Just to give a background for my question, I am using Vanilla Forums for a website I run. Vanilla Forums comes with baked-in support for using reCAPTCHA to authenticate new registrations on the website, which I have enabled. Recently on my forum, however, I have seen a spike in spam registrations (obvious 'spammy' usernames, same email address used, et al.)
I looked into this to try to see how spambots could be getting past the reCAPTCHA verification. I know that in reCAPTCHA, one of the words is known by the system and the other isn't, so it is possible that a form submit might validate even if one incorrect word is entered.
So I tried out a couple of things on the registration form on my site, by entering invalid reCAPTCHA inputs. I found that...
- If the number of characters entered per word is correct
- The answer entered for BOTH words is correct EXCEPT FOR one character
...no reCAPTCHA error is thrown.
I don't think this issue is isolated to Vanilla Forums either. When you go to the demo page for reCAPTCHA, try this yourself. Enter two words, correct number of characters, but the words themselves off by one character - with 'similar' looking characters (like an 'a' instead of a 'd', 'v' instead of 'w').
Is there something wrong with Vanilla's implementation of reCAPTCHA or is this a known issue with reCAPTCHA itself? (You can test Vanilla's registration form here.)
Possibly related: Has reCaptcha been cracked / hacked / OCR'd / defeated / broken?
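As an added illustration of the behaviour the question describes (a model written for this page, not reCAPTCHA's or Vanilla's code), the Python below assumes the server knows which of the two words is the scored control word and accepts it with a one-character tolerance, while the second, unsolved word is recorded but never scored:

```python
# Model of the two-word reCAPTCHA scheme as described in the question above.
# Assumptions (not taken from reCAPTCHA's implementation): the server knows the
# answer to exactly one "control" word and its position in the response, and
# accepts it if it has the right length and at most `tolerance` differing
# characters. The other word is an unsolved OCR word and is never scored.

def hamming_mismatches(expected: str, given: str) -> int:
    """Count positions where two equal-length strings differ."""
    return sum(1 for e, g in zip(expected, given) if e != g)

def lenient_control_check(expected: str, given: str, tolerance: int = 1) -> bool:
    """Fuzzy check: same length and no more than `tolerance` mismatched characters."""
    expected, given = expected.strip().lower(), given.strip().lower()
    return len(expected) == len(given) and hamming_mismatches(expected, given) <= tolerance

def strict_control_check(expected: str, given: str) -> bool:
    """Exact (case-insensitive) comparison, for contrast with the lenient rule."""
    return expected.strip().lower() == given.strip().lower()

def verify_two_word(control_expected: str, response: str,
                    control_index: int = 0, check=lenient_control_check) -> bool:
    """Split a two-word response and score only the control word."""
    words = response.split()
    if len(words) != 2:
        return False
    # The unsolved word (the other position) contributes nothing to the verdict.
    return check(control_expected, words[control_index])

if __name__ == "__main__":
    # Constructed sample: control word "window", unsolved word "flock".
    print(verify_two_word("window", "winaow flocl"))  # both words off by one: accepted
    print(verify_two_word("window", "winaov flock"))  # two mismatches in control: rejected
    print(verify_two_word("window", "winaow flock", check=strict_control_check))  # exact: rejected
```

Under this model any response with the right length and a single similar-looking substitution passes, which is exactly the observation in the question; the strict variant shows what an exact-match verifier would do with the same input.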
Just found the answer in the reCAPTCHA wiki: