>The logic is sound, but doesn't play out in the real world that often.
It does play out in the real world a whole lot if you have the misfortune to be in charge of certain kinds of websites.
> once your site or app is targeted by a human who is determined to spam you, the stakes are raised to the point where neither CAPTCHAs nor standard honeypots will deter everything.
reCAPTCHA stops the bulk of it. Yes, people can still use CAPTCHA farms, but at the very least they increase the attacker's cost and will generally reduce their spam rate by a lot. After 4chan rolled out reCAPTCHA, 5+ years of spam problems vanished in an instant.
> It does play out in the real world a whole lot if you have the misfortune to be in charge of certain kinds of websites.
Very true; for some classes of sites, this is definitely the case. I was speaking more in a general sense, as I see many developers and project teams install some sort of CAPTCHA on every site as a default. In most circumstances, I think people should go for the simpler solution first, then be ready to drop in something like reCAPTCHA (or some other active spam deterrent) only when spam becomes a real problem.
I'd agree with that. It's good to have the code production-ready at a moment's notice though, because the reaction time can sometimes mean the difference between having to clean up 100 spam submissions and thousands of spam submissions.
It does play out in the real world a whole lot if you have the misfortune to be in charge of certain kinds of websites.
> once your site or app is targeted by a human who is determined to spam you, the stakes are raised to the point where neither CAPTCHAs nor standard honeypots will deter everything.
reCAPTCHA stops the bulk of it. Yes, people can still use CAPTCHA farms, but at the very least they increase the attacker's cost and will generally reduce their spam rate by a lot. After 4chan rolled out reCAPTCHA, 5+ years of spam problems vanished in an instant.