Post #1 | Apr 25 2008, 01:36 PM | Frequent flyer, Group: Members, Member No.: 8
Hello, first post here.

I hate CAPTCHA, for lots of reasons:

1. If you incorrectly fill in the form and it reloads (server side validation) then the captcha image is regenerated, so you need to change that as well as the offending field.
2. I sometimes browse with images off.
3. My Dad can't complete captcha checks unless they are clearly readable, which many of them are not.
4. For a simple "add a comment" function, it doubles the length of the form.
5. They're ugly, and an obstacle.

So what are the alternatives - how do you create a transparent Turing test that will divide the sheep from the goats, the humans from the robots? I don't think we need anything that's necessarily 100% effective. The most important thing is that no human user will have their message or request rejected, and providing that only a few robots make it through, they can be dealt with manually.

There's the dummy field option - create an invisible (off screen or set to {display:none}) input field. Humans will not fill it in, robots will.

What about passing a hash through as a session variable? Form submits but fails invisibly if the session variable does not match the hash generated on page?

Measure the speed at which the form is filled in. A user who loads the form and then submits within 0.6 seconds is unlikely to be human.

Any more for any more? What are the problems with the methods I've mentioned, if any?

Post #2 | Apr 25 2008, 07:44 PM | Newbie, Group: Members, From: Buckinghamshire, Member No.: 11
Hi,

Not forgetting that with captchas comes the added server overhead of regenerating complex images (often full of wavy lines to conceal text from the bots) which could severely affect the performance of an application in some cases.

With regards to checking the speed of a form submission, I feel this could provide a viable solution but would require a little research. I'm personally not clear on how quick bots actually are, taking everything into account such as connection speed and data transmission. However, I'd back them to be considerably quicker than the average touchtypist.

The only simple approach I can think of to protect blogs/CMS sites is the technique of providing an additional, visible form field in which users can type an answer to a simple question (something pretty much every human can answer, but bots can't - avoid questions such as "what's 2+2"). While this does carry a certain irritation factor for the end user, it's relatively easy for developers to set up (you could keep questions and answers in a simple database table). Also, you can style the additional form field so it fits in with all other form elements.

It's a bit of an ugly compromise, and probably not bulletproof, but better than the dreaded captcha!

Post #3 | Apr 30 2008, 02:25 PM | Crew member, Group: Administrators, Member No.: 2
> The only simple approach I can think of to protect blogs/CMS sites is the technique of providing an additional, visible form field in which users can type an answer to a simple question (something pretty much every human can answer, but bots can't - avoid questions such as "what's 2+2").

Yeah, I saw something like this the other day, using three radio buttons for a very simple multiple choice question that only a human could answer. I suppose if it's multiple choice, then a robot would stand a 1 in 3 chance of getting it right, but it's less taxing to the user than having to type an answer.

@ Oblomov, if you use CSS to hide an input field, then it would be visible to users without CSS enabled, so they might fill it in, unless you didn't put a label on it, in which case it would just be confusing.

Post #4 | May 7 2008, 09:03 PM | Frequent flyer, Group: Members, Member No.: 8
Yes, I take your point about users with CSS off, vis-a-vis the off screen input field.

The additional question test is obviously effective, but for my money it's equivalent to a captcha field, yet another thing to fill in.

I had a cheap guestbook script running on a customer's site which was repeatedly getting pharmaspammed. I solved it by generating a time based hash on every page and popping it into the session variable. If the form was requested without the hash in the session (i.e. direct post request) it quietly binned the request with a "thank you for your message". Similarly if the hash generated on the form page didn't match the one in the session variable, it failed silently.

(of course I should have written the guestbook app myself and built in a captcha field)
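Putting the three server-side checks from the first post (a hidden honeypot field, a hash the form must carry back, a minimum fill time) together with the silent-fail behaviour described in post #4, as an added example that is not code from this thread or from the guestbook script mentioned in it. It differs from post #4 in one respect: instead of storing the page's hash in the session and comparing it on submit, the token is an HMAC over the session id, the issue time and a nonce, so nothing has to be stored between render and submit and the client cannot forge or backdate it. The secret, the field names, the thresholds and the session ids are assumptions for the example; `now` is a parameter only so the timing logic can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed for the example: a per-deployment secret. Load it from config in real use.
SERVER_SECRET = secrets.token_bytes(32)

MIN_FILL_SECONDS = 0.6      # the threshold floated in the first post
MAX_FILL_SECONDS = 3600.0   # tokens older than this are stale or replayed
HONEYPOT_FIELD = "website"  # hidden, label-free field a person never sees or fills
TOKEN_FIELD = "form_token"  # hidden field carrying the token back on submit


def issue_form_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint the token when the form page is rendered.

    It binds the visitor's session id to the time the form was served plus a
    nonce, and carries an HMAC so the client cannot forge or backdate it.
    Assumes session ids contain no ':' (the separator used here).
    """
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    payload = f"{session_id}:{issued}:{nonce}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def check_submission(session_id: str, form: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accept, reason). The caller shows the same 'thank you' page
    either way; the reason is for the server log, never for the client."""
    now = now if now is not None else time.time()

    # 1. Honeypot: anything in the hidden field came from a script.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"

    # 2. A direct POST without the token (or with a mangled one) is binned.
    parts = form.get(TOKEN_FIELD, "").split(":")
    if len(parts) != 4:
        return False, "missing or malformed token"
    sid, issued_s, nonce, mac = parts
    payload = f"{sid}:{issued_s}:{nonce}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad token signature"

    # 3. The token must have been issued to the session now submitting it.
    if sid != session_id:
        return False, "token/session mismatch"

    # 4. Timing: too fast is a script, too old is stale or replayed.
    elapsed = now - int(issued_s)
    if elapsed < MIN_FILL_SECONDS:
        return False, f"submitted too fast ({elapsed:.2f}s)"
    if elapsed > MAX_FILL_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: render at t=1000, a person submits 5 s later,
    # then a script replays the same token with the honeypot filled in.
    token = issue_form_token("sess-A", now=1000.0)
    print(check_submission("sess-A", {TOKEN_FIELD: token, "message": "hi"}, now=1005.0))
    print(check_submission("sess-A", {TOKEN_FIELD: token, "website": "http://x"}, now=1005.0))
```

Whatever the verdict, respond with the same "thank you for your message" page, as post #4 does, so a bot gets no feedback to learn from. A token is valid for an hour and could be replayed inside that window; to make it single-use, record accepted nonces in the session (or a short-lived store) and reject a nonce seen twice.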

Post #5 | May 19 2008, 06:51 PM | Frequent flyer, Group: Members, Member No.: 40
> Yes, I take your point about users with CSS off, vis-a-vis the off screen input field. The additional question test is obviously effective, but for my money it's equivalent to a captcha field, yet another thing to fill in. I had a cheap guestbook script running on a customer's site which was repeatedly getting pharmaspammed. I solved it by generating a time based hash on every page and popping it into the session variable. If the form was requested without the hash in the session (i.e. direct post request) it quietly binned the request with a "thank you for your message". Similarly if the hash generated on the form page didn't match the one in the session variable, it failed silently. (of course I should have written the guestbook app myself and built in a captcha field)

I agree with this topic. Also from an accessibility point of view they are pretty bad. I'm not good with the colours but there are many other reasons. My latest vbulletin software now has an alternative choice in the form of an anti spam question and answer. I also found a similar add-on http://www.codegravity.com/projects/mathguard if it's of any use to you for adding onto forms.

Post #6 | Jun 19 2008, 08:27 PM | Frequent flyer, Group: Members, Member No.: 8
> I agree with this topic. Also from an accessibility point of view they are pretty bad. I'm not good with the colours but there are many other reasons. My latest vbulletin software now has an alternative choice in the form of an anti spam question and answer. I also found a similar add-on http://www.codegravity.com/projects/mathguard if it's of any use to you for adding onto forms.

That's interesting. My ideal captcha alternative would be invisible, and not require the user to complete an extra step.

One thought I've had is an extension of an idea earlier in the thread. Would it be possible using javascript in the form to actually record the keystrokes and mouseclicks within the form and then submit that as a digest of some kind with the form data? The form processing script can then check the digest and decide whether it's a human or computer user submitting the form.

In the absence of javascript, then one of the other methods (CAPTCHA, maths, unique hash) could be substituted to allow for "elegant degradation".

Post #7 | Jun 19 2008, 09:48 PM | Administrator, Group: Administrators, From: Chesterfield, UK, Member No.: 1
Very good idea! I like the concept of JS keystrokes, then falling back on 2nd and 3rd levels that offer poorer usability, while retaining the minimum assurance required. The JS part is only 10 minutes' work.. Has it been done already?

Post #8 | Jun 19 2008, 10:03 PM | Frequent flyer, Group: Members, Member No.: 8
> Very good idea! I like the concept of JS keystrokes, then falling back on 2nd and 3rd levels that offer poorer usability, while retaining the minimum assurance required. The JS part is only 10 minutes' work.. Has it been done already?

Not to my knowledge, but then that's rather the point! Although I was rather hoping you'd have it finished by now Ben [I'm looking archly at the imaginary watch on my wrist now]

Post #9 | Jul 2 2008, 04:21 PM | Frequent flyer, Group: Members, Member No.: 40
I found another option instead of captcha which is a clever trick you might find useful if you do not mind the odd human spammer in favour of accessibility and stopping bots.
http://www.webmaster-talk.com/php-forum/12...ntact-form.html |

Post #10 | Jul 6 2008, 01:56 PM | Crew member, Group: Members, From: Scotland, Member No.: 17
> I found another option instead of captcha which is a clever trick you might find useful if you do not mind the odd human spammer in favour of accessibility and stopping bots.
> http://www.webmaster-talk.com/php-forum/12...ntact-form.html

As Dan said earlier, wouldn't this cause problems if people viewed with CSS off?

I'm just adding in a security check at the moment on a form. I've got a text input field and a question - Type out the number 3 as a word. So it will only accept the form if "three" has been entered (any combo of case will do). Do you think this is a reasonable method, and will that stop the bots?

Post #11 | Jul 7 2008, 08:41 AM | Crew member, Group: Administrators, Member No.: 2
It will stop the bots, unless they get really clever. But it's still an extra step which may frustrate the user.

Post #12 | Jul 7 2008, 11:53 AM | Crew member, Group: Members, From: Scotland, Member No.: 17
It's a pretty long form anyway so it should be alright.

Post #13 | Jul 7 2008, 06:16 PM | Member, Group: Members, Member No.: 125
Methods such as asking a predefined question (i.e. Type out the number 3 as a word) only work for so long if your website gets decent amounts of traffic. They tried this over at forums.beyondunreal.com and it worked for about two months. My guess is that some bots will notify their masters if they can't solve the form. The person answers the question, and then the bot starts spamming away. The only method that can really be effective is if the answer changes every time.

Post #14 | Jul 7 2008, 06:25 PM | Crew member, Group: Members, From: Scotland, Member No.: 17
> Methods such as asking a predefined question (i.e. Type out the number 3 as a word) only work for so long if your website gets decent amounts of traffic. They tried this over at forums.beyondunreal.com and it worked for about two months. My guess is that some bots will notify their masters if they can't solve the form. The person answers the question, and then the bot starts spamming away. The only method that can really be effective is if the answer changes every time.

Yeah, true, a random question selection from a large group of human-only filter questions would be best. Maybe this could be an idea for a web service (if someone hasn't thought of this already).
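A question-and-answer check along the lines of post #10 (type a number as a word, any combination of case accepted) that also meets post #13's condition that the answer changes every time, and post #14's idea of drawing from a pool: an added example, not the code of any site or add-on named in the thread. Two templates are filled with fresh random values on every render, the expected answer is kept server-side under a random challenge id (only the id and the prompt go to the browser), and a challenge is consumed on first use. The word lists and the `seed` parameter are assumptions for the example.

```python
import hmac
import random
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed word lists for the example; a real deployment would use larger ones.
NUMBER_WORDS = ["zero", "one", "two", "three", "four", "five", "six",
                "seven", "eight", "nine", "ten", "eleven", "twelve"]
FRUITS = ["apple", "banana", "pear", "plum", "cherry", "grape"]
NON_FRUITS = ["hammer", "window", "carpet", "pencil", "bucket", "ladder"]

# challenge id -> expected normalised answer. Server side only: in a real app
# this lives in the session or a short-lived store, never in the form itself.
PENDING_ANSWERS: Dict[str, str] = {}


def normalise(answer: str) -> str:
    """Lower-case, collapse whitespace and drop trailing punctuation so that
    'Three', ' three ' and 'three.' all compare equal."""
    return re.sub(r"\s+", " ", answer.strip().lower()).rstrip(".!?")


def issue_challenge(seed: Optional[int] = None) -> Tuple[str, str]:
    """Pick a template, fill it with fresh random values, remember the answer.

    Returns (challenge_id, prompt). `seed` exists only so the example can be
    exercised deterministically; leave it None in real use.
    """
    rng = random.Random(seed)
    if rng.random() < 0.5:
        n = rng.randrange(len(NUMBER_WORDS))
        prompt = f"Type out the number {n} as a word."
        answer = NUMBER_WORDS[n]
    else:
        answer = rng.choice(FRUITS)
        options = rng.sample(NON_FRUITS, 2) + [answer]
        rng.shuffle(options)
        prompt = f"Which of these is a fruit: {', '.join(options)}?"
    challenge_id = secrets.token_urlsafe(16)
    PENDING_ANSWERS[challenge_id] = normalise(answer)
    return challenge_id, prompt


def verify_answer(challenge_id: str, answer: str) -> bool:
    """One-shot check. The challenge is removed whether or not the answer is
    right, so a bot cannot keep guessing against the same prompt, and an
    unknown or already-used id fails closed."""
    expected = PENDING_ANSWERS.pop(challenge_id, None)
    if expected is None:
        return False
    return hmac.compare_digest(normalise(answer).encode(), expected.encode())


if __name__ == "__main__":
    cid, prompt = issue_challenge()
    print(prompt)
    answer = PENDING_ANSWERS[cid]   # a real visitor types this; read back here for the demo
    print("accepted:", verify_answer(cid, answer.title() + "."))
```

Normalising before the comparison is what makes "Three", "three" and "three." all acceptable, the behaviour post #10 asks for; the constant-time comparison is cheap habit rather than a necessity for a word this short. Post #16's objection still applies in part: the templates and word lists are finite, and a bot author who bothers to read the prompts can script them, so this belongs as a second-level test rather than as the only defence.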

Post #15 | Jul 7 2008, 08:09 PM | Administrator, Group: Administrators, From: Chesterfield, UK, Member No.: 1
Ooh, that is interesting. Even simpler, you could call in a piece of Javascript code that inserts the random question and interacts with the form at submit-time to allow/disallow. I like the idea of using the crowd to work out the most effective questions, but you'll always need to avoid locale-specific questions. (Some of our friends in the US can easily fall into the trap of thinking that everyone uses American English and sees US culture and politics as global culture and politics.)

Post #16 | Jul 7 2008, 09:51 PM | Member, Group: Members, Member No.: 125
> Yeah, true, a random question selection from a large group of human-only filter questions would be best. Maybe this could be an idea for a web service (if someone hasn't thought of this already).

It could never work as a web service. The issue is that in such a system there is a limited set of questions/answers. It wouldn't be very difficult to create a bot that knew all the answers. If it was a service it would be more than worth it to bot authors to build functionality for that particular system. You have to make your system completely random. Hence why captcha works so well.

Besides, once you go through that much effort I would also ask how it's any better than a well formed captcha. Assuming that our captcha is good enough that people don't have a hard time reading it, how is answering a question any better than copying text from an image? I don't think the problem is captcha, but crappy captcha.

Post #17 | Jul 7 2008, 11:37 PM | Frequent flyer, Group: Members, Member No.: 8
> Besides, once you go through that much effort I would also ask how it's any better than a well formed captcha. Assuming that our captcha is good enough that people don't have a hard time reading it, how is answering a question any better than copying text from an image? I don't think the problem is captcha, but crappy captcha.

I still think there is a way of doing it without having captcha at all - which I believe would be infinitely better for reasons I outlined in the OP. Captcha just screams "kludge" at me, which is the other reason I dislike it. It's a really vulgar solution to the problem of spambots.

I think the key to differentiating between spam and ham on a web form is to rely on aggregating existing information, not testing the vision of the operator or asking them banal questions. Ideally all of this would be done server side so no css/js scripts would be necessary..hmm..goes off to tinker...

Post #18 | Jul 8 2008, 09:19 AM | Administrator, Group: Administrators, From: Chesterfield, UK, Member No.: 1
What about using a JS-based test as layer one?

It could detect things like mouse events & keystrokes, or even record the time signature of the form entry! If the input signature is humanoid, we don't have to bother with captcha at all. If not, maybe reveal a captcha 2nd-level test...

Still tinkering Oblomov?
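A server-side scorer for the keystroke-timing idea raised in post #6 and again in post #18, as an added example: it is not code from the thread, and nothing in the thread was implemented. It assumes the page's JavaScript records `keydown` and `mousemove` events as (type, milliseconds) pairs and posts them in a hidden field alongside the message; the traces embedded here are constructed, not captured from real browsers. Returning "fallback" is the "elegant degradation" from post #6: when there is no usable trace, the caller shows the second-level test (question or CAPTCHA) instead of rejecting the submission.

```python
import statistics
from typing import List, Tuple

Event = Tuple[str, int]  # (event type, milliseconds since the form got focus)

MIN_KEYS_FOR_JUDGEMENT = 8  # fewer keystrokes than this is not enough signal either way
MIN_MS_PER_KEY = 40         # an average gap below this is beyond any typist
MIN_INTERVAL_CV = 0.15      # coefficient of variation; people never type like a metronome


def classify_trace(events: List[Event]) -> str:
    """Classify a posted interaction trace as 'human', 'bot' or 'fallback'.

    'fallback' means the trace gives no usable signal (no JavaScript ran, the
    text was pasted, too few events), so the caller should show the
    second-level test rather than reject.
    """
    key_times = sorted(t for kind, t in events if kind == "keydown")
    if len(key_times) < MIN_KEYS_FOR_JUDGEMENT:
        return "fallback"

    intervals = [b - a for a, b in zip(key_times, key_times[1:])]

    # Signal 1: raw speed. An average gap under MIN_MS_PER_KEY (including every
    # key stamped with the same time) is a script firing synthetic events.
    if statistics.mean(intervals) < MIN_MS_PER_KEY:
        return "bot"

    # Signal 2: rhythm. Scripted events arrive at (near) constant spacing while
    # human inter-key gaps vary widely; the coefficient of variation
    # (stdev / mean) separates the two regardless of absolute speed.
    cv = statistics.pstdev(intervals) / statistics.mean(intervals)
    if cv < MIN_INTERVAL_CV:
        return "bot"

    return "human"


# Constructed traces (not captured from real browsers) to exercise the scorer.
HUMAN_TRACE: List[Event] = [("mousemove", 120), ("mousemove", 340)] + [
    ("keydown", t) for t in (900, 1080, 1210, 1420, 1540, 1805, 1910, 2130, 2300, 2370)
]
METRONOME_TRACE: List[Event] = [("keydown", 50 * i) for i in range(12)]  # 50 ms, perfectly regular
INSTANT_TRACE: List[Event] = [("keydown", 3) for _ in range(12)]         # whole field set at once
NO_JS_TRACE: List[Event] = []                                            # nothing recorded


if __name__ == "__main__":
    for name, trace in [("human", HUMAN_TRACE), ("metronome", METRONOME_TRACE),
                        ("instant", INSTANT_TRACE), ("no-js", NO_JS_TRACE)]:
        print(f"{name:10s} -> {classify_trace(trace)}")
```

The trace is produced by the client, so, as post #19 goes on to say, it is only as good as the bot author's ignorance of the format: a bot that learns what is measured can synthesise jittered timestamps. Treat "human" as permission to skip the visible test, not as proof; keep the thresholds out of client-visible code; and bind the trace to the form's own token so a recorded human trace cannot be replayed against another submission.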

Post #19 | Jul 8 2008, 02:51 PM | Member, Group: Members, Member No.: 125
I think that looking for mouse movements and keystrokes is a good idea. I would recommend finding some way to conceal what you are doing. Simply detecting a keystroke or mouse movement would be enough, but if the bot authors knew how it was working it wouldn't be hard to bypass it. However, if it's just your website, and you don't advertise how it works, they are likely to never even bother finding out how to crack it.

Post #20 | Jul 8 2008, 03:23 PM | Frequent flyer, Group: Members, Member No.: 40
> I think that looking for mouse movements and keystrokes is a good idea. I would recommend finding some way to conceal what you are doing. Simply detecting a keystroke or mouse movement would be enough, but if the bot authors knew how it was working it wouldn't be hard to bypass it. However, if it's just your website, and you don't advertise how it works, they are likely to never even bother finding out how to crack it.

I expect a lot of you have seen or heard of this Secure Contact form by Mike Cherim. It only has one anti spam question but after putting it on one of my sites the spam dropped right off so I donated to the project. Accessibility is top notch as well as the spam blocking features.