What is captcha. Bypassing captcha using a proxy. Captcha input as additional income

To reduce fraud and abuse by unscrupulous users on the Internet, sites use various protection systems. One of them is a request to decipher a distorted code and type it into an empty field, that is, to enter a so-called captcha.

    • How to write regular and complex captcha
    • Automatic programs to bypass captchas

There is nothing complicated or difficult in this process: typing such a code takes no more than a few seconds, so this kind of verification will not cost you much time.

It should also be noted that such a protection system is quite reliable, but there are still ways to break it: the captcha can be entered automatically, that is, recognized by a robot (in this case, a program), so the user carries on with other tasks without being distracted by recognizing and typing captchas.

If you are a typical user and do not plan anything forbidden, then you will not often come across such captchas, which means that you do not need a program to hack this protection system.

Surely it is not difficult to spend a few seconds, say once a day, recognizing such a code?

Such programs are popular among those who, for example, make money by generating large numbers of likes on social networks or by recruiting large numbers of people into a group. The system asks you to type the code when it doubts that the action is being performed by a user rather than by an automatic program. When you enter a captcha, you confirm that you are an ordinary user, not a robot.

How to write regular and complex captcha

So, an ordinary captcha is a window in which at the top there is a distorted image, most often symbols: a set of letters and numbers, and at the bottom there is an empty line where you will have to enter the decoded code. As you can see, there is nothing complicated in this process.

The user should be aware that there are different types of captchas:

  • alphabetic;
  • digital;
  • letters + numbers;
  • Russian captchas;
  • English captchas;
  • captchas with pictures (where it is necessary to correctly position the picture, turning it in different directions);
  • captchas as examples (subtraction, multiplication, etc.). Here it is necessary to solve some kind of arithmetic equation, it is very simple, like 2 + 2, etc.;
  • complex captchas with tasks.

Consider the last three options; they are more complex than the other captchas listed above. With a picture captcha there is no code to type: you need to rotate the picture until it looks logical, that is, until it is positioned correctly. If you see a captcha with an example, you just need to solve it, that is, enter the correct answer in the empty field rather than retype the example itself.

As for the complex captcha, here you will need to complete a task. Usually some kind of answer has to be typed into the field. You may be given a link that you have to follow to find, for example, the phone number of some company. Find it and enter it into the captcha field. It will take no more than a minute; besides, such captchas come up very rarely, most often on serious commercial sites that you cannot simply walk into.


Automatic programs to bypass captchas

Today, almost every site has the protection system under discussion. The funny thing is that site creators believe that today it is possible to have such protection and install it precisely for this reason, not out of a desire to secure the resource they have created. Ordinary users face captcha requests more and more often, and this becomes annoying. That is why many users look for ways to avoid captchas by having an automatic program recognize them.

There are programs that can save you from these annoying codes. The most popular are free programs, which anyone can download and install, but the most effective are the latest captcha recognition programs, which the user has to pay to install.

I decided to take a short break in publications about this PHP framework and switch to something else as an "outdoor activity".

Therefore, I decided to talk to you about one very common cyber defense mechanism that allows you to prevent many automated attacks on websites and is used today up to 320 million times daily.

Do you have any idea what this will be about?

All of the above is about CAPTCHA, which was seen and used by probably 90% of all Internet users, but, unfortunately, not everyone knows thoroughly what a CAPTCHA is and what tasks it allows to solve.

What is captcha?

In search engines, a lot of people enter the query "CAPTCHA translation" every day. However, you will not find the correct answer to this question either in this or in other similar articles.

CAPTCHA is not just some specially made-up term, but an abbreviation of the words Completely Automated Public Turing test to tell Computers and Humans Apart, which literally means "fully automated public Turing test for recognizing computers and people." Therefore, this word is correctly written in capital letters.

In the Russian-speaking segment of the Internet, it is often called "captcha", because this is how CAPTCHA is pronounced in Russian. The capital letters are dropped, which is why the described history of the word "captcha" may be news to some readers, but it helps to trace the logical connection between it and the "automated Turing test".

I think the decoding of the abbreviation itself perfectly tells what a CAPTCHA is. The only ambiguity may be the Turing test ... If you think that at this place I will load you with a bunch of formulas and definitions, then you are wrong 🙂

I'll tell you a couple of words as clearly as possible to broaden your horizons, otherwise suddenly you get a word in a crossword puzzle, but you won't know what it is 🙂

There once lived (namely, at the beginning of the 20th century) an English mathematician named Alan Turing. He is, by the way, quite well known in narrow circles and came up with a lot of good things, for which films have even been made about him (he is the man played by Benedict Cumberbatch in the film "The Imitation Game").

So, once the thought occurred to him "can a machine think?" Since Alan Turing was not a stupid person, as you may have noticed, the result of his reflections was a test, the purpose of which is precisely to determine which of the interlocutors is a human and who is a computer.

The test was first described back in 1950 and was named after its creator, by which it is known to this day - the Turing test.

The classic Turing test is a situation in which a person (the judge) communicates with a computer and a real person by text messages. If the judge cannot determine who is who, i.e. which of the interlocutors is a human and which is a computer, then the machine is considered to have passed the test.

But it is wrong to think that exposing a computer is very simple and easy 🙂

Various tricks are used to confuse the judge. First of all, the text format of communication itself, so that a person cannot recognize the machine by voice or some other signs, and the computer can demonstrate its intelligence rather than the ability to recognize human speech (although, judging by today's videos with robots, these guys will soon have no problem with either the first or the second).

In addition, human and computer messages are sent at regular intervals so that the judge cannot identify the computer by its response speed.

But, despite all these tricks, already in 1966 (wow, "already" - after 16 years!) a computer program with the poetic name ELIZA appeared that was capable of passing this test. Many clever folks still doubt whether the experiment with ELIZA counts as a Turing test or not, but the fact remains that the machine was able to confuse people.

So CAPTCHA is a modern Turing test that helps to separate robots from people in automatic mode. Only here a computer algorithm acts as the judge. Because of this, a captcha is sometimes called an inverse Turing test.

And if you do not pass this test, then by your actions you say that you are no different from a soulless robot, and sometimes even more stupid, if the latter managed to pass it 🙂

In addition, in some cases, with a certain number of unsuccessful attempts, you can still get banned by the IP address on the site. I hope this will motivate you to approach captcha input more responsibly next time :)

By the way, despite the fact that the Turing test itself was invented in 1950, CAPTCHA is a fairly young phenomenon. Inventions similar to modern captcha appeared relatively recently - in 1997, and the term itself was coined in 2003.

I think it is now clear to you what a captcha is, how it appeared and when. The only question is "Why?" It's a good question, so I won't keep you waiting for the answer 🙂

The question is, why was it even necessary to determine with the help of CAPTCHA who came to the site: a person or a robot?

The fact is that robots in the world of the Internet are special automated programs, which are not always created with good intentions. Their purpose can be spreading spam or even hacking a resource.

By the way, even when trying to automatically brute-force passwords or sending spam to unprotected sites, it is already possible to cause serious damage to them, creating a heavy load on the server, because of which the site will stop working.

Therefore, the most important purpose of captcha is to ensure the security of the site by blocking attacks and automatic actions performed by various malicious programs.

Another answer to the question of why a CAPTCHA is needed is the recognition of scanned books and other printed publications. How?

If you have ever tried to digitize books yourself using Adobe FineReader or the like (I don't know about you, but in my student years I often did this when writing abstracts and term papers 🙂), then you know that recognition is far from 100%.

This is despite the fact that most of the books are printed in standard typographic type. For manuscripts, software recognition is almost zero.

So, the creators of CAPTCHA (in particular, the creators of Google reCAPTCHA were the first to use this mechanism) decided to take advantage of this circumstance. They collected words that software had failed to recognize, which were then displayed as captcha pictures with a request to real people to enter what they saw.

Thus, a database of readings of hard-to-recognize words was collected, and at the same time users proved that they are real people, because they were able to recognize what they saw, which distinguishes us from robots. As for me - brilliant, like everything in Google, in fact 🙂

The only moment that for me personally in this whole story remained unclear - how did people pass the captcha with hard-to-recognize characters, if for such there may even be several correct answers? Google, of course, will not reveal its secrets.

But if I personally developed this mechanism for recognizing text by users using captcha, then I would select some more or less similar version of what is shown in the picture, so that it would be possible to check the user's response with it.

Or I would simply count the option entered by the user as one of the answer options, and would always ask the user to enter another captcha, one with a more readable sequence of characters for which an answer exists, so that the user would not think he was being fooled and would not rack up incorrect attempts, for which people sometimes get banned.

By the way, I like the second option much more, because with it you can collect a database of correct user answers, having about 10 ready-made captchas with answers at the start. The rest will be collected automatically. All we need to do is analyze and process user responses.

Thanks to all of the above, the creators of reCAPTCHA are promoting their project under the slogan "Stop spam - read books!" And I must say - it works 🙂

According to the official information of the creator of reCAPTCHA, Luis von Ahn, his captcha is used up to 100 million times daily, which leads to about 2.5 million books being read a year.

Google acquired reCAPTCHA in 2009 and began using it to digitize an archive of New York Times newspapers from 1851 to the present day and books from Google Books until 2011. In 2012, when these resources were depleted, Google began to recognize building numbers and images from Google maps and Google Street Views, which is another challenge that can be solved using CAPTCHA.

Why did I suddenly decide to talk selectively about Google reCAPTCHA? Because this is a Google product, and Google is considered a generator of various standards in the field of the web, cybersecurity and other areas. Therefore, reCAPTCHA is the unofficial standard for captcha today - everything is simple 🙂

Therefore, it will come up more than once in the text of this article.

Captcha types

Captcha is based on the principle described above: create a task that a person can handle, but the program cannot.

As a rule, the task is chosen not very difficult so that most people can cope with it. In the end, the purpose of captcha is not to determine the user's intelligence, but simply his ability to recognize what he saw or heard and think.

Although I will not be surprised if on some mathematical forum you can find a captcha in the form of a differential equation or some problem from Eysenck's test (timed, of course) in order to filter out people with low IQ 🙂

Initially, to achieve this goal, a CAPTCHA was a string of distorted letters, numbers and other symbols that were specially passed through various noise filters, rotated and bent. But over time, other types of CAPTCHAs have appeared, weeding out robots from humans using other tasks.

1. Graphic captcha

As already mentioned, the most ancient type of captcha. It is a picture with a sequence of distorted characters (letters, numbers and special characters).

The text string is rendered as a picture in which the letters are slanted and crossed out, and various color and noise filters are superimposed on the picture. All that needs to be done to solve the captcha in this case is to type the symbols shown in the picture into a special text field.

It is still successfully used by such resources as Yandex and Vkontakte.

I myself was surprised at such a beautiful version of Yandex captcha, which I came across just at the time of writing this article 🙂

2. Logic captcha

In this case, the captcha uses various tasks to check that the person passing it has logic, and therefore the ability to think.

It can be:

  • arithmetic examples (for example, 2 + 3 =?);
  • tasks for the selection of certain objects from the proposed ones (find a woman from all photographs, a man with a raised hand, animals, cars, etc.);
  • specifying a specific digit from a sequence of numbers (for example, select the third digit from the number 2312145);
  • choice of a word starting with a certain letter (for example, you need to choose a word starting with "c" among "Chewing gum, board, chair");
  • write the number from the picture in letters and vice versa.

The most interesting logical CAPTCHA I've seen is Facebook CAPTCHA, for which you need to select the name of your friend shown in the photo. It looks like this:

3. Behavioral captcha

In this case, the user is required to perform a certain action in order to prove that he is not a robot.

It can be anything. Starting with the banal ticking of the box next to "I agree with the terms of the contract", which many of you have seen and which, in fact, is also a captcha. And ending with something more sophisticated 🙂

Some of the most common examples of behavioral captcha include the following:

  • moving the slider to a specific position;
  • rotation of the image to the specified position (vertical, horizontal).

Previously, a captcha that was behavioral and logical at the same time was also very popular: composing a picture from fragments (the so-called puzzle captcha, since it worked on this principle).

But the most interesting behavioral captcha that I have come across is a specialized radio-technical captcha, which can only be passed by experts in radio engineering. But there is an incentive to enter the radio engineering faculty and study for 5 years at the university 🙂

4. Sound captcha

All of the above CAPTCHA options do not present any difficulty for real users of sites, because to solve them, a person's visual perception is sufficient, which computer programs do not possess.

But here the question arises: what about visually impaired or even blind PC users? Audio captcha was created just for this category of people.

Honestly, personally, I do not quite understand how a blind person can even get to the sound captcha power button and see where to enter characters, but at least they can go through it, as the developers claim.

Everyone has probably seen it on Google reCAPTCHA.

To be honest, I have not met an independent sound captcha. Perhaps, on some resources for the visually impaired, it is, but I'm not a frequent visitor there.

For this reason, I placed this type of CAPTCHA at the end of the list.

Regarding the now popular Google reCAPTCHA - if you studied it carefully, you could make sure that it does not refer to any specific type of captcha, but is combined.

In its first version, reCAPTCHA combined graphic and audio captchas, and since 2015, when noCAPTCHA reCAPTCHA appeared, it has been a behavioral, logical and sound captcha at the same time. That is, it has one more level of protection.

Where can I find captcha on the site

As we have already found out, CAPTCHA is used on sites in order to identify robots and prevent their actions. Therefore, in order to determine where captcha is used, you need to make a list of actions that robots perform on sites most often.

Among them:

  1. Sending spam in the form of comments with links to other resources.
  2. Registration of users to perform various actions in order to hack the site and, again, send spam.
  3. Guessing a password to log in to the site under an existing user's account.
  4. Inflating likes, friends, views, downloads and other actions that are paid for, in order to earn money without actually doing anything.
  5. Parser robots that steal content from websites. Now, for such things, you can get a ban from search engines, but some online stores, I think, are still doing it.

Therefore, the captcha is installed to prevent the automatic execution of these actions, and therefore most often the captcha can be found in the following places:

  1. Registration form on the site.
  2. Authorization form on the resource.
  3. Form for adding comments.
  4. Password recovery form.
  5. File download form.

Sometimes a CAPTCHA appears when an action is performed too often (likes, adding friends, clicks on ads, etc.).

But for the most part, as you may have noticed, captcha is still an indispensable element of various web forms, through which the user interacts with the site. If you are interested, then I recommend that you read the article at the link, which, in addition to describing the principle of operation, contains 2 working examples of installing captcha on the site with your own hands.

This concludes today's article on what a captcha is. In it, I tried to tell you about what a CAPTCHA is in the most understandable and accessible language, and we also talked about why it is needed and what types of CAPTCHAs can be found today.

In the following publications, I will tell you how captcha works, consider the process of installing reCAPTCHA on a site and how to develop it from scratch, as well as about webmasters and ordinary users without a website and special knowledge.


Probably, there is no Internet user who, at least once in his life, has not had to enter the "symbols from the picture" in the appropriate field on a site. The importance of this action is often explained: to distinguish a person from a robot. But how the distinction is made may not be clear to some. And the word of foreign origin - captcha - is completely new in the Russian language, and therefore it can introduce ambiguity into the process.

What is CAPTCHA? It is a computer-administered test that makes it possible, with varying accuracy, to determine which category a user belongs to: a person or a computer (robot, bot). This way you can prevent automatic registrations with services, for example, to avoid spam mailings. The following are used as challenge forms in captchas:
  • a sequence of characters to be entered;
  • a riddle to be answered;
  • an arithmetic example, the answer to which should be found and entered in the field;
  • sets of pictures, in which you need to mark all images containing a certain object, etc.

These forms can be recognized by a person, but not in every case by a computer. Problems expressed in forms can be solved by a person, but also not in every case by a computer.

An example of how captcha works
When generating a sequence of characters, language characters are placed on a background that can blend in with the characters, and they themselves can be curved. It is difficult for a robot to distinguish a sign from a background element and to recognize this or that curved symbol, so computers often fail such tests.

The ability to pass the test by a computer
In some cases, robots pass the test and perform the very actions that site owners want to protect against. This is possible for several reasons:
  • the image is recognized;
  • the answer to the image question is embedded in the name of the image file, which can be found in the page source code;
  • the algorithm for constructing the forms is recognized and the answer options are tried one after another, etc.

Thus, in the answers to the questions "what is captcha?", "What is it for?", "In what forms is it implemented?" and "can you get around it?" there are no complicated aspects. However, it is important to keep in mind that it is impossible to guarantee complete protection of the site using CAPTCHA tests, but it is quite possible to partially filter out a large number of automatic (machine) requests that can lead to spam.

CAPTCHA is short for the English "Completely Automated Public Turing test to tell Computers and Humans Apart", a fully automated public Turing test for distinguishing between computers and people. On the Runet, you can often hear the transcription "captcha".

Essentially, a CAPTCHA is a small test that a person can handle easily, while for a computer the problem is several orders of magnitude harder. The tests rely on the human senses and logic.

This test is used for one purpose: to prevent bots from sending or publishing spam on sites and from downloading materials.

CAPTCHA methods

The vast majority of CAPTCHA methods ask the user to visually recognize graphic information, less often to analyze and / or calculate something, and to enter the recognized information in a special field. Let's consider the most common methods.

1. The most common method: the user is asked to enter the numbers / symbols shown in the picture. As a rule, the symbols are distorted, blurred and overlaid with noise.

2. The user is shown a picture with numbers written out in words and must enter them as digits.

3. The user is prompted to perform a simple arithmetic or logical action and enter the result. The method can be complicated by a combination with the previous one.

4. A method based on human feelings, knowledge and sensations: from the proposed series of images, choose the correct one that satisfies the question posed. For example, choose a beautiful face from several faces. Or choose an apple from the offered fruits.

5. Method based on human speech recognition.

6. Video CAPTCHA. Any of the first three methods in which, instead of an image, the information is shown to the user as a video sequence where the letters and symbols are in constant motion.

Options 1, 2 and 3 are easy to transfer from service to service and easy to customize. They are not demanding on hosting or resources. At the same time, the degree of protection remains high enough (when configured correctly). Methods 4, 5, 6 require more serious configuration or connection to specialized services that provide CAPTCHA services.

The most common is method 1 - duplicating the displayed characters and letters in a special field. Methods based on human knowledge and feelings, as well as those associated with arithmetic or logical actions, depend on the mentality, literacy of the visitor or moral norms adopted in the territory of residence. This can give incorrect interpretations of the captcha, respectively, errors during testing. Naturally, such actions can lead to an outflow of visitors from the site.

Errors, vulnerabilities and countermeasures / protection methods

The main possible error is a mistake by, or insufficient professional training of, the programmer who writes or installs the captcha code. Captcha programming errors allow bots to bypass the protection, leaving only real visitors to take the test.

A rather striking example: the CAPTCHA picture is requested with the verification code passed explicitly as a parameter of the image call: , where "Hqhqhq" appears as the requested confirmation code. The implementation vulnerability is obvious: the bot scans the page code, extracts the verification code and substitutes it in the appropriate field. The bot passes your protection in a split second, while a real person needs several seconds or even minutes to enter the verification code.

There is also a brute-force method used by bots. A captcha is always associated with a visitor's session. If the set of possible CAPTCHA values is relatively small, a bot that has registered a session goes through all the options one by one and sooner or later guesses the correct value.


For as many years as Habr has existed, posts about yet another captcha have appeared on it regularly, be it a script for generating a picture, a new idea for a captcha with cats, and the like. The most recent example shows a person who does not quite understand how a captcha should work (see the text of the post and the last comments), but who shares his misconceptions with the community all the same. One gets the feeling that captcha is terra incognita for most developers: both for those who simply bolt it onto the next form in the hope that it will work "out of the box", and for those who come up with captchas such as choosing the picture with a cat from several photos.

The article contains useful information for those who run a captcha on their own server instead of trusting a third-party service like reCaptcha.

And as a teaser - if you think that such a captcha check will work:
if ($_POST["captcha"] == $_SESSION["captcha"]) return true; (example from practice)
then you are deeply mistaken.

Captcha

By definition, captcha is an automated public Turing test (a test that can be passed by a human, but not a computer). In this article, I will consider the properties of a captcha using the example of its most common type - text in a picture, although almost everything written is equally applicable to any type of captcha.

Two main properties of captcha

Any captcha must have two properties, without which it will not work:

Recognition resistance - a property that protects a captcha from being recognized by an algorithm, for example, a text recognition system. It ensures that a person can read the text in the picture, but the computer cannot.
Anti-example: the standard phpBB 2.x forum captcha did not have such a property - due to the relative ease of recognition, scripts appeared that spam all forums in a row, forcing webmasters to change the captcha to a more persistent one.

Resistance to guessing - a property of a captcha that does not allow its value to be guessed in a small number of attempts (less than 1000). If the set of possible captcha values is small, a program will have no difficulty passing it by trying values instead of recognizing it.
Anti-example: arithmetic captcha like "1 + 2" (iterating over numbers from 1 to 20 will soon give a result).
Anti-example: choose from several pictures the one with a cat.

Captcha check

The value for verification must be stored on the server, and not transmitted along with the picture to the browser. To match the visitor and the correct value of the captcha, you must use a certain key that is transmitted along with the captcha (session ID, captcha number, etc.)
Anti-example: if you transmit the captcha itself together with the value for its verification (even encrypted), then a person only needs to recognize such a captcha once and then reuse the "answer" - "value to check" pair in a script (the post linked at the beginning describes exactly such a case).

Before checking the answer, you need to make sure that it is not empty. Otherwise, an attacker can submit an empty value and pass the captcha by never loading the picture or by deleting the current session identifier: the check will then compare two empty strings (in PHP, a nonexistent value is equal to an empty string).
Anti-example: the code I already mentioned, if ($_POST["captcha"] == $_SESSION["captcha"]) return true;
Moreover, this code was written by an experienced programmer.

After verification, the stored captcha value must be deleted. If this is not done, an attacker will be able to reuse that value an unlimited number of times. Yes, when the page with the form is refreshed, the captcha is refreshed too (either when the form is generated or when the image is generated), but a script does not have to load the form again (note that this is not relevant if the site uses one-time CSRF tokens for forms).
Anti-example: a hypothetical login form, in which it is enough to enter the captcha correctly once, and then brute force the password with a script, avoiding regeneration of the captcha on the server.

Bulletproof captcha

Brute force protection. If your captcha is resistant to recognition, but not very resistant to brute-force (for example, you only need to read 3-4 digits on it), it is advisable to limit the number of incorrect answers "from one ip" / "for one login" / etc. Such restrictions must be checked BEFORE checking the captcha itself (that is, even in the case of a correctly entered captcha, if there is a restriction, it should not be considered passed) otherwise it will not interfere with brute force.
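The rules from "Captcha check" and the brute-force limit above, put together as an added example (it is not code from the article). The arrays stand in for $_POST and $_SESSION so the script runs from the command line; the function names, MAX_FAILURES and the sample values are assumptions made for the illustration.

```php
<?php
// Added illustration, not code from the article. $post and $session stand in
// for $_POST and $_SESSION so the script runs from the command line.

const MAX_FAILURES = 5; // assumed per-IP limit; the article gives no number

// The article's anti-example. A missing key evaluates to null, and
// null == null is true, so a request with no answer and no session passes.
function check_vulnerable(array $post, array $session): bool
{
    return ($post['captcha'] ?? null) == ($session['captcha'] ?? null);
}

// Hardened check following the article's rules.
function check_hardened(array $post, array &$session, array &$failures, string $ip): bool
{
    $expected = $session['captcha'] ?? null;
    // One-time use: the stored value is deleted whatever the outcome.
    unset($session['captcha']);

    // The attempt limit is evaluated BEFORE the captcha, so even a correct
    // answer is rejected once the limit has been reached.
    if (($failures[$ip] ?? 0) >= MAX_FAILURES) {
        return false;
    }

    $answer = $post['captcha'] ?? null;
    // Missing, empty or non-string values (e.g. captcha[]=x) never match.
    $ok = is_string($expected) && $expected !== ''
        && is_string($answer) && $answer !== ''
        && hash_equals($expected, $answer);

    if (!$ok) {
        $failures[$ip] = ($failures[$ip] ?? 0) + 1;
    }
    return $ok;
}

function show(string $label, bool $result): void
{
    printf("%-42s %s\n", $label, $result ? 'passed' : 'rejected');
}

$ip = '203.0.113.7';   // constructed address from the documentation range
$failures = [];

// 1. A bot sends no answer and no session cookie.
$session = [];
show('vulnerable, empty request:', check_vulnerable([], $session));
show('hardened, empty request:', check_hardened([], $session, $failures, $ip));

// 2. A human answers correctly, then a script replays the same answer.
$session = ['captcha' => 'k7wqz'];   // constructed value
$post = ['captcha' => 'k7wqz'];
show('hardened, correct answer:', check_hardened($post, $session, $failures, $ip));
show('hardened, replay of same answer:', check_hardened($post, $session, $failures, $ip));

// 3. The limit has been reached: a correct answer no longer helps.
$failures[$ip] = MAX_FAILURES;
$session = ['captcha' => 'm3xtp'];   // constructed value
show('hardened, correct answer over the limit:',
    check_hardened(['captcha' => 'm3xtp'], $session, $failures, $ip));
```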

DoS protection. When generating captchas on your own server, you need to understand that this is a convenient vector for DoS attacks (which, unlike DDoS, can be arranged by any student). For protection, you can limit the number of captchas generated for one IP, cache captchas, etc.

Protection against recognition. If you choose a captcha, or suddenly you are going to write it yourself, it is advisable to understand which captcha is more protected from recognition. There are ready-made universal captcha recognition scripts that work on the OCR principle, and if your site is of interest to spammers, there is a risk that they will use / write a script specifically for your captcha. The latter, however, refers more to sites of the level of Yandex or vk, but it is advisable to provide for an option with protection against banal OCR.

Anti-gate protection. Formally speaking, a captcha as a Turing test is not obliged to protect you from anti-gates, since in this case a person will recognize it. From a practical point of view, this issue is very relevant and it is necessary to defend somehow.
There is not and cannot be a "gold standard" (because in this case, antigates will implement its support), so you are free to supplement the captcha with any tricks to make it impossible to recognize it through the antigate. For example:
- non-standard captcha (collecting a puzzle, rotating an image, clicking on an area on a photo, etc.);
- Cyrillic captcha is the simplest solution, but it has a number of disadvantages: it is suitable only for projects with a Russian-speaking audience, there are anti-gates with Cyrillic support;
- using a virtual keyboard next to the captcha for entering non-standard characters or shapes (may be inconvenient for mobile users).

Usability

Do not ask to enter a captcha if you are already convinced that there is a person in front of you. Here, however, one must be careful that the form cannot be used by the script an unlimited number of times after a single captcha input by a person.
Example: registration form. If I'm registering somewhere and forgot to fill in the "postal code" field, but entered the captcha correctly, there is no need to show me a new one. For 10 minutes, store somewhere the fact that a living person is currently trying to fill out this particular form.
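One way to remember a solved captcha without opening the form to unlimited scripted reuse, as an added example (not code from the article). The pass is bound to one form and expires after the article's 10 minutes; the cap on resubmissions, the function names and the form identifiers are assumptions, and $session stands in for $_SESSION.

```php
<?php
// Added illustration, not code from the article.

const PASS_TTL = 600;      // seconds: the article's "10 minutes"
const PASS_MAX_USES = 5;   // assumed cap on resubmissions per solved captcha

// Call once, right after the captcha for $formId has been solved correctly.
function grant_human_pass(array &$session, string $formId, int $now): void
{
    $session['human_pass'][$formId] = [
        'expires'   => $now + PASS_TTL,
        'uses_left' => PASS_MAX_USES,
    ];
}

// Returns true if this submission of $formId may skip the captcha.
// Every successful call spends one use, so a script cannot ride on a single
// human-solved captcha forever.
function consume_human_pass(array &$session, string $formId, int $now): bool
{
    $pass = $session['human_pass'][$formId] ?? null;
    if ($pass === null) {
        return false;
    }
    if ($now >= $pass['expires'] || $pass['uses_left'] <= 0) {
        unset($session['human_pass'][$formId]);
        return false;
    }
    $session['human_pass'][$formId]['uses_left']--;
    return true;
}

$session = [];
$t0 = 1700000000;   // constructed timestamp
grant_human_pass($session, 'register', $t0);

// The visitor forgot the postal code and resubmits 30 seconds later.
printf("resubmit after 30 s skips captcha: %s\n",
    var_export(consume_human_pass($session, 'register', $t0 + 30), true));

// The pass is valid only for the form it was earned on.
printf("login form skips captcha:          %s\n",
    var_export(consume_human_pass($session, 'login', $t0 + 30), true));

// A script hammering the same form runs out of uses.
$skipped = 0;
for ($i = 0; $i < 20; $i++) {
    if (consume_human_pass($session, 'register', $t0 + 60)) {
        $skipped++;
    }
}
printf("scripted resubmissions that skipped: %d of 20\n", $skipped);

// A fresh pass is useless once the time window has closed.
grant_human_pass($session, 'register', $t0);
printf("resubmit after expiry skips captcha: %s\n",
    var_export(consume_human_pass($session, 'register', $t0 + PASS_TTL + 1), true));
```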

To facilitate human recognition: do not use letters and numbers in captcha at the same time, do not use both uppercase and lower case, exclude similar characters.

Refusal to use captcha

The best captcha is no captcha. Where you can refuse to use it - this must be done. You may need to implement additional limits and checks for this, but users will thank you.
But here you have to be very careful. For example: a registration form without captcha, with an email field to which an activation letter is sent. Without additional means of protection, such a form can be flooded with bogus addresses, and your site will be blacklisted by mail services. In this case, you can do without captcha, but only if you have another line of defense, such as an IP limit.

To some, the information in this topic will seem obvious, but if I had not come across examples of misunderstanding of these simple principles in life, including from experienced fellow developers, I would not waste time writing this text.
