Anyone still of the opinion that all the more accessible, less annoying CAPTCHAs are "Security by obscurity"?
Yes, I'm bitter. Being blind, CAPTCHAs just piss me off. I use skipinput.com for my CAPTCHA-solving needs (no affiliation, just a "Happy" customer) because all the alternative audio CAPTCHAs just plain don't work. So I'm glad we now have actual evidence of just how questionable the rigorous security of visual CAPTCHAs really is. Yes, you should adopt countermeasures to automated and human spammers proportional to the amount of effort an attacker will put into attacking your site, of course, and that may include very strong CAPTCHAs, but this really is a perfect illustration of why you gain nothing from shoring your defences up more than is really necessary, and in fact may hurt yourself. Your visitors come first, and there really are lots of ways (honey pots, script-based, text-based, rate limits, IP reputation, email verification with optional code, etc, etc). I know it's hard sometimes for the smaller sites to do more than just slap on ReCAPTCHA, but frankly having operated on a single email challenge-response type system for several years now on a little forum, I'm convinced that our best weapon against the spammers at this point is diversification. May the world rid itself of obnoxious CAPTCHA, the concern for all humankind be extended equally regardless of ability, and the reality that "Security by obscurity" sometimes is all it takes to make your website visitors happier and less inundated with spam be finally recognised. :)