, speed of response, 'special' fake form fields, and few other goodies I won't reveal. All those measures reduce spam to basically nothing. And I mean that literally.

Passing the 'captcha' pretty much requires an actual human operator, and even a lot of those human spammers don't make it through. I know because I look at the logs, and it's working damn well, with a literal 99.999%+ success rate.

The bots never, ever make it through because they don't have human eyes, which works against them nearly every time- they can't decipher the HTML-trickery to see what a human sees, so they fuck up and fall into the pit every time.

Re:

[AmiMoJo]

How many visitors does it cost you? I often just close sites that demand a captcha, they aren't worth the effort.

Re:

[JustAnotherOldGuy]

How many visitors does it cost you? I often just close sites that demand a captcha, they aren't worth the effort.

Very few from what I can tell. The vast majority that pass the captcha go on to do actual, legit stuff on the site. They create entries with valid info and reference relevant services that exist. (The legit traffic isn't overwhelming so I can check each one to see if it's bogus or not.)

The nice thing about my captcha is that it's very simple for a human with eyes to pass it, but even simpler for a bot to fail it. No misshapen numbers and letters, no photos to interpret, no slide-the-puzzle-piece tests. For

Wish it were true

[Anonymous Coward]

In the last couple of weeks Google Images has started throwing up CAPTCHAS while scrolling through the search results.

Recaptcha is garbage

[Spazmania]

Turnstile hasn't turned on me yet but Recaptcha is utter garbage. It get the "pick the boxes with these things" one regularly. And when I pick the things it tells me I picked wrong. And again. And again. Google's quality control is... non-existent.

Re: Recaptcha is garbage

[alantus]

That's what a bot would say.

Re:

[Spazmania]

More likely it's the bots that trained google with the wrong answers. I wouldn't be surprised if Recaptcha is more likely to find a bot correct than a human.

I still see them far too often.

[samdu]

I wish captchas were a thing of the past. I run across them routinely. Had one presented on X yesterday and GOG regularly makes me "solve" one. The GOG ones are terrible. They are of the "click on all photos with a crosswalk/bus/bicycle" variety. And you run into issues like, "do they consider that a bus or not?" or "I can't quite make out whether there's a crosswalk at that corner or not because it's not 100% clear." And don't get me started on the ones with a photo broken down into a grid and you have to click on all of the panels that contain a bus (what's the fascination with buses???). Does that mean that if there's a single pixel that has part of the bus' bumper on it is a panel with the bus in it? The worst.

Re:

[sysrammer]

I too would wonder at those ambiguous pictures and waste cycles trying to decide. I finally wised up after my upteenth attempt to do it right but getting rejected, even if the pics were unambiguous. I took to clicking vaguely a few times in the general area of the items that they were looking for, then "ok". It would reject it, as usual. I would do the same thing a second time, where it would then allow me to proceed.

Ofc, I imagine this means that there is an entry, somewhere in my profile in the metanet, t

Re:

[PaddirN]

By far the worst one I've ever encountered is on Roblox. I have a parent account for my kids and whenever they inevitably have account problems I absolutely hate it and usually have to do a captcha for something or other. It's something like 10 really annoying captchas that you actually have to take some amount of time on. Half the time I quit out because I'm in a hurry and didn't realize I needed to dedicate that much time on it. That probably makes it more secure than any other site, but my kids still cla

Re:

[Anonymous Coward]

I do Teams meetings with another organization. They have the captchas turned on for all non-members. It is insanely annoying to have to type a seven symbol thing while rushing to a meeting and then failing about 1 in 10. I'm logged into Teams too! They told us they'll only turn it off if our organization signs a memorandum of understanding with theirs about this one stupid issue.

This sucks big time

[dwater]

They are a significant hurdle that needs to be jumped in many web sites and apps. For example, Microsoft Copilot uses Cloudflare and it challenges me almost every time I attempt to use it, and, often, it only does so in the middle of me entering a prompt...crazy irritating.

ORLY

[Suripat]

Largely vanished? There's not a single day I don't have to fill at least some 10 different websites's Captchas.

not so sure

[groobly]

I've been seeing many more find a bus captchas lately, after seeing none for years.

Have not encountered a puzzle captcha for months.

[Fly Swatter]

The most I ever see now is the little 'please wait while we verify you are human' and if that fails for whatever reason it then shows a checkbox 'click here to prove you are human'. I use adblockers as much as I can.

These I don't mind, even if it's a bit insulting. But such is the current web 3.0 or whatever the inventor calls it now. BTW his invention has devolved into a mess.