Comment Re:What? (Score 1) 558
Click on that audio button sometime and see if you can solve it.
You do realize there are JavaScript-enabled browsers out there that can be used as libraries in any software, including bots?
This would fail.
The majority of spam comments now are autogenerated with keywords and generic "thanks for this info, I will come back and read again" messages. Your typical user won't recognize this is spam. It's just like using Bayesian filters for email spam.
In other words, the spammer's bots had rules to handle the particular image captcha you used, and didn't have rules for the ASCII one you chose.
It might have been a bad CAPTCHA system, I've seen some that do stupid things like put the actual letters in ALT text or the image asset URL. Hell, I've seen one that draws the image using JavaScript, and the original letters are right in the source for anyone to harvest with basic scripting abilities. Those kinds of systems are easily broken, and when you know a large percentage of a particular CMS install base uses the same broken system, you end up with the experience you described.
If your ASCII-based plugin becomes common, I guarantee the bots will start detecting and bypassing it.
If you are a high-profile site, the spammers will build rules to handle your specific form edge case.
You're just pushing the problem to the social media providers then. And they do captchas as well. There's plenty of fake social media profiles out there and if you use social media logins, be prepared for bots using fake or hijacked social profiles.
I know there's plenty of ways to break the intent of CAPTCHA. But at the moment it's still the easiest to implement and most difficult to break solution we have.
Until a better solution is developed, or CAPTCHA is completely broken, it's not going anywhere. It sucks, but for the most part it does work.
CAPTCHA will be around as long as it is the best way to stop programmatic submissions.
CAPTCHA sucks for sighted people as well, not just the visually impaired.
As long as we have need for tools to discern software from people, something like CAPTCHA will exist. And so far we haven't developed anything that only humans can do, but computers can't.
WPA2 is just as easy to set up as WEP or WPA, so why not just do it?
True story, when I turned on tethering on my phone in the airport, to avoid people trying to connect to the WiFi AP it creates, I set the SSID name to "TSA".
If you have a random password of the maximum length following all the password security recommendations, then there won't be a matching hash in the rainbow tables even if your SSID is in them. As an AC noted, an attacker is still going to have to brute force. Whether or not your SSID is in the rainbow tables won't make any difference on the size of the search space.
You're only at risk if your SSID *and* your password are in the rainbow tables.
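An added example, not part of the original comments: WPA2-PSK derives its key with PBKDF2-HMAC-SHA1 using the SSID as salt, so a precomputed table only helps when both the SSID and the passphrase were in it. The SSIDs, wordlist and helper names below are constructed for illustration, and the dictionary stands in for a real rainbow table.

```python
import hashlib
import secrets
import string


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_table(ssids, wordlist):
    """Precompute PMK -> passphrase per SSID (toy stand-in for a rainbow table)."""
    return {ssid: {wpa2_pmk(pw, ssid): pw for pw in wordlist} for ssid in ssids}


def lookup(table, ssid, pmk):
    """Return the passphrase only if this SSID *and* passphrase were precomputed."""
    return table.get(ssid, {}).get(pmk)


def random_passphrase(length: int = 63) -> str:
    """Maximum-length WPA2 passphrase (63 printable ASCII chars) from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample data: a few common SSIDs and weak passphrases.
COMMON_SSIDS = ["linksys", "NETGEAR", "default"]
WORDLIST = ["password", "12345678", "letmein1"]
TABLE = build_table(COMMON_SSIDS, WORDLIST)


def in_table(ssid: str, passphrase: str) -> bool:
    """True when the network's key can be found by table lookup alone."""
    return lookup(TABLE, ssid, wpa2_pmk(passphrase, ssid)) is not None


if __name__ == "__main__":
    strong = random_passphrase()
    for ssid, pw in [("linksys", "password"),        # common SSID, weak passphrase
                     ("linksys", strong),            # common SSID, random passphrase
                     ("home-7f3a", "password")]:     # uncommon SSID, weak passphrase
        print(f"{ssid!r:12} table hit: {in_table(ssid, pw)}")
```
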
They aren't changing the Favicon, they're changing the contents of the title tag.
This is actually really simple, cross-browser supported, and a nice gesture for visitors.
This can be done in one line of JavaScript if you add it to your play event. Here's a jQuery-flavored example:
$('title').html( "▶ " + $('title').html() );
Talk about a mind-bogglingly easy and straightforward solution. Surprising no one implemented it before.
If the device is connected to WiFi, it works.
Your SSID is meaningless. Everything else is basic password security 101.
Next time you're there, copy down one of his MAC addresses and start spoofing it.
Elegance and truth are inversely related. -- Becker's Razor