In my opinion, the value comes not in their being impossible (or even difficult) to crack, but in being just enough work as to require individual attention. The author of the article talks about being able to post to 94 out of 99 blogs attempted. The trick is, it looks like all of them used the same CAPTCHA generator. My current hypothesis is that if I can make my site significantly individual, then this type of automated attack becomes much more difficult. The author’s system makes several assumptions about the CAPTCHA’s properties. Violate those assumptions, and I’m betting the success rate drops dramatically.

Now, my current CAPTCHA generator isn’t particularly sophisticated, but I did take a couple of steps to be sure it isn’t exactly “stock”. If someone happens to find an automated way through it, I’ve got a couple more tricks up my sleeve to make the spammers’ lives more difficult. I look at this kind of like using one of those “club” steering wheel locks on a car. It won’t stop someone who specifically targets my site, but it will be just enough of a deterrent to keep the random automated attempts away.

So far, it has worked brilliantly. The CAPTCHA literally stopped 100% of the comment spam on my log.