views:

3229

answers:

5

I'm looking for a replacement for JCaptcha, which doesn't seem to be maintained any more, and isn't very good to begin with. The replacement has to integrate nicely with JavaEE webapps.

As I can see it, there are three options:

  • JCaptcha - No longer maintained, crude API
  • SimpleCaptcha - much nicer API, nicer captchas, but seems to be Java6 only
  • ReCaptcha - easy to use, uses remote web-service to generate captchas, but not much control over look and feel

Has anyone used any others, that they'd recommend?

+2  A: 

ReCaptcha is the only captcha you should use, because it's the only captcha that makes the world better (improve OCR results to old text), with almost unlimited database.

All other captchas are usually limited by its database, or do nothing good to this world.

Francis
OK, but benefit to humanity wasn't really on my list of priorities :) Also, JCaptcha and SimpleCaptcha generate randomised captchas, so database size is not an issue.
skaffman
All randomized captchas are proved to be easily attacked in comparison to pre-generated databases, that's why almost all good captchas use databases.
Francis
one more thing - many captchas with colorful / rotated backgrounds / lines / images, are too complex for majority user (ex, the famous Cat Number used by rapidshare).recaptcha, on the contrary, is based on real English words so it's eaiser for most people. You won't want to apply a captcha that 90% people will send you the mail saying that "I can't pass the cpatcha)...
Francis
I question the statement that randomized capthas are more easily attacked than database backed captcha. On the subject of ReCaptcha, one benefit is that what it puts in front of the human is a word which a quality OCR implementation has already failed on.
Software Monkey
@Francis: based on english words may be a benefit for english speaking people yes but there are others too. btw. maybe add this link to your answer: http://recaptcha.net/
Chris
+2  A: 

What happens when ReCaptcha is down/unavailable? Does your service simply stop? Do you simply stop signing people up when it's down? Do you allow users to sign up even if ReCaptcha isn't running? If so, what are the security implications of this? Especially if you use CAPTCHA for more than just signup, e.g. reset password forms, login forms, ... which would not be acceptable to use without the CAPTCHA component.

The Java world of CAPTCHAs is in a sad state, with SimpleCaptcha seemingly the best solution for those of us out there that cannot accept a hosted service.

Mike
You make a good point.
skaffman
Come on, do you really think your service is more stable than ReCaptcha, especially when google accuired it? Even Facebook is using ReCaptcha, so don't worry unless you are running a bigger service than Facebook...I still don'think there's any captcha system better than ReCaptcha.
Francis
Google has been down several times before (Not just Gmail, but search as well). If you have your own service, that is only used by you, then you can comfortably say that when your captcha is down, your whole system is down.I do wonder what Facebook would do in the event of an outage - would they have to bare it until fixed? Do they have a backup plan? Is an outage even that important to them? If you provide services more important than viewing who poked you, or you have a SLA requirement, then the solution is not as simple as 'just wait it out'.
Mike
+2  A: 

I created http://kaptcha.googlecode.com before recaptcha became as popular as it is today. It also offers you the ability to host it yourself, which may be necessary in some situations.

Kaptcha is a heavily modified and updated version of SimpleCaptcha and supports JDK5/6.

Jon Stevens
A: 

Hi Jon Stevens,

I am not sure why, I couldnt get Kaptcha to work on google app engine.

Regards, Xuwei

xuwei
A: 

Kaptcha is a nice alternative to Recaptcha if you are looking to host your own captcha service instead of relying on a third party captcha service (like recaptcha).

Sasi