CAPTCHA, that notoriously annoying combination of numbers and letters, is getting harder and more annoying. CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) is a necessary evil, but the lesser of two evils, for any web site owner who has some kind of HTML form on their web site, where HTML form data is saved to a database, flat file, or sent via email. The bigger evil I am talking about is receiving spambot data from these forms. So, CAPTCHA seems like a good alternative, even though your visitors don’t like filling them out.
A lot of my web site visitors ask me to remove these images, and I professionally decline, explaining why. Here’s the real prevalent problem: While we web developers and graphic designers attempt to make it harder for spambots to read these things, we seem to make it just a bit more difficult for human beings to read them as well, which defeats the entire purpose of having any HTML form at all. So, the spambots win and we constantly seem to lose. Unfortunately, as long as we have spambots filling out forms, we must have CAPTCHA until a better trend comes along.
In this podcast, I will tell you about some of the cool tricks web designers are using to make CAPTCHA easier or, better yet, alternatives to deter the spambots. We will also talk about the security exploits of CAPTCHA no matter what web development language (I use PHP and ASP.NET/C#/VB.NET on my sites) you are using. We also talk about some technologies that may help CAPTCHA development, like AJAX.
Tags: captcha web development ajax html Turing spam php .net
December 14, 2008 at 5:13 am
Hey Bruce, first, I need to ask, was there a podcast MP3 file that goes with this post? I’d be interested in hearing it but I don’t see a link.
Second, I agree that CAPTCHA is a necessary evil, and one that as a podcaster and blogger I don’t think is going to be replaced anytime soon. I have run forums and sites where I’ve had to lock down comments because they get overrun with spambots. But I’ve slowly integrated CAPTCHA systems into all of them in order to open them back up. Comments still have to go through spam filters and moderators, but I find fewer problems since doing this.
I would like to know what you think is the best combination for a CAPTCHA image. Also, do you think there is merit to those systems that use math or question and answers to provide that Human test versus reading an image?
Thanks,
Dan
January 23, 2009 at 9:35 pm
Hey Dan, you asked all good questions. I don’t like the math equations, because spambots can also do math and better than people. Asking someone what 2+2 equals is not a smart move because spambots can also calculate. Most web designers, I suppose, are just not computer programmers. So, I think CAPTCHA is better. What combination works best? How about numbers, uppercase letters, and lowercase letters, and at least one punctuation mark like S7e@9!q
Also, CAPTCHAs should be 7 characters long, which is not too annoying for people. 5 is just too easy for a spambot.
March 18, 2009 at 6:04 am
You can eliminate 99% of spambots simply by:
1. Create a JavaScript function that changes a hidden field using math.
2. Have the server side script verify the hidden field value.
3. If the value matches, then it works.
This technique won’t be useful if your site is specifically targeted. It will only prevent the random spambots that hit as many sites as possible.
The captcha should only be used if you are being targeted, or if you are a very popular site. There is no need for a small site to annoy their users with a captcha.
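The three steps in the comment above, sketched as an added example (not code from the post or its commenters). The server signs the operands it puts in the form so the check needs no session state; the function names, the formula `a * b + a`, the demo secret and the 10-minute window are all assumptions made for illustration.

```javascript
// Added example: hidden-field math check with a server-signed challenge (Node.js).
const { createHmac, randomInt, timingSafeEqual } = require("crypto");

const SECRET = "constructed-demo-secret"; // assumption: real deployments load this from server config
const MAX_AGE_MS = 10 * 60 * 1000;        // assumption: the form must come back within 10 minutes

// HMAC over the operands and issue time, so the client cannot swap in its own values.
function sign(a, b, issuedAt) {
  return createHmac("sha256", SECRET).update(`${a}:${b}:${issuedAt}`).digest("hex");
}

// Server, when rendering the form: these four values go into hidden inputs.
function issueChallenge(now = Date.now()) {
  const a = randomInt(1, 1000), b = randomInt(1, 1000);
  return { a, b, issuedAt: now, token: sign(a, b, now) };
}

// Browser side (step 1): the page's script fills the hidden "answer" field.
// A bot that posts the form without running JavaScript leaves it empty.
function clientAnswer(challenge) {
  return String(challenge.a * challenge.b + challenge.a);
}

// Server, on POST (steps 2 and 3): check integrity, freshness, then the math.
function verifySubmission(fields, now = Date.now()) {
  const a = Number(fields.a), b = Number(fields.b), issuedAt = Number(fields.issuedAt);
  if (![a, b, issuedAt].every(Number.isSafeInteger)) return "malformed";
  const expected = Buffer.from(sign(a, b, issuedAt));
  const got = Buffer.from(String(fields.token || ""));
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  if (got.length !== expected.length || !timingSafeEqual(got, expected)) return "bad-token";
  if (issuedAt > now || now - issuedAt > MAX_AGE_MS) return "expired";
  if (String(fields.answer || "") !== String(a * b + a)) return "wrong-answer";
  return "ok";
}
```

The expiry bounds how long a captured set of field values stays valid; as the comment says, this filters scripts that never execute the page, not a client written for this specific form.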
March 18, 2009 at 6:06 am
I would like to add, that I am colorblind and I can’t read half of the captchas that are displayed to me. This is extremely frustrating on a work computer without speakers.