A dev initially suggested in the Lemmy GitHub to remove captchas from future releases altogether because “they’re easy to bypass”.

Here’s the thing though, the lemmy.world instance avoided the 10k+ bot signups per day the other instances are currently experiencing simply by activating captchas.

Yes basic OCR easily bypasses them, but the whole point is that you’re forcing the spammer to use it, and it costs CPU resources, meaning that for the same budget the spammer will be able to create FEWER bot accounts, or none at all if he doesn’t know how to automate the use of an OCR. Compare that with the current situation where anyone who followed a Python crash course can easily write a small script doing tens of thousands of automated signups using just the requests module.

Please enable captchas by default in future releases. You can try out other proposed solutions like hashcash too but IMO focus on the low hanging fruit first and make captchas a default in 0.18 already. One barrier, no matter how weak it is, is much better than no barrier at all.

And to those who maintain websites that list instances and rank them by size, you are also contributing to this problem by adding an incentive for bad actors to inflate their own instances. Please either remove that ranking, or remove the spammy looking instances by hand.

Also, maybe change the user count such that only users having clicked on the verification link are counted.
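To make the post's argument concrete, here is an added example of a signup gate (illustration written for this thread, not Lemmy's code and not the poster's): a single-use captcha challenge that expires, an optional hashcash-style proof of work, and a user count that only includes accounts that clicked the verification link. The class, method and constant names, the 300-second lifetime and the 20-bit difficulty are all assumptions; the captcha "answer" is a stand-in for whatever the rendered image would show.

```python
"""Signup gate: expiring single-use captcha, optional hashcash-style
proof of work, and a user count limited to verified accounts.
Added illustration for the thread above; not Lemmy's code. All names
and numbers here are assumptions."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 300        # seconds a captcha / PoW challenge stays valid (assumed)
DEFAULT_POW_BITS = 20      # ~1M SHA-256 evaluations per attempt on average (assumed)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def pow_digest(challenge: str, nonce: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def solve_pow(challenge: str, bits: int) -> int:
    """Client side: brute-force a nonce. This loop is the cost the signup
    pays; the server's check below is a single hash."""
    nonce = 0
    while leading_zero_bits(pow_digest(challenge, nonce)) < bits:
        nonce += 1
    return nonce


class SignupGate:
    def __init__(self, pow_bits=DEFAULT_POW_BITS, require_pow=False, now=time.time):
        self.pow_bits = pow_bits
        self.require_pow = require_pow
        self.now = now                # injectable clock so expiry can be tested
        self._captchas = {}           # captcha id -> (answer, expiry)
        self._pow = {}                # PoW challenge -> expiry
        self._pending = {}            # verification token -> username
        self._users = {}              # username -> verified?

    def issue_captcha(self):
        """Returns (id, answer). The answer stands in for the image text; a
        real deployment renders it into the image and never sends it as text."""
        cid = secrets.token_urlsafe(16)
        answer = secrets.token_hex(3)
        self._captchas[cid] = (answer, self.now() + CHALLENGE_TTL)
        return cid, answer

    def check_captcha(self, cid, answer):
        entry = self._captchas.pop(cid, None)   # single use: a wrong guess burns it
        if entry is None:
            return False
        expected, expiry = entry
        if self.now() > expiry:
            return False
        return hmac.compare_digest(expected, answer.strip().lower())

    def issue_pow(self):
        challenge = secrets.token_hex(16)
        self._pow[challenge] = self.now() + CHALLENGE_TTL
        return challenge

    def check_pow(self, challenge, nonce):
        expiry = self._pow.pop(challenge, None)  # single use as well
        if expiry is None or self.now() > expiry:
            return False
        return leading_zero_bits(pow_digest(challenge, nonce)) >= self.pow_bits

    def register(self, name, cid, answer, challenge=None, nonce=None):
        """Returns a verification token on success, None otherwise."""
        if not self.check_captcha(cid, answer):
            return None
        if self.require_pow and not self.check_pow(challenge, nonce):
            return None
        if name in self._users:
            return None
        self._users[name] = False               # created but not yet verified
        token = secrets.token_urlsafe(32)
        self._pending[token] = name             # would go into the verification e-mail
        return token

    def confirm(self, token):
        """Called when the user follows the verification link."""
        name = self._pending.pop(token, None)
        if name is None:
            return False
        self._users[name] = True
        return True

    def counted_users(self):
        """The number an instance list should publish: verified accounts only."""
        return sum(1 for verified in self._users.values() if verified)
```

The asymmetry the post relies on is visible in the code: `solve_pow` loops on average 2^bits times while `check_pow` hashes once, and a captcha or PoW challenge is consumed on first use, so a script replaying one solved challenge across thousands of signups gets nothing past the first.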

  • PenguinLover@lemmy.ml · 42 points · 1 year ago

    Completely agree, captchas aren’t gonna make it impossible to make bots, but it makes it more complicated. It will force bad actors to invest more time in it. Which will turn some part of them away.

    On a positive note, I think the fact that we see so many bot signups shows lemmy (the fediverse in general) is growing and matters, otherwise people wouldn’t spend so much time and resources to make these bots. All big platforms have these kinds of problems and need to learn how to deal with them.

    • 0xpr03@feddit.de · 5 points · edited · 1 year ago

      yeah it was never about making it impossible, only about making it inconvenient enough that it’s manageable

      • PenguinLover@lemmy.ml · 3 points · 1 year ago

        I was only talking about captchas for account creation. To just log in they would indeed be too much of a hassle.

      • Nadya@kbin.social · 1 point · 1 year ago

        The page is cached and your token expires after a bit. If you read a thread and then spend time typing up a post you’ve likely crossed the threshold. Copying your post and simply refreshing the page is all that’s needed - you shouldn’t have to sign back in again.

      • Ataraxia@lemmy.world · 1 point · 1 year ago

        Weird. I signed up for kbin two weeks ago and went back today and didn’t need to log in. It was still logged in.