How important is CAPTCHA on registration pages?

My personal experience with ReCAPTCHA (widely regarded as being one of the best) is that it took about a week after we added it before the spammers we were trying to prevent figured out how to solve them.

They don't solve 100% of the presented images correctly but they don't have to. Even getting one in every ten correct would be fine for them and they are doing better than that. They are probably doing better than our customers.

There are some alternative styles of CAPTCHA that involve playing games or selecting the picture of a kitten out of several images. These types of CAPTCHA have not yet seen any serious attention from dedicated spammers.


User enumeration may not be a solvable problem, depending on the design of your site. In the case of a forum, an attacker simply needs to visit the forum and note down the usernames he sees attached to every post.

If anyone can register on the site, the registration process will have to notify the potential user that the name they have chosen is already taken. A CAPTCHA will probably change the equation for an attacker here because the cost of solving it and the failure rate compared to the potential value of the enumerated credential would probably mean that it's not worth the effort.

Since usernames are generally the non-secret part of the credential pair, even figuring them out usually doesn't have much value for an attacker.
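
For defenders who still want visibility into enumeration through the "name already taken" response described above, the following added example (not part of the original answer) flags clients that collect many distinct taken-name replies in a short window and reports their CAPTCHA failure rate. The log format, field names, window and threshold are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic); the format is hypothetical:
# timestamp, client IP, CAPTCHA result, requested username, registration outcome
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 fail admin rejected
2024-05-01T10:00:20 203.0.113.7 pass admin taken
2024-05-01T10:00:45 203.0.113.7 fail root rejected
2024-05-01T10:01:10 203.0.113.7 pass root taken
2024-05-01T10:01:30 203.0.113.7 pass jsmith taken
2024-05-01T10:02:05 203.0.113.7 pass qzx81 created
2024-05-01T10:02:40 203.0.113.7 pass mary taken
2024-05-01T10:03:00 203.0.113.7 pass support taken
2024-05-01T10:04:00 198.51.100.20 pass dave taken
2024-05-01T10:04:30 198.51.100.20 pass dave1984 created
"""

def find_enumerators(log_text, window=timedelta(minutes=10), threshold=5):
    """Flag IPs with >= threshold distinct 'taken' names per window (log is time-ordered)."""
    recent = defaultdict(deque)            # ip -> (timestamp, username) of "taken" replies
    captcha = defaultdict(lambda: [0, 0])  # ip -> [failed, total] CAPTCHA attempts
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, ip, result, user, outcome = parts
        ts = datetime.fromisoformat(ts)
        captcha[ip][1] += 1
        if result == "fail":
            captcha[ip][0] += 1
        if outcome != "taken":
            continue
        hits = recent[ip]
        hits.append((ts, user.lower()))
        while ts - hits[0][0] > window:    # drop probes that fell out of the window
            hits.popleft()
        names = {u for _, u in hits}
        if len(names) >= threshold:
            flagged[ip] = {"names": sorted(names)}
    for ip, stats in flagged.items():
        failed, total = captcha[ip]
        stats["captcha_fail_rate"] = failed / total
    return flagged

if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(ip, stats)
```

A legitimate user who hits one or two taken names before succeeding, like the second client in the sample, stays below the threshold.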