We recently upgraded the Atlassian intranet to a pre-release build of Confluence 2.2. In the spirit of eating our own dogfood, we turned on the new CAPTCHA support, even though it's completely unnecessary on a private wiki. This led to the following internal email conversation:

Jonathan

Captcha on page create is INCREDIBLY ANNOYING. They're very easily mis-interpreted. I am generally pretty good at this sort of thing, and I keep getting words wrong.

Tom

Hi, Jon.

Looking at the 'engines' jcaptcha uses they are all pretty tough. Perhaps we need to find an easier one.

Jonathan

Wow. No kidding. Those are hard.

Generally, I vote for the ones that use real words instead of random-pseudo-word-like-things. The brain is pretty good a filling in the blanks to construct words -- in fact, people often read just by recognizing the shape of a word. However, if you have a word-like shape that's not actually a word all of that hard-wired, human-specific reading ability goes for naught.

Matt

Using real words means you can use an automated dictionary attack (or OCR combined with dictionary), thus rendering it useless.

Personally, I'm in favour of a variation on kitten-auth called 'hoff-auth'. I'm sure Jens can provide us with enough pictures.

(kitten-auth is a form of CAPTCHA that presents the user with nine photographs, and requires the user to click on the three that contain kittens. You can find a demo here.)

Jeremy

I second that suggestion! The customers will love it. ;)

I can see the caption now: "Click 3 pictures of the sexiest man alive to submit"

Tom

And all of the pictures which weren't the Hoff would be Chuck Norris

Matt

That makes sense. Noone clicks on Chuck Norris and lives.

Chris

I'm sorry but nine pictures of the Hoff and Chuck Norris together would be too much Awesome for any application.