Supplements I take

Introduction

This document is an updated list of the supplements/drugs that I take daily, as well as notes on some other interesting substances. It contains information on exactly what I take, how much of it, how much it costs, and some information on the substance which should roughly explain my reasons for taking it.

The first list contains supplements I take daily; the second list contains supplements that I do not take daily but that nonetheless seem interesting; and the third list contains supplements that are interesting, but that seem less suitable for safe human consumption or are more speculative.

The focus of my supplementation is to find substances that are both very safe and also have a notable probability of improving health, lifespan, well-being, or productivity, with the ultimate goal being to significantly slow aging, even if it’s difficult to do at this time. I don’t take many nootropics as I don’t think there’s much room for intelligence improvements just from ingesting simple compounds (evolution has already put quite a bit of time into making us smart), with the exception of treating some deficiency or other issue, or improving productivity/concentration, which is definitely possible (see: caffeine, modafinil, adderall, many others), but distinct from intelligence.

This post is not an attempt to convince anyone of something specific or to suggest anything specific, but I have decided to publish it publicly in order to better keep myself accountable for my reasoning, receive potential feedback, and to otherwise share some potentially useful short summaries of information. Concordantly, I’m not a doctor and this post contains no medical advice or suggestions. Which supplements, if any, one should take, is a very personal matter, as it is dependent upon many unique traits such as one’s age, diet, lifestyle, genes, risk preference, finances, and more.

Notes on supplements

Although there are a lot of supplements that would be beneficial to many people, caution must be exercised both with research and purchasing. Supplements in the United States have very little regulation, with some sellers having poor quality control, fraudulent research, marketing, claims, and poor ingredient composition and sourcing. The supplement industry is worth billions of dollars and has many bad actors incentivized by profit over truth, so time and care must be exercised in order to find out what works best for you personally. Certainly, research can be found promising positive effects from thousands of various substances – but taking all of them would be impractical, expensive, and downright harmful.

Concordantly, one of the strongest criteria I look for in most supplements is safety, which many times (not always!) comes alongside popularity. As many supplements offer marginal benefits at best, it would be irrational to purchase and consume them if they had a good chance of causing harm, as this would easily cause them to fail a basic cost/benefit or risk/reward analysis.

Ideally one should attempt to find quantitative measures to objectively evaluate if a substance is really helping them in the desired manner. In some cases this is both easy and cheap to do, for example with Vitamin D supplementation, which costs only a few cents a day, does not need to be compared to a placebo, and can be tested for in your blood for as little as $30. In other cases, proper testing is difficult or impossible and may require significant effort and time for very little benefit. Keeping one’s lifestyle, diet, and other factors a perfect experimental constant is certainly difficult, as is performing blind experiments on yourself, collecting and analyzing data, and finding the proper quantitative desideratum to test yourself on to begin with; testing if something specific has definitively made you slightly smarter, happier, healthier, more productive, or extended your lifespan, is certainly difficult if not occasionally impossible to do in a scientifically rigorous manner with a sample size of one.

Additionally, which supplements benefit an individual is a very personal matter. Vegans may want to take some supplements that are found in meat. Carnivores may want to take some supplements that are found in plants. Supplements that may benefit the elderly or those with common conditions such as hypercholesterolemia or diabetes often seem to be much less useful for otherwise healthy individuals. Indeed, for individuals that have many health conditions, including the elderly, there’s significantly more that can be gained from supplementation, as there are many more problems that can be improved upon (although there are also more risks as well). Supplements will affect someone differently depending on their weight, age, genetics, health, diet, and many other factors. As such, it’s a bad idea to copy any individual’s routine completely, even if it’s a lot of work to do your own planning, research, and testing. It is also worth mentioning that the word ‘supplement’ is used here as a relatively generic word, simply meaning that the substance is only regulated as a food within the United States and thus requires no prescription (unless otherwise mentioned), but also offers few guarantees in terms of efficacy or consistency.

Supplements I take daily

The following list contains supplements that I’m currently taking daily.

Name: Vitamin D3

Dosage: 3,000+ IU (75+ µg)

Cost/Day: $0.03

Information: Vitamin D3 [Examine, webmd, Wikipedia] (colecalciferol) is a vitamin made by the skin when exposed to sunlight. It’s a common deficiency and is very cheap to fix. The benefits of supplementation are generally found to be minor (it’s still a bit controversial if supplementation is beneficial at all, although I lean towards yes personally), but as I was notably deficient and it’s one of the cheapest supplements, it’s an easy choice for me. I take vitamin D earlier in the day without a meal, contrary to most other supplements.

Name: Fish Oil

Dosage: 1-3g+

Cost/day: $0.10 (1g)

Information: Fish oil [Examine, webmd, Wikipedia] (omega-3 EPA+DHA) is another common and cheap supplement. Although many studies find minor or sometimes no benefits, many others find a large amount of diverse improvements, even if they are minor. It’s likely that the ratio of omega-6/omega-3 you consume is important, with most people consuming far too much omega-6 (which won’t hurt to reduce regardless) and not enough omega-3, so dosing of fish oil should be based on your diet, which is easily more than an order of magnitude more important to begin with.

Name: Garlic

Dosage: 1-3g

Cost/day: $0.02 (1g)

Information: Garlic [Examine, webmd, Wikipedia] is another popular and cheap supplement. There’s good evidence that it improves lipid profiles, may help with some cancer risks, and may have other very minor benefits (may activate AMPK too?). The most desirable compound in garlic is allicin, which is diluted in garlic that is microwaved, boiled, or aged. Dosage should be based on which type of garlic is being consumed. As many people enjoy the taste of garlic, it’s a good candidate to include in meals as well.

Name: Olive Leaf Extract

Dosage: 500mg

Cost/day: $0.02

Information: Olive Leaf Extract [Examine, Wikipedia] is a cheap and easy way to hopefully mimic the benefits of olive oil, as the leaves of the olive tree contain good amounts of relevant olive phenols such as oleuropein. It may still be better to consume olive oil instead, which is still a great thing to add to meals, but with such a low cost, this seems worth inclusion to me.

Name: Magnesium Citrate

Dosage: 250mg

Cost/day: $0.05

Information: Magnesium [Examine, webmd, Wikipedia, Gwern] deficiencies are moderately common (up to 45-60%) and easily fixed. Fixing a magnesium deficiency is cheap and seems to offer quite a few minor general benefits, and also sleep and anxiety improvements for some. Depending on your diet, supplementation may be unnecessary. Magnesium comes in a lot of different forms so close attention is needed when purchasing. I stick to citrate as it makes dosing easier, has good bio-availability, and is unlikely to cause digestion issues. The above Gwern link is a great resource on Magnesium as well.

Name: Vitamin K2 MK-7

Dosage: 0mg

Cost/day: $0.00

Information: Vitamin K [Examine, webmd, Wikipedia], like most vitamins, is primarily beneficial for those deficient in it, so it is best to examine your diet thoroughly and/or be tested. There are several forms of vitamin K, and also several forms of vitamin K2. Vitamin K2 MK-7 seems to be one of the best forms to take in general, although K1 has decent evidence in favor of it as well, depending on one’s circumstances. I’ve temporarily discontinued this supplement after running out of it, awaiting more analysis and research.

Name: Glucosamine Sulfate

Dosage: 2g

Cost/day: $0.19

Information: Glucosamine [Examine, webmd, Wikipedia] is an amino sugar derived from shellfish that is commonly taken by the elderly to improve joint functionality and reduce pain. Glucosamine extends the lifespan of some mammals in studies, potentially in ways that are evolutionarily conserved, activating AMPK and therefore having slight similarity with metformin. Glucosamine may also induce autophagy via an mTOR-independent pathway, which may be the mechanism of action for its effects on lifespan. Due to its popularity as a supplement we can be relatively sure of its safety as well. Chondroitin is commonly included with glucosamine supplements, which appears very uninteresting for my own purposes, so I look for pure d-glucosamine/glucosamine sulfate, which is generally cheap.

Name: Glycine

Dosage: 9g

Cost/day: $0.20

Information: Glycine [Examine, webmd, Wikipedia] is an amino acid that is often supplemented to improve sleep. Better sleep is formidable by itself, but some studies find that it increases lifespan in organisms via methods that may be evolutionarily conserved. Although glycine is present in some foods and is also synthesized by your body, it may be the case that glycine deficiencies are technically common in humans, as the amount that is able to readily be synthesized in-vivo is sub-optimal. This may be relatively asymptomatic from an individual perspective and only manifest itself via a slight probabilistic decrease in healthspan/lifespan, although users often notice quite a few improvements besides just better sleep. Glycine may improve insulin sensitivity and other similar metrics. There may be some longevity benefits of a diet low in methionine (meat, fish, eggs, etc) as well, which may be related to one’s effective glycine/methionine ratio. I still consume a lot of methionine from common sources such as chicken breast, so this is another potential way in which glycine could be beneficial. Glycine appears to be very safe, even in larger doses, and is relatively cheap, more so as a powder, as is the case of most substances.

I take glycine in powder form, either adding it to drinks or meals, but for smaller doses of 1-2g, it might be easier to take gelatin capsules of 1g each. I’m still playing around with my glycine dosage to try to optimize it. The current dosage may appear a bit high to some; it was arrived at from a combination of the papers linked above (and linked to by those links), as well as some reasoning about my diet (high in methionine) and lifestyle. Unfortunately, even with a blood plasma test of amino acid concentrations, it’s difficult to know if this is the optimal dose for human longevity, or if it is even helpful at all to begin with, but the cost/benefit analysis here still seems to lean heavily into the green. As a simple and common amino acid, it seems pretty difficult to hurt yourself with glycine, so even taking 10-20g a day shouldn’t be harmful.

Name: Bacopa

Dosage: 445mg

Cost/day: $0.09

Information: Bacopa [Examine, webmd, Wikipedia] is an herb that seems to offer reliable but likely very minor improvements to some areas of memory and general cognition. Effects are likely difficult to notice without rigorous placebo-controlled self-testing, but it is relatively safe and cheap regardless. Digestive side-effects aren’t uncommon, as is the case with many herbal supplements. In the future I’d like to replace my bacopa with a placebo and attempt to look for differences in quantitative cognitive performance metrics such as my anki recollection, but performing this experiment well is difficult, both because the effect is very minor and because a proper experiment with n=1 is very difficult.

Name: Ashwagandha

Dosage: 470mg

Cost/day: $0.15

Information: Ashwagandha [Examine, webmd, Wikipedia] is an herb that offers potential anxiety and lipid profile improvements. Some users report that it reduces anxiety and stress significantly, with some studies showing up to a 28% reduction in cortisol (in subjects with elevated levels). Lipid improvements can also be notable, with some studies showing a 10% reduction of total cholesterol, even in healthy subjects. As an uncommon herbal supplement, digestive side effects are a notable probability. Ashwagandha is likely worth trying if you feel that you have untreated anxiety.

Name: Astaxanthin

Dosage: 12mg

Cost/day: $0.15

Information: Astaxanthin [Wikipedia, webmd, Examine] is a carotenoid generally derived from seafood. It’s suggested that it exhibits photoprotective, antioxidant, and anti-inflammatory effects, and has improved triglyceride and cholesterol levels as well as oxidative stress in humans, although not in completely healthy individuals.

Astaxanthin has increased the life span of C. elegans by 16-30%, with the authors stating “These results suggest that AX protects the cell organelle mitochondria and nucleus of the nematode, resulting in a lifespan extension via an Ins/IGF-1 signaling pathway during normal aging, at least in part”. While this is certainly interesting, expecting such a lifespan increase in humans is far too optimistic from this case alone.

However, Astaxanthin may be able to activate FOXO3 in humans, an important gene for human longevity which is present in many centenarians. Some other well-known natural compounds such as resveratrol and curcumin also interface with FoxOs, although these substances are still relatively speculative as far as anti-aging effects in humans go, even if they do have many strong supporters.

There’s some other interesting potential effects of astaxanthin, with some papers showing that it increases neural stem cell proliferation and may be useful to help curb dementia, and other papers showing that it can improve skin health and appearance, leading it to become an ingredient in some cosmetics.

Astaxanthin appears to be very safe in humans and is a relatively popular dietary supplement, with a market estimated at over $500M USD annually, although the majority of this supply is used as a component in animal feed and cosmetics.

Name: Berberine

Dosage: 1.2g

Cost/day: $0.28

Information: Berberine [Examine, webmd, Wikipedia] is an extract from various plants. It appears to be a pretty strong natural mimetic of metformin, a popular drug for diabetes with many alluring potential anti-aging properties. It often improves lipid profiles and blood glucose, and thus may have many of the long-term benefits that metformin may have. Concordantly, the possibility for digestive side-effects is relatively high, and it’s sometimes taken several times a day in smaller doses as a result. Examine suggests that it also inhibits enzymes such as CYP2D6 to some extent, which could lead to undesirable interactions with some drugs. It’s likely better to be on metformin than berberine, as drugs are kept to a significantly higher regulatory standard than supplements are and we have much more data on users of metformin. Update: my berberine usage has been indefinitely discontinued and replaced with metformin.

Name: Caffeine

Dosage: 50-200mg

Cost/day: $0.10 (much higher if drinks are considered)

Information: Caffeine [Examine, webmd, Wikipedia] is something you likely don’t need an introduction to. I try to keep my dosage relatively low to avoid issues with tolerance, using a combination of coffee, tea, or caffeine pills, depending on the amount desired and my mood. When taking 100mg or more of caffeine, I generally have 100mg of L-theanine as well.

Name: L-theanine

Dosage: 0-200mg, generally 100mg if taken

Cost/day: $0.20

Information: L-theanine [Examine, webmd, Wikipedia] is an amino acid that is present in tea leaves which is often combined with caffeine for supposedly synergistic effects on cognition and mood, improving the upsides of caffeine while helping to ameliorate some of the potential downsides. I generally only take it if I’m having more caffeine than average on a given day, since I keep my caffeine intake pretty low.

Name: Melatonin

Dosage: 1mg

Cost/day: $0.04

Information: Melatonin [Examine, webmd, Wikipedia, Gwern] is a hormone secreted by the pineal gland with an important role in regulating your sleep cycle. Melatonin production can be suppressed in many individuals that are otherwise healthy, for example by exposure to blue light from computer screens before bed (which solutions like the program f.lux and blue-light blocking glasses attempt to solve). The generally accepted benefits of melatonin are a reduction in the time to fall asleep, although some individuals claim that it reduces their need for sleep as well (often by 15-60 minutes). For those with sleep conditions such as insomnia or jet lag (or just being older in many cases), melatonin can be a much greater aid in improving sleep and quality of life.

One meta-analysis (K=10, N=653), found melatonin supplementation may have helped significantly reduce some instances of cancer mortality (R = 0.66 after 1yr). Some studies also find improvements in gastroprotection, healing and reducing the rate of stomach ulcers.

Melatonin has increased the lifespan of some mice by 18%, primarily given as a supplement later in life in an attempt to give older mice more effective pineal gland functionality (directly giving older mice the pineal glands of younger mice was also performed, which also was very beneficial). Melatonin levels similarly decline with age in humans (as most important things do), and supplementation may be increasingly beneficial as one ages.

The proper dose of melatonin to take varies between individuals and many melatonin pills for sale are dosed too high (5-10mg), so approximate self-experimentation can be used such as starting with 0.5mg and increasing your dosage until benefits are noticed. The above link to Gwern’s website on Melatonin points to a good in-depth analysis that is worth reading as well.

I don’t always take melatonin, but it’s great to be aware of and have.

Name: Metformin

Dosage: 0.5-1g

Cost/day: $0.16

Information: Metformin [webmd, Wikipedia] is a prescription drug for diabetes and is one of the most popular drugs taken by those interested in longevity, often taken for this purpose by individuals without diabetes. Metformin is said to mimic some of the potential benefits of caloric restriction. It increases the lifespan of mice, increasing AMPK activity and antioxidant protection, resulting in reductions in both oxidative damage accumulation and chronic inflammation. Lifespans of other organisms such as silkworms and nematodes are also increased. There exists a vast literature on metformin with respect to its mechanisms of improving longevity apart from just this; it’s currently the most popular drug taken to combat aging.

Due to the prevalence of diabetes, metformin has over 80 million users (the vast majority taking it for diabetes), which gives us wonderful data on its safety, with its side effects rarely including anything besides minor gastrointestinal issues. Metformin is also cheap, costing only $5-$25 a month in the United States. For the above reasons and many others, metformin appears to be one of the best candidates for an anti-aging drug, leading it to become one of the only drugs making clinical progress in this area with trials such as TAME (Targeting Aging with Metformin). Metformin deserves a larger write-up than I’ve given it here, so you’re encouraged to perform your own research on it (just as you should for anything written about on this page).

This list changes as I encounter new evidence, test new supplements, or change other aspects of myself such as my diet or lifestyle, but I hope to keep it updated, even if only for myself. I’m constantly looking for substances that have a good probability of doing a much better job at enhancing longevity, but it’s very hard to find and test them in a safe way – it’s unlikely many supplements such as simple vitamins or herbs are truly going to increase our lifespan notably. The next section has more information about some substances which are more interesting, but that I’m currently not taking.

Currently I spend around $1-2 a day on supplements. As my average food expenses can easily exceed $10 per day, a 10-20% increase in this is not too bad of a price for me to pay, even if the benefits are mostly minor. Healthcare costs are very high, so anything that may lower them, even if decades down the line, can turn out to be very cost-effective. Regardless, spending money on improving my own health seems to be the best possible use of money – it is the least fungible thing I can spend on. This reasoning applies to improving diet and exercise as well, which generally offer much greater returns than most supplementation.

I try to keep my supplement stack very minimal and would rather dedicate research time and effort towards substances that might have significant effects on aging such as metformin and rapamycin, rather than substances that are often very difficult to determine any effects of, such as the large amount of amino acids or uncommon vitamin forms that can be taken. Keeping the amounts of supplements I take to a minimum offers much more than a financial benefit – it reduces the probability I will cause damage to my liver over time (which users of many supplements, or anything risky, should get tested for), and reduces the probability there will be any type of drug interactions caused by anything I take, for example by some substances inhibiting or inducing enzymes that then cause other substances to increase or decrease in efficacy (see CYP3A4 and CYP2D6 for some good examples).

Additional supplements I do not currently take

This section contains a list of supplements that I think might be worth taking, but that I currently don’t use. Substances in this section seem to be relatively safe, and I’m generally not taking them only because I have more doubts about their usefulness to me specifically.

Aspirin

Aspirin [Wikipedia] is used for more than just treating temporary pain or fevers. As an NSAID, it reduces both acute and long-term inflammation, and may also affect oxidant production, cytokine responses, and block glycoxidation reactions. Consuming a low dose of aspirin daily appears to lower the risk of CVD in higher-risk groups (generally older individuals with a relevant medical history), although it appears to have little effect in otherwise healthy individuals. The risks of a few cancers may be lowered slightly by long-term continual use of aspirin, although this is generally a minor effect, and doesn’t seem to be the case for all types of cancer. Some organizations suggest daily aspirin use in small doses for those in certain risk groups, generally those that have already experienced a heart attack or stroke.

Among aspirin’s more common adverse effects is an increased risk of gastrointestinal bleeding, which is one of the reasons it’s not suggested by most organizations for otherwise healthy individuals with low CVD risk. Aspirin has increased the average lifespan (although not the maximum lifespan) of mice in some studies, but this is unlikely to be the case in humans unless significantly more needs to be taken, which would increase the probability of adverse effects notably.

To summarize, it’s very likely that continual aspirin usage reduces the risk of some types of cancer and moderately likely that it can reduce the risk of CVD in some higher-risk groups. Although side-effects are negligible for most individuals, it is difficult to tell if aspirin is worth taking for healthy and young individuals. It’s likely much more beneficial for the elderly or middle-aged, as they’re at a much higher risk of cancers as well as CVD. As a result of this, I don’t take aspirin regularly.

Cocoa Extract

Cocoa [Examine, webmd, Wikipedia] is well-known as a major component of chocolate. Although the sugar added to most modern chocolate definitely does not benefit one’s health, cocoa itself has many bioactive substances with potential benefits. Among the most notable is (-)-epicatechin, which can offer improvements in blood flow and a corresponding reduction in blood pressure for many individuals. As usual, the most notable improvements in blood pressure and cholesterol occurred in individuals with pre-existing elevated levels. Some age-related markers improve in mice when supplemented with (-)-epicatechin, although no direct increase in lifespan has yet been noted.

Supplementation with some form of cocoa (supplemented or consumed as ultra-dark chocolate) may be beneficial for some individuals, although consuming too much sugar with cocoa would likely offset any positive effects. Quality cocoa extract is more expensive than many of the other supplements listed on this page, coming in at $1-2 a day for a proper dosage.

CoQ10

CoQ10 [Examine, webmd, Wikipedia] (Coenzyme Q10 / ubiquinone) is a substance found in meat and fish that is primarily present in mitochondria and aids ATP production. Although supplementation is likely safe, it’s difficult to find convincing evidence that CoQ10 supplementation would be effective for longevity. It may improve lipid peroxidation, blood flow and offer minor improvements in other areas, but in my opinion doesn’t appear to stand out from most supplements, both experimentally and theoretically.

Creatine

Creatine [Examine, webmd, Wikipedia] is an organic compound used in the recycling of ATP in humans. It can be found in notable amounts in muscle meat and can also be synthesized in humans via glycine, arginine, and methionine. Creatine is a very popular supplement for athletes with strong evidence that it notably increases power output and lean mass, with some evidence that it can offer minor improvements in related areas such as recovery, fatigue, and some biomarkers that are positively associated with quality anaerobic exercise. It’s very safe, has little potential for any side effects, and is relatively cheap. The only reason I don’t take creatine right now is that I’m not doing many activities to build muscle, although I’ll likely start taking it soon, even if only alongside basic resistance training, calisthenics, or even cardio.

Curcumin

Curcumin [Examine, webmd, Wikipedia] is a pigment found in turmeric. Curcumin’s strongest benefit seems to be the reduction in inflammation that it offers, although there appear to be some other areas that may be improved as well, such as lipid profiles, mental health, potentially improved digestion, and reduced pain with some conditions such as osteoarthritis. It may exhibit a notable anti-tumor effect via apoptosis. It seems relatively safe, although it has low bio-availability, so it is often taken with substances that increase its availability such as piperine, or taken in an otherwise proprietary formulation that generally has some type of oil that improves bio-availability instead. As inflammation is important in aging and many other diseases, it’s something that is nice to be aware of.

I previously took curcumin, but as my inflammation is now very low (and can barely be shown to be lower with the type of blood panels I usually get), I’ve stopped taking it for the time being. Curcumin can be potentially tough on the liver, and in large doses has a greater potential to cause adverse effects. Some papers show quite a few potential drug interactions that can occur by taking curcumin, especially in larger doses, and via a variety of mechanisms, including its effect on platelets and potential interactions with enzymes such as CYP3A4, potentially affecting the metabolism of a large number of drugs.

Quercetin

Quercetin [Examine, webmd, Wikipedia] is a flavonoid found in fruits and vegetables. As usual, eating the right fruits and vegetables is good for you on its own, and may make supplementation less beneficial, or completely irrelevant. I likely get enough of this from my diet, although there may be benefits to infrequent high-dose supplementation.

L-carnitine

L-carnitine [Examine, webmd, Wikipedia] is an ammonium compound found in notable quantities in meat such as beef. Supplementation sometimes appears to offer some decent results, but I’ve determined that I likely already get a sufficient amount from my diet.

PQQ

PQQ [Examine, Wikipedia] is a redox cofactor found in human breast milk and some foods such as kiwis. PQQ alters indicators of inflammation and mitochondrial-related metabolism. It’s likely very safe; the main reason I’m not currently taking it is that there’s very little evidence showing that it notably benefits already-healthy young humans, and it costs a bit more than most supplements on this page.

Resveratrol

Resveratrol [Examine, webmd, Wikipedia] cannot go without being mentioned: as the grape extract that inspired the ‘red wine is great for you’ craze many years ago, it has been a constant source of speculative benefits and is still a very popular supplement in longevity communities. Although it hasn’t quite lived up to its initial hype, there’s still a lot of research on how it may be beneficial for longevity in one way or another. A summary is currently excluded here and you’re encouraged to read the above links if interested.

Sulforaphane

Sulforaphane [Examine, webmd, Wikipedia] is a compound found in vegetables such as broccoli and cabbages, with the best sources of it being broccoli sprouts and cauliflower sprouts. I’ve taken sulforaphane previously, but it will be difficult to know if it had a notable effect on me or not. I’m currently focusing more on my diet and have decided against taking sulforaphane. I’ve excluded a research summary in favor of the above links.

Trimethylglycine

Trimethylglycine [Examine, Wikipedia] is a betaine amino-acid derivative found in some plants. It is notable for reliably reducing homocysteine levels in healthy subjects, sometimes by as much as 10%, and by as much as 10-40% in unhealthy individuals. It appears that it might have a slightly negative effect in increasing, or preventing to some extent a decrease in, LDL, which is why I’m currently not taking it. It’s a nice molecule to be aware of and might deserve a spot in my stack at a later point, but as usual it would be nice to have more research available.

A lot of supplements have been excluded from this list, including many which are very interesting. Individuals who follow nootropic or longevity communities will definitely be curious why their favorite substance may have been excluded from this page, to which my answer is mostly that there are too many substances for me to include all of them, so I did quite a bit of picking personal favorites. Even so, there are likely many substances I’d like to include, but which I haven’t yet heard about or done enough research on. Feel free to message me on Twitter if you have any great suggestions here.

More interesting and potentially unsafe substances

This section contains some brief notes and links on substances that appear to be a lot more ‘experimental’ than the above sections, but have some interesting potential. In some cases it’s impossible to find proper tests of safety, or even basic toxicity, in humans. Regardless, they’re all interesting chemicals, sometimes increasing the lifespan of organisms such as mice by large amounts. A lot of compounds have been excluded from this list as there are too many for me to list currently. The most interesting item of this list is currently rapamycin, by a large margin. Also see list of potential CRMs.

Allantoin

Allantoin is a compound present in some cosmetics, toothpaste, shampoo, lotions, and more, which has improved lifespan in C. elegans in multiple studies.

Lipid profiling of C. elegans strains administered pro-longevity drugs and drug combinations.
https://www.ncbi.nlm.nih.gov/pubmed/30351306

A network pharmacology approach reveals new candidate caloric restriction mimetics in C. elegans.

https://www.ncbi.nlm.nih.gov/pubmed/26676933

Astragalus Membranaceus

Astragalus membranaceus contains a compound called TA-65 that may activate telomerase, extending the lengths of the shortest telomeres in humans. This compound is lacking in notable research, and much of what exists is clearly for-profit.

A natural product telomerase activator as part of a health maintenance program.

https://www.ncbi.nlm.nih.gov/pubmed/20822369

Anti-Aging Implications of Astragalus Membranaceus (Huangqi): A Well-Known Chinese Tonic

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5758356/

Astragalus membranaceus: A Review of its Protection Against Inflammation and Gastrointestinal Cancers

https://www.ncbi.nlm.nih.gov/pubmed/26916911

Rapamycin

Rapamycin notably extends the lifespan of most organisms we have given it to thus far, but lacks proper research in humans aside from its use as an immunosuppressant. It’s a very popular drug to research in the area of longevity, and deserves a longer write-up than I’ve given it here; I may even start taking it in the near future.

Rapamycin and aging: When, for how long, and how much?

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4401992/

Rapamycin fed late in life extends lifespan in genetically heterogeneous mice

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2786175/

Rapamycin slows aging in mice.

https://www.ncbi.nlm.nih.gov/pubmed/22587563

Rapamycin-mediated lifespan increase in mice is dose and sex dependent and metabolically distinct from dietary restriction

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4032600/

Mice Fed Rapamycin Have an Increase in Lifespan Associated with Major Changes in the Liver Transcriptome

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3883653/

Lifespan extension and cancer prevention in HER-2/neu transgenic mice treated with low intermittent doses of rapamycin

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4026081/

Longevity, aging and rapamycin

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4207939/

Rapamycin and other longevity-promoting compounds enhance the generation of mouse induced pluripotent stem cells.

https://www.ncbi.nlm.nih.gov/pubmed/21615676

Dosing of rapamycin is critical to achieve an optimal antiangiogenic effect against cancer.

https://www.ncbi.nlm.nih.gov/pubmed/15612989

Intermittent supplementation with rapamycin as a dietary restriction mimetic

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3249447/

Rapamycin increases lifespan and inhibits spontaneous tumorigenesis in inbred female mice.

https://www.ncbi.nlm.nih.gov/pubmed/22107964

Towards natural mimetics of metformin and rapamycin.

https://www.ncbi.nlm.nih.gov/pubmed/29165314

Rifampicin

Rifampicin is an antibiotic that has improved lifespan in C. elegans.

Rifampicin reduces advanced glycation end products and activates DAF-16 to increase lifespan in Caenorhabditis elegans.

https://www.ncbi.nlm.nih.gov/pubmed/25720500

Lipid profiling of C. elegans strains administered pro-longevity drugs and drug combinations.
https://www.ncbi.nlm.nih.gov/pubmed/30351306

Selegiline (L-deprenyl)

Selegiline/L-deprenyl is a MAO-B (and sometimes MAO-A) inhibitor sometimes used to help treat Parkinson’s or depression which may be able to improve lifespan in humans.

Longevity study with low doses of selegiline/(-)-deprenyl and (2R)-1-(1-benzofuran-2-yl)-N-propylpentane-2-amine (BPAP).

https://www.ncbi.nlm.nih.gov/pubmed/27777099

The significance of selegiline/(-)-deprenyl after 50 years in research and therapy (1965-2015).

https://www.ncbi.nlm.nih.gov/pubmed/27480491

Fisetin

Fisetin is a flavonoid from plants that may be a very effective senolytic.

Fisetin is a senotherapeutic that extends health and lifespan

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6197652/

Fisetin induces Sirt1 expression while inhibiting early adipogenesis in 3T3-L1 cells.

https://www.ncbi.nlm.nih.gov/pubmed/26499075

Fisetin up-regulates the expression of adiponectin in 3T3-L1 adipocytes via the activation of silent mating type information regulation 2 homologue 1 (SIRT1)-deacetylase and peroxisome proliferator-activated receptors (PPARs).

https://www.ncbi.nlm.nih.gov/pubmed/25286082

C60 (buckminsterfullerene)

C60 is an interesting fullerene that has notably extended lifespan in some animals, but has little data on human consumption and safety.

The prolongation of the lifespan of rats by repeated oral administration of [60]fullerene.

https://www.ncbi.nlm.nih.gov/pubmed/22498298

Spermidine

Spermidine is a polyamine compound that can be found in aged cheese, soybeans, wheat germ, and human sperm. Supplementation of spermidine has extended lifespan across species, including in yeast, nematodes, flies, and mice. In humans, spermidine levels decline with aging. Take note that some of the links in this section do note a conflict of interest.

Spermidine delays aging in humans

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6128428/

Cardioprotection and lifespan extension by the natural polyamine spermidine

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5806691/

Spermidine: a physiological autophagy inducer acting as an anti-aging vitamin in humans?

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6287690/

Molecular basis of the ‘anti-aging’ effect of spermidine and other natural polyamines – a mini-review.

https://www.ncbi.nlm.nih.gov/pubmed/24481223

Benzofuranylpropylaminopentane

Benzofuranylpropylaminopentane is an unusual and understudied drug, in some ways similar to selegiline noted above. It has prolonged lifespan to a minor extent, such as 4% in mice.

Longevity study with low doses of selegiline/(-)-deprenyl and (2R)-1-(1-benzofuran-2-yl)-N-propylpentane-2-amine (BPAP).

https://www.ncbi.nlm.nih.gov/pubmed/27777099

Acarbose

Acarbose is another anti-diabetic drug that inhibits an enzyme from releasing glucose from larger carbohydrates. It can be taken at the start of a meal in order to reduce blood glucose increase.

Acarbose, 17-α-estradiol, and nordihydroguaiaretic acid extend mouse lifespan preferentially in males.

https://www.ncbi.nlm.nih.gov/pubmed/24245565

17α-estradiol

17α-estradiol is an estrogen that is significantly less feminizing (99% less so) than normal estradiol. It appears to have some neuro-protective benefits as many estrogens do, and has extended lifespan in mice.

Male lifespan extension with 17‐α estradiol is linked to a sex‐specific metabolomic response modulated by gonadal hormones in mice

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6052402/

Acarbose, 17-α-estradiol, and nordihydroguaiaretic acid extend mouse lifespan preferentially in males.

https://www.ncbi.nlm.nih.gov/pubmed/24245565

Nordihydroguaiaretic acid

Nordihydroguaiaretic acid (NDGA) has extended the lifespan of mosquitoes by 50%, and of male mice by 10%.

Dietary nordihydroguaiaretic acid increases the life span of the mosquito.

https://www.ncbi.nlm.nih.gov/pubmed/3749035

Acarbose, 17-α-estradiol, and nordihydroguaiaretic acid extend mouse lifespan preferentially in males.

https://www.ncbi.nlm.nih.gov/pubmed/24245565

If you enjoyed this post or have corrections feel free to say hi on Twitter

You (probably) don’t need ReCAPTCHA

Google’s ReCAPTCHA is often the first tool that many webmasters reach for when confronted with the need to stop spam and automated malicious traffic from harming their services. In this post I explain several reasons why ReCAPTCHA is usually not the best solution to use for this purpose, as it is often unnecessary, inconveniences users, and subjects users to intensive tracking and fingerprinting that they are not able to opt-out of. Several alternative solutions to ReCAPTCHA for various threat models are presented as well as best practices for implementing captchas in general.

The face of evil

ReCAPTCHA is harmful

ReCAPTCHA is yet another free-of-charge product offered benevolently by Google for any webmaster to implement within their own services. How does ReCAPTCHA differentiate legitimate human users from bots? ReCAPTCHA relies extensively on user fingerprinting, putting emphasis on the question of “Which human is this user?” rather than the ordinary “Is this user human?”. It’s worth noting how much easier it is to successfully solve ReCAPTCHAs when the user is logged into their Google account, thus allowing Google to associate their actions with their real identity. A similar effect is often reported for users of non-Google browsers, who notice ReCAPTCHAs take more time to complete in Firefox over Chrome. This is in-line with many other anti-competitive techniques that Google has used over the years to help grow their market share.

Although determining exactly how ReCAPTCHA works is very difficult, with Google not only heavily obfuscating its JavaScript, but also implementing an entire VM in JavaScript with its own bytecode language, there have still been many attempts to reverse-engineer some of the client-side code, as well as to theorize about how the server-side logic operates. Initial attempts at reverse-engineering ReCAPTCHA show copious amounts of information being collected, including but not limited to: plugins, user agent, IP address, screen resolution, execution times, timezone, language, click/keyboard/touch information within the frame of the captcha, test results of many browser-specific functions and CSS evaluation, information about canvas element rendering, and cookies, including those affiliated with your Google account that were placed within the last 6 months.

There is a good reason why ReCAPTCHA uses the google.com domain instead of one specific to ReCAPTCHA. This allows Google to receive any cookies that they have already set for you, effectively bypassing restrictions on setting third party cookies and allowing traffic correlation with all of Google’s other services, which most users use. ReCAPTCHA collects enough information that it could reliably de-anonymize many users that simply wish to prove that they are Not A Robot. As JavaScript is now required to even view a ReCAPTCHA, even a user running software such as TBB (Tor Browser Bundle) may find themselves giving away more information than they intend to, for example if they have resized their browser window (which is discouraged for exactly this reason).

Correspondingly, webmasters that use Google’s ReCAPTCHA on their websites must link to both Google’s Privacy and Terms pages (included in the form by default in a small 8px style that makes them appear unclickable). Although Google used to have its own privacy and terms pages for ReCAPTCHA, these links are no longer specific to ReCAPTCHA, but rather are the privacy and terms pages for all users of Google services in general, regardless of which service is being used, or if the user has (or even wants) a Google account to begin with. Therefore accepting these terms (implicitly, by attempting to prove you are Not A Robot) grants Google permission to do everything that they do to their regular users of their services to you, and little information is available as to what specifically is done (GDPR is likely to be unhelpful here, given ReCAPTCHA’s spam-stopping purpose). Not only are the unhelpful links in the ReCAPTCHA box never opened by users, but there is also no Google logo or visual reference to indicate that ReCAPTCHA is a Google service, so many users have zero indication that they have just consented to all of Google’s tracking just because they tried to leave feedback or create a ticket on your website. If you thought you could use the Internet without using Google’s services, try using the Internet without filling out a single ReCAPTCHA, which for some users is required to pay their bills, file their taxes, and sometimes even use Government websites (if you somehow manage this, next try never sending email to Gmail/Gsuite addresses or using Google APIs for a more exciting challenge). Good luck.

It is worth mentioning that caring about user privacy to this extent is likely to be outside of the scope of concern for most websites. Many websites are already so tightly coupled to Google’s services (commonly including Google analytics, Google ads, Google APIs, Google tag manager, Google static resources, Google OAuth, Google Compute Engine, and many others) that the addition of a Google captcha appears negligible. With that said, different websites have different values and different users, and many do not want to require users to agree to Google’s tracking and labor for basic usage. The level of centralization that ReCAPTCHA forces is not good for anyone except Google.

Apart from the privacy implications of ReCAPTCHA usage, the actual captcha is very tedious for many classes of users, sometimes becoming so difficult that users find themselves unable to complete the captcha at all. Users hate ReCAPTCHA. They really hate ReCAPTCHA. ReCAPTCHA is so hated that some websites have a profit model of charging users $20 annually to disable ReCAPTCHA, which thousands of users pay for. If this sounds like a great new business model to you and now you want to add ReCAPTCHAs to every page of your website to attempt to maximize profit, I will find you. And I will force you to complete a ReCAPTCHA every time you want food or water until you die from malnutrition after the first week. I have read countless posts from users that became so frustrated with a service that used excessive ReCAPTCHAs that they swore to never use the offending website again. These are often intelligent users with no disabilities who are simply tired of being treated like dirt and wasting their time. Be kind to your users and help minimize the amount of ReCAPTCHAs that they have to solve just to be allowed to use the Internet.

ReCAPTCHAs become significantly more difficult if the user attempts to ‘opt-out’ of Google’s services and tracking by using software that hinders it, such as VPNs, TBB, and many anti-tracking browser addons and modifications. To demonstrate what is meant by ‘very tedious’, below is a real-time recording of myself solving a single ReCAPTCHA using TBB:

Spambots are known to give up when forced to be patient

I got lucky and only needed to complete two challenges. Sometimes there are ten or more. Watching the above video, you might think to yourself “I knew the tor network was slow, but I didn’t know it was that slow!”. You would be correct to take note of this discrepancy. If we open up the web developer console, we can see that the HTTP requests for new captcha images only take a few hundred milliseconds. Despite this, Google’s heavily-obfuscated JavaScript intentionally delays the appearance of the new images by several seconds every time, which I’m sure has something to do with the fact that bots give up when forced to wait, probably. This is not a nice way to treat users that don’t want to perform unpaid labor and be fingerprinted by Google. Keep in mind that the above video demonstrates one of the worst possible cases of ReCAPTCHA UX (which some userscripts may improve), and that the average user has a significantly quicker experience, providing that they are not attempting to thwart any of Google’s tracking and don’t make many mistakes.

In addition to this tediousness, the actual labor that the user is performing is directly used to benefit Google. Worry not however, as Google is eager to brag about the selfless humanitarianism that you’re engaging in by choosing ReCAPTCHA, stating the following on their main ReCAPTCHA page:

“Hundreds of millions of captchas are solved by people every day. ReCAPTCHA makes positive use of this human effort by channeling the time spent solving captchas into digitizing text, annotating images, building machine learning datasets.”

This is certainly a very rosy way of convincing you to feel good about forcing your users to engage in unpaid labor that directly benefits the world’s most powerful surveillance corporation. ReCAPTCHA is free for a reason.

Lastly, ReCAPTCHA is popular. Very popular. While this brings some advantages, it also means that there are significant efforts to break ReCAPTCHA, and those efforts all potentially affect your website, with your captcha implementation being perfectly identical to a million others. As a result of this, there have been many papers published that break ReCAPTCHA over the years, generally with Google making modifications to improve their captcha afterwards. There have also been paid-for services that use human labor to solve captchas on behalf of a paying client for less than a cent each. For a modern and user-friendly example of bypassing ReCAPTCHA, see Buster. Buster is a modern browser extension (Firefox+Chrome+Opera) which helps you to solve difficult captchas by completing reCAPTCHA audio challenges for you using speech recognition.


Captchas are not always necessary

Before implementing a captcha, it’s worth considering if one is necessary to begin with. To help with evaluating this proposition, consider if your threat model is concerned over customized or uncustomized spam. Uncustomized spam is pervasive across many Internet protocols, and you will encounter it quickly after enabling HTTP, SSH, or many other protocols on a server. It is generally unintelligent, cheap to execute, and easy to block, even without captchas. Customized spam, however, is spam that has been written to specifically affect a given company, service, website, or user. As customized spam is created by an actor that is able to tailor it to your service, it is more dangerous than uncustomized spam, and more effort is required to effectively limit it.

Many developers vastly over-estimate the likelihood of customized spam. As a competent programmer, it is easy to imagine how effortlessly someone could decimate your service with spam if they were sufficiently dedicated. One could imagine a malicious actor writing a simple script that could spam or DoS your website by just using Curl and bash. Even if you have a captcha, you can imagine them using OCR or machine learning to automatically bypass it, then using proxies and VPNs to automatically bypass your IP rate-limiting. While in this imaginative trance, you’ve forgotten that 99% of users have no clue how to do any of this, and do not even know what Curl or HTTP are. Furthermore, your service likely offers very few prospective rewards to would-be competent attackers.

Just because someone could spend hours (or minutes) writing a program to spam your website does not mean that someone will. Your personal blog about the latest vegan bacon is not a high-priority target for anyone. Adding a ReCAPTCHA to your Contact Me page is just a great way to get no one to talk to you. I’ve run several websites with millions of pageviews that have received zero customized abuse and have spoken to other webmasters with similar experiences. Jeff Atwood of codinghorror.com once wrote similarly:

The comment form of my blog is protected by what I refer to as “naive captcha”, where the captcha term is the same every single time. This has to be the most ineffective captcha of all time, and yet it stops 99.9% of comment spam.

This is not a suggestion to do nothing, ignore basic security, and be unprepared for attacks, but rather to realistically consider your threat model and apply only what is necessary.


ReCAPTCHA alternatives for uncustomized spam

For uncustomized spam, a full captcha implementation is rarely necessary. This section lists some simple and effective tricks that stop most uncustomized spam from impacting your website.

Hidden form elements

Uncustomized spam is not intelligent enough to know when it should or should not fill out a form element. For example, adding a form element with a name of ‘url’ and hiding it with CSS allows you to reject any request that is made with it filled, which spambots are eager to do. To maintain accessibility be sure to add a label to this element so that users who use screen readers do not fill it out. Other good hidden form element names include ‘website’, ‘firstname’, ‘lastname’, ‘email’, and ‘name’, unless they are already being used legitimately.

Static questions

Uncustomized spambots are also so unintelligent that they do not correctly answer simple questions such as “What is 2+3?”, or “what is the name of this website?”. These questions effectively stop almost all uncustomized spam. Common software stacks such as WordPress and Drupal have free plugins that will allow you to quickly create questions like these.
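The two tricks above, the CSS-hidden honeypot field and the static question, as one server-side check. This is an added example, not code from the original post; it is framework-free Node.js, the form body is assumed to arrive as a plain object (for example from URLSearchParams), and the field names, question set and answers are my own choices.

```javascript
// Added example (not from the original post): server-side handling of a
// CSS-hidden honeypot field and a static question for a contact form.
// Assumptions: body is a plain object of submitted fields; HONEYPOT_FIELD and
// STATIC_QUESTIONS are hypothetical values chosen for this example.

// A name that form-filling bots are eager to populate. Must not be a real field.
const HONEYPOT_FIELD = 'url';

// Static questions with accepted answers. Answers are normalised before
// comparison so "five" and " 5 " both pass while junk from a bot does not.
const STATIC_QUESTIONS = {
  q1: { text: 'What is 2+3?', answers: ['5', 'five'] },
  q2: { text: 'What is the name of this website?', answers: ['example blog'] },
};

function normalise(s) {
  return String(s ?? '').trim().toLowerCase().replace(/\s+/g, ' ');
}

// Renders the form. The honeypot is hidden by moving it off-screen with CSS
// rather than using type="hidden" (which bots skip), and it gets a label,
// aria-hidden and tabindex="-1" so screen-reader and keyboard users never
// reach it. The question id travels in a hidden field so the server knows
// which answer set to check.
function renderForm(questionId) {
  const q = STATIC_QUESTIONS[questionId];
  if (!q) throw new Error(`unknown question id: ${questionId}`);
  return [
    '<form method="post" action="/contact">',
    '  <label>Message <textarea name="message"></textarea></label>',
    '  <div style="position:absolute;left:-10000px" aria-hidden="true">',
    `    <label>Leave this field empty <input name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>`,
    '  </div>',
    `  <input type="hidden" name="qid" value="${questionId}">`,
    `  <label>${q.text} <input name="answer"></label>`,
    '  <button>Send</button>',
    '</form>',
  ].join('\n');
}

// Decision for a submitted body. Returns {ok, reason} so the caller can log the
// reason (useful for spotting false positives) without revealing it to the client.
function checkSubmission(body) {
  if (normalise(body[HONEYPOT_FIELD]) !== '') {
    return { ok: false, reason: 'honeypot filled' };
  }
  const q = STATIC_QUESTIONS[body.qid];
  if (!q) return { ok: false, reason: 'unknown question id' };
  if (!q.answers.includes(normalise(body.answer))) {
    return { ok: false, reason: 'wrong answer' };
  }
  if (normalise(body.message) === '') return { ok: false, reason: 'empty message' };
  return { ok: true, reason: 'passed' };
}
```

A rejected submission should be answered with a generic error and the reason only written to the server log; telling the client which check failed only helps whoever is tuning a bot.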

Community-specific questions

If your website is community-centric such as a forum or blog, you can ask a community-specific question that prospective members of your community should know the answer to. This is a simple and great way to prevent users from joining your community that you believe shouldn’t be participating, either because they lack basic relevant knowledge, or because they are unable or unwilling to learn it. As an example, a community of mathematicians might ask the user to name a simple formula or solve an equation, given an image of it.

Effective at keeping out the arithmophobic



For another example, a community of niche media connoisseurs might ask the user to identify a certain character that they deem to be important to their shared culture.

The quality of our community members is of the utmost importance

JavaScript

Did I mention uncustomized spambots are unintelligent? Basic JavaScript is not executed or parsed by most uncustomized spambots, so using it to calculate the value of a form element is also effective. JavaScript can also be used to submit the form itself, set a CSRF token properly, or perform many other simple tasks. If your site has many users with JavaScript disabled, it is better to offer an alternative solution as well.

Third Party Services

From WordPress plugins like Akismet, spam-detection APIs like StopForumSpam, and APIs that evaluate users or IPs such as abuseIPDB, there are a lot of free (and paid) third party services to aid you in stopping spam in ways that are not visible to most of your users.


ReCAPTCHA alternatives for customized spam

If you operate at sufficient scale and/or if automated usage of your website is inherently lucrative enough, customized abuse will eventually happen for one reason or another. Remember that a captcha is just a tool to help verify that a given user is a human. It is not the only tool to help with this, and it is not the right tool for every use case. No solution is perfect or can stop a sufficiently-resourced attacker from abusing your service. This section lists some alternatives to ReCAPTCHA in roughly increasing order of complexity.


Django Simple Captcha

Django Simple Captcha offers a simple captcha for Django projects.

Django simple captcha. Yes, this actually stops many attackers

Captcha for Laravel 5

Captcha for Laravel 5 offers a customizable captcha for Laravel projects.

Captcha for Laravel 5, very customizable

CMS-Specific Captchas

Popular CMS solutions generally have at least one simple captcha plugin that is suitable for basic purposes. Here are some examples for WordPress, Drupal, and generic PHP.

Secureimage PHP captcha
Drupal match+slide captcha

Custom JavaScript functionality

Just as basic JavaScript stops most uncustomized spam, more advanced scripting can stop a lot of customized spam as well. For example, some websites require you to slide a jQuery slider element in order to successfully submit a form. There are examples of this for wordpress, jQuery (jQuery UI slider, Bootstrap slider), Prestashop, Node, and more, although these examples may not be suitable for production use and I have not tested them.

Slide to unlock

Just including true JavaScript evaluation as a requirement will raise the bar for attackers, and can be done without the user having to perform any actions. If you choose to write a lot of custom front-end code to evaluate users, be sure to do extensive user testing on every type of device and log failures so that they can be analyzed to further remove false positives.

Capy Puzzle CAPTCHA

Capy offers a simple puzzle captcha that requires the user to drag a puzzle piece into an empty slot.

All of the fun of finishing a jigsaw puzzle with none of the effort


SolveMedia

SolveMedia offers a captcha and corresponding plugins for a variety of popular software stacks, including vBulletin, WordPress, MediaWiki, Drupal, Joomla, and more. The captcha can scale its difficulty based on the threat score of a user.

he’ll come when you least expect it

If for some reason you feel the need to profit off of your captcha implementation, fear not, as there’s also a version fit for the capitalist dystopia of the near future:

Please drink verification can

Geetest

Geetest appears to use some fingerprinting, but otherwise works similarly to most puzzle captchas. Notable for being used on Binance, one of the world’s largest cryptocurrency exchanges.


This list is nowhere near exhaustive and many similar captchas have been excluded from it. If you are a software engineer, you likely think many of these captchas could be solved by software, which although correct, misses the point. Although in theory a captcha should be a perfect Turing test, in practice, they are only used to make attacking your service more difficult so that spam is no longer cost-effective. Even a perfect captcha provides no guarantee of stopping all abuse. Nonetheless, you may be surprised at how few attackers are willing to execute JavaScript or perform OCR to automatically attack your website unless you run an extremely popular service.


Captcha best practices

If you have decided that you do need a captcha, consider if it’s truly necessary to implement it in all of the locations where you want to throttle automation. Showing users fewer captchas not only provides a better UX, but also improves KPIs like conversions and user retention.

Use rate-limiting where possible

As the purpose of a captcha is to confirm that the end-user is a human, a user should generally only have to correctly solve a captcha once. If there is an action that you would like to throttle to ensure it is not performed too often by a user, consider using rate-limiting as an alternative (or in combination with) a captcha.

Use reasonable thresholds for captcha presentation

Set reasonable thresholds for actions that you want to limit with captchas. Rather than presenting a user with a captcha after a single failed login attempt, allow several attempts. Brute-forcing secure passwords in this manner is not feasible to begin with, and if credentials from a database leak are being automatically cross-validated with your service, a post-login-failure captcha won’t even help.

Stop showing captchas to users that are just trying to read content. If your blog asks me to complete a captcha just to read a single post because I’m using a super-scary VPN as a result of your CDN’s “premium military-grade bot protection” feature, I’m going to close the tab. There are sometimes cases where captchas are more reasonable for read-only actions such as stopping active application-level DDoS attacks. Your blog is not one of these cases.

Do not require repeated captcha solves

If a captcha is part of a form that may fail validation and is reloaded upon failure, do not force the user to solve another captcha if they correctly solved the first one. This prevents users having to frustratingly solve captchas several times in a row as they fix their input (for example, adhering to your revolutionary password policy that requires at least 1 non-printable character, 1 Egyptian hieroglyph, and 1 iOS-only emoji).

Intelligently use other sources of validation

Consider if you have reasonably validated that a user is likely to be a human during previous interactions with them. If a user has a confirmed email address and phone number or proper two-factor authentication, it may be unnecessary to show them a captcha. Similarly, if a user has been a paying customer for several months without issues and is attempting to make a new purchase with their existing billing information, it is also a bad time to make them fill out a captcha. I mention this only because I’ve had to do it before.
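The four practices above (rate-limit first, present a captcha only past a failure threshold, never for read-only actions, remember a solved captcha for the session, and skip it for users already verified by other means) as a single decision function. This is an added example, not the post's own code; the thresholds, the session fields and the in-memory rate limiter are my own choices, and in production that state would live in a shared store such as Redis.

```javascript
// Added example (not from the original post): decide whether a request should
// be allowed, throttled, or shown a captcha. All numbers and session field
// names are hypothetical choices for this example.

const LIMITS = {
  loginFailuresBeforeCaptcha: 5,        // "allow several attempts" first
  solvedCaptchaValidMs: 30 * 60 * 1000, // one solve covers the session for a while
  rateWindowMs: 60 * 1000,
  rateMaxPerWindow: 20,
};

// Sliding-window counter per key (IP, account, ...). In-memory here; a real
// deployment keeps this in a shared store so all app servers see the same counts.
class RateLimiter {
  constructor(windowMs, max) {
    this.windowMs = windowMs;
    this.max = max;
    this.hits = new Map();
  }
  // Records one hit and returns false once the key exceeds max within the window.
  hit(key, now = Date.now()) {
    const recent = (this.hits.get(key) || []).filter(t => now - t < this.windowMs);
    recent.push(now);
    this.hits.set(key, recent);
    return recent.length <= this.max;
  }
}

const limiter = new RateLimiter(LIMITS.rateWindowMs, LIMITS.rateMaxPerWindow);

// session: { captchaSolvedAt?, failedLogins?, user?: { emailVerified, phoneVerified,
//            twoFactor, paidMonths, hasBillingOnFile } }
// action:  'read' | 'login' | 'post' | 'purchase'
// Returns 'allow' | 'captcha' | 'throttle'.
function decide(session, action, clientKey, now = Date.now()) {
  // Rate-limiting first: a captcha is for "is this a human", not for "too often".
  if (!limiter.hit(clientKey, now)) return 'throttle';
  // Read-only actions never get a captcha.
  if (action === 'read') return 'allow';
  // Other sources of validation already establish a human.
  const u = session.user;
  if (u && ((u.emailVerified && u.phoneVerified) || u.twoFactor)) return 'allow';
  if (action === 'purchase' && u && u.paidMonths >= 3 && u.hasBillingOnFile) return 'allow';
  // A captcha solved recently in this session still counts.
  if (session.captchaSolvedAt && now - session.captchaSolvedAt < LIMITS.solvedCaptchaValidMs) {
    return 'allow';
  }
  // Login: only after several failures, not after the first typo.
  if (action === 'login' && (session.failedLogins || 0) < LIMITS.loginFailuresBeforeCaptcha) {
    return 'allow';
  }
  return 'captcha';
}

// Called from the login handler on a wrong password.
function recordLoginFailure(session) {
  session.failedLogins = (session.failedLogins || 0) + 1;
}

// Called once the user solves a captcha; a later form validation failure must
// not send them back to another captcha.
function recordCaptchaSolved(session, now = Date.now()) {
  session.captchaSolvedAt = now;
  session.failedLogins = 0;
}
```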


The future of verification

It’s important to note that a sufficiently-resourced attacker can bypass any mechanisms you have in place to some extent. When a service has a billion users (Facebook and Twitter) or otherwise provides significant incentives for abuse (anything related to cryptocurrency), difficult trade-offs must be made when attempting to verify users.

Faced with this, some services that operate at very large scales not only use ReCAPTCHA, but also perform phone and/or email verification and employ a significant amount of custom automation-detecting heuristics. Twitter is a good example of this, as new users are required to both complete a ReCAPTCHA and (usually) verify a phone number. On top of this, Twitter has entire teams dedicated to stopping abuse, and yet the platform still has issues with millions of spambots, just as Facebook does. Although requiring phone verification has unfortunate consequences for anonymity, most platforms were not intended to be used anonymously to begin with. An even greater challenge is attempting to stop spam in environments where user anonymity is desired, which I provide some examples of at the end of this section.

With the current state of machine learning, it is becoming increasingly difficult to construct a captcha that is user-friendly. Some of the most effective attacks on advanced captchas such as ReCAPTCHA have simply involved taking a given challenge and querying a machine learning API to solve it automatically. Now that we have many API services to accurately label audio, images, videos, and more, this is only becoming more powerful, just as machine learning is in general.

Despite the impossibility of a perfect captcha, articles have been written decrying that captchas are dead for more than a decade due to the increasing possibility of true negatives (software that passes as a human). Despite this, most of the Internet is not covered in spam. Intelligent software engineers make much more money working at FAANG instead of covering the Internet in unsolicited fake Viagra ads, at least for now. For a potentially poor analogy to physical security, remember that we have physical items that can break doors, windows, cameras, sensors, locks, and much more. Yet, these protections are all still essential features of a physical security system. They are often not made to be impossible to break, but rather to make an attacker’s job significantly more difficult, skewing the effort/reward ratio enough to stop most attackers.

Regardless of the forthcoming AI supremacy, the current paths that larger systems tend to favor involve validating who a specific user is rather than only attempting to validate if they are human or not. Phone verification and sometimes even picture, ID, or address verification are found among large services that have a high potential for abuse, as well as our good friend ReCAPTCHA. Verifying users while attempting to better preserve anonymity is more difficult, but those that are determined generally find clever ways to do so. Some good examples include privacy pass (protocol paper), allowing users to anonymously skip captchas if they have already solved one, Apple’s new Find My Device feature, allowing Apple devices to broadcast their location with BLE such that it can only be read by the original device’s owner, and well-known security systems such as asymmetric cryptography, cryptographic hashes, differential privacy, etc, which can often be cleverly implemented in systems to improve security and often anonymity. Some other techniques that can be used to help verify users and reduce spam include proof-of-work and micropayments, both of which have been used successfully in most popular cryptocurrencies such as Bitcoin and Ethereum for more than a decade, although they can still be difficult to implement in everyday scenarios.

If you are Twitter or Facebook, no captcha will solve all of your issues. For everyone else, there are still a lot of simple tools and heuristics that go a long way in helping to stop abuse. Be kind to your users and try your best to not force them to spend their free time completing ReCAPTCHAs for Google. They will appreciate it.


First Post

This is a new blog where I hope to semi-regularly (at least once a month) make posts about interesting topics. Please see the About page for more information.