Recently (yesterday? today?), a hosting provider I inhereted when I took over a web site decided to add a CAPTCHA to their login page. That is, every time I want to log in to their control panel, I have to do their CAPTCHA, which is one of the harder ones to read that I’ve seen. Mind you, I already dislike this provider because they only allow FTP access (no security whatsoever) and because the only way to access the MySQL databases is through through their control panel. Oh, and it really didn’t help their case when they said that CAPTCHA is an acronym for “Completely Automated Turing Test to Tell Computers and Humans Apart”–there are just a few too many Ts in there.
(Oh, and unrelated to CAPTCHAs, I am right now grateful for the autosaving of drafts in WordPress, since, when I went to the hosting provider’s web site to check that I was correctly quoting them, I experienced the fourth crash of Firefox 3b5 tonight, all four of which have occurred when clicking on some part of this hosting provider’s control panel.)
I hate CAPTCHAs, but I think they are (in some instances) a necessary evil. I have, in fact, even written my own in PHP, using a lot of the CAPTCHA-defeating research as a guide for building a computer-resistant but human-readable CAPTCHA, but again I’m getting away from my intended point. To me, a CAPTCHA is a roadblock of last resort. It’s annoying to your users, so if you decide to employ a CAPTCHA, either you don’t care about your users or you’re overrun with bots that cannot easily be stopped any other way. The only places I’ve employed CAPTCHAs are on guestbook-type pages where the volume of spambot comments were such that I was hitting a disk quota issue and on account signup pages. This hosting provider, however, wants me to deal with a CAPTCHA whenever I want to do anything with the account at all because, they say, they want to prevent automated login attempts. Wouldn’t rate-limiting be a much better solution? Maybe looking at user agents? Javascript? How about using something like Bad Behavior?
Ahh, well. I’ll transfer the domain name out now, and when the hosting plan is up in about 16 months (2-year auto-renew, happened just before I took over), I’ll be moving that web site elsewhere.