Although CAPTCHA is a common feature, I think that its use should be strongly discouraged because of accessibility problems for visually impaired users, so it should be removed from the core (it could be available as an extension).
Maybe it should be re-evaluated and its API made more friendly to implement different captchas? I, for example, for my projects use asciigen captcha created by SamDark (http://rmcreative.ru/files/src/asciigen.rar) - implementing that required somewhat hacking the code because the captcha isn’t requested by a separate HTTP request, but embedded into the page.
Ah yea, forgot about that. Might be best suited to the package manager then.
Nothing is really foolproof, and that motion one seems like a good idea, but just trying the demo a few times threw up a few usability issues; for example, you need to draw an arrow but can’t release the click, potentially confusing for the more novice internet user.
Premise 1: everything that is easily readable by a reader for visually impaired people is easily readable by a spam bot too.
Premise 2: a “standardized” CAPTCHA (this is true for every anti-spam method) can be an easy target for spammers, because by defeating the standard Yii CAPTCHA (actually it’s not so difficult with OCR software) they defeat the CAPTCHA of every Yii website which uses it.
reCAPTCHA does a decent job because of the audio CAPTCHA, unfortunately it’s only available in the English language, so it’s still a major issue.
So… I’m for removing CCaptcha from the core (for the reasons that I’ve already explained). Alternatives could be systems like Bad Behavior http://bad-behavior.ioerror.us/blog/ and/or techniques based on hidden form fields or logical questions like these http://www.phpbb.com…i-spammer-tool/ . They’re not perfect solutions, however we remove and discourage the accessibility disaster of CAPTCHAs (moreover, I think that the current CCaptcha is not more effective than these solutions).
Akismet and approval tools are suitable for certain uses (forum messages, blog comments, etc.) but not really suitable for other things (like protecting e-mail contact forms from spam flooding, etc.).
That’s because it’s easy to code a bot that parses logical questions in a given format (and that’s why it’s better to not “standardize” them).
My proposal is to remove CCaptcha from the core because CAPTCHAs are a serious accessibility issue and their use should be discouraged. It can be moved to an external extension if somebody really wants to use them. I think we don’t really need a replacement inside the framework core, but there could be an article in the cookbook with examples of some alternatives (techniques based on hidden form fields, logical questions, etc.). A Bad Behavior based extension would be nice too.
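
An added example, not part of any post in this thread and not Yii code: one way the hidden-form-field technique mentioned above can be built for a contact form, with the decoy field kept out of reach of screen-reader and keyboard users. The function names, field names, thresholds and the signed render-time token are assumptions chosen for illustration.

```php
<?php
// Added example; field names and thresholds are assumptions.
const HP_FIELD = 'website';   // decoy field that real users never see or fill
const MIN_FILL_SECONDS = 3;   // assumed: a human needs a few seconds to type
const MAX_AGE_SECONDS = 3600; // assumed: reject forms rendered long ago

function hp_token(string $secret, int $now): string
{
    // Render time plus an HMAC over it, so the client cannot forge or backdate it.
    return $now . ':' . hash_hmac('sha256', (string) $now, $secret);
}

function hp_render(string $secret, int $now): string
{
    $token = htmlspecialchars(hp_token($secret, $now), ENT_QUOTES, 'UTF-8');
    // Hidden from sight, the accessibility tree and the tab order; labelled anyway.
    return '<div style="display:none" aria-hidden="true"><label>Leave this field empty '
        . '<input type="text" name="' . HP_FIELD . '" tabindex="-1" autocomplete="off"></label></div>'
        . '<input type="hidden" name="hp_token" value="' . $token . '">';
}

function hp_check(array $post, string $secret, int $now): string
{
    // A missing decoy is as suspicious as a filled one: the form always sends it.
    if (($post[HP_FIELD] ?? null) !== '') return 'decoy';
    $token = $post['hp_token'] ?? '';
    if (!is_string($token) || substr_count($token, ':') !== 1) return 'bad-token';
    [$ts, $mac] = explode(':', $token);
    if (!ctype_digit($ts)) return 'bad-token';
    if (!hash_equals(hash_hmac('sha256', $ts, $secret), $mac)) return 'bad-token';
    $age = $now - (int) $ts;
    if ($age < MIN_FILL_SECONDS) return 'too-fast';
    if ($age > MAX_AGE_SECONDS) return 'expired';
    return 'ok';
}

// Constructed sample submissions (not real traffic).
$secret = 'demo-secret';
$t0 = 1700000000;
$tok = hp_token($secret, $t0);
$samples = [
    'human' => [[HP_FIELD => '', 'hp_token' => $tok], $t0 + 20],
    'bot fills every field' => [[HP_FIELD => 'spam', 'hp_token' => $tok], $t0 + 20],
    'instant submit' => [[HP_FIELD => '', 'hp_token' => $tok], $t0 + 1],
    'forged time' => [[HP_FIELD => '', 'hp_token' => ($t0 - 60) . ':' . str_repeat('0', 64)], $t0 + 20],
];
foreach ($samples as $name => [$post, $now]) {
    echo $name, ': ', hp_check($post, $secret, $now), "\n";
}
```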