If the main issue with not using images for the captcha is the CPU load of creating those images, it may be a good idea to figure out a way to create those images when the CPU load is "light" (relatively speaking). There's no reason why the captcha image needs to be generated at the same time that the form is generated. Instead, you could pull from a large cache of captchas, generated the last time server load was "light". You could even reuse the cached captchas (in case there's a weird spike in form submissions) until you regenerate a bunch of new ones the next time the server load is "light".

当我看到一个关于人类计算的视频(该视频是关于如何使用人类通过游戏来标记图像)时，我有了一个想法来构建一个验证码系统。人们可以使用这样的系统来标记图像(可能用于其他目的)，然后使用关于标记的统计信息来选择适合验证码使用的图像。

假设有一张图片，90%的人都给它贴上了“猫”或“摩天大楼”的标签。然后可以呈现图像，要求图像最明显的特征，这将是图像的主导标签。

这可能超出了SO的范围，但有人可能会发现这是一个有趣的想法:)

我认为比特币是一个非常实用的非图像验证码——详情请参阅http://bitcoin.org。

人们在注册时发送小额付款，确认后可以退还。你花在弄清楚验证码上的时间不会回来。

音频呢?提供一个有声音在说话的音频样本。让用户输入他听到的内容。也可能是被他识别出来的声音效果。

作为奖励，这可以帮助语音识别器创建封闭的标题，就像RECAPTCHA帮助扫描书籍一样。

可能愚蠢……我有个想法。

Make an AJAX query for a cryptographic nonce to the server. The server sends back a JSON response containing the nonce, and also sets a cookie containing the nonce value. Calculate the SHA1 hash of the nonce in JavaScript, copy the value into a hidden field. When the user POSTs the form, they now send the cookie back with the nonce value. Calculate the SHA1 hash of the nonce from the cookie, compare to the value in the hidden field, and verify that you generated that nonce in the last 15 minutes (memcached is good for this). If all those checks pass, post the comment.

This technique requires that the spammer sits down and figures out what's going on, and once they do, they still have to fire off multiple requests and maintain cookie state to get a comment through. Plus they only ever see the Set-Cookie header if they parse and execute the JavaScript in the first place and make the AJAX request. This is far, far more work than most spammers are willing to go through, especially since the work only applies to a single site. The biggest downside is that anyone with JavaScript off or cookies disabled gets marked as potential spam. Which means that moderation queues are still a good idea.

从理论上讲，这可以作为通过模糊性的安全，但在实践中，这是很好的。

我从未见过垃圾邮件发送者试图破解这种技术，尽管可能每隔几个月我就会收到一个手动输入的主题垃圾邮件条目，这有点怪异。

简单的文字听起来很棒。贿赂社区来做这项工作!如果您像我一样相信，SO代表积分可以衡量用户帮助网站成功的承诺，那么提供声誉积分来帮助网站免受垃圾邮件发送者的侵害是完全合理的。

Offer +10 reputation for each contribution of a simple question and a set of correct answers. The question should suitably far away (edit distance) from all existing questions, and the reputation (and the question) should gradually disappear if people can't answer it. Let's say if the failure rate on correct answers is more than 20%, then the submitter loses one reputation point per incorrect answer, up to a maximum of 15. So if you submit a bad question, you get +10 now but eventually you will net -5. Or maybe it makes sense to ask a sample of users to vote on whether the captcha questionis a good one.

最后，就像每日信誉上限一样，假设没有用户可以通过提交验证码问题获得超过100个声誉。这是对此类贡献的权重的合理限制，也有助于防止垃圾邮件发送者在系统中植入问题。例如，你可以选择与提交者的声誉成比例的概率而不是相等概率的问题。乔恩·斯基特，请不要提交任何问题。