Captcha Alternatives
May 19
To start out, a Captcha is a simple test that is used on many web forms to check whether the response is generated by a computer. "CAPTCHA" is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart". Commonly, a Captcha requires the user to type in letters or numbers from a distorted image that is presented.
The reason I am talking about CAPTCHA alternatives is that:
- CAPTCHAs can't be used by everyone, such as those with impaired vision or graphics disabled.
- They slow down the registration process.
- Due to increased computing power, captchas are getting easier for computers to crack. To stay ahead of this curve, we keep making captchas harder, which also makes it increasingly difficult for the end user to input the correct value.
- Captchas put the responsibility on the user, when it could be handled on a level that is invisible to the user.
- Due to the extra steps, CAPTCHAs can lead to fewer real registrations.
So, what are our alternatives?
After doing a little research on CAPTCHAs, here are some of my favorite CAPTCHA alternatives:
- Time how long it takes to submit the form - This accounts for typical human behavior. Users will take a little bit of time to complete a form, but bots will be almost instantaneous. In the form, generate a hidden field that holds an encrypted version of the time the page was loaded, and check it on submit to make sure the user took at least the minimum amount of time or that the submission falls into a certain time window. The major plus here is that this is a server-side solution and doesn't rely on client-side technology.
- Bait the bots with a Honeypot - Spambots tend to fill in every field of a form so they have a better chance at passing the basic validation. The bait (aka honeypot) is an empty field that is set to "display:none;", so if there is anything in it, we can assume it's a bot. To account for users who have CSS disabled or aren't using your stylesheet, make sure to label the field something like "Leave this field blank".
- Log Everything - Keep a log of everything that occurs during a form submission. This will be invaluable when spotting additional hacking attempts and coming up with a solution. Remember to be careful with this, because if you are saving it to a table instead of a flat file, someone trying to hack your site could get something here.
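The timing check and the honeypot can share one server-side routine. The sketch below is an added example, not code from the original post: it signs the page-load time with an HMAC instead of encrypting it (the server only needs to know the value was not edited), and the field names, secret and thresholds are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: a per-deployment secret loaded from configuration (placeholder value).
SECRET_KEY = b"replace-with-a-random-server-side-secret"
MIN_SECONDS = 3             # assumed: anything faster is treated as automated
MAX_SECONDS = 60 * 60       # assumed: older tokens are rejected
HONEYPOT_FIELD = "website"  # hypothetical name of the hidden "leave blank" field
TOKEN_FIELD = "form_token"  # hypothetical name of the hidden timestamp field


def _sign(timestamp: str) -> str:
    return hmac.new(SECRET_KEY, timestamp.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Value for the hidden field, generated when the form page is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form: dict, now=None) -> str:
    """Return 'ok', or the reason the submission was rejected (worth logging)."""
    now = time.time() if now is None else now
    # Honeypot: a human never sees this field, so any content marks a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot_filled"
    ts, sep, sig = form.get(TOKEN_FIELD, "").partition(".")
    # Constant-time comparison; a missing or edited token fails here,
    # so int(ts) below only ever sees a timestamp this server issued.
    if not sep or not hmac.compare_digest(_sign(ts).encode(), sig.encode()):
        return "bad_token"
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return "too_fast"
    if elapsed > MAX_SECONDS:
        return "expired"
    return "ok"
```

A token stays valid for the whole time window, so a bot that waits a few seconds, or reuses a token it fetched earlier, still passes the timing check.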
How do other people feel about CAPTCHAs? What other Captcha alternatives do people use?
'Til next time, Bridget
Team Ravenglass