9

What type of captcha would you recommend? I am looking mainly at usability, ease of use (development too), and relative security.

Usability

I find that those captchas with very curly words/numbers are sometimes too unreadable. What I start to see in many applications are simple calculations like "What's 5 + 15". Seems simple, but that should be easily crackable by bots, I'd expect?

Security

I am not working on a very secure app, you know, just general web apps like project management, forums etc. type apps. So I don't require hard core security, which I think will be overkill and just mess up the code. I prefer something minimalistic & easy to use.

I read about the honeypot method too, where I have an input that's hidden by CSS. The theory is that bots will fill up all fields. How true is that? That is simple to implement and least intrusive; the user does not need to do anything. Does it mean that I can just have that without a captcha?

5 Answers

5

There is no 100% secure protection.

All captchas can be cracked. Did you know for instance that there are firms in India which specialize in offering manforce to crack captchas?

There are also tricks like embedding your captchas as frames into other pages which invite their users to solve it to get access to interesting pictures.

I suggest you relax and make it simple. Try the following options one by one.

  1. Integrate with Akismet service
  2. Change the POST URL for your pages to something different. Bots will usually post to the same page URL, and if you don't accept such submissions it will keep bots out.
  3. Add a honeypot solution
  4. If 1, 2, 3 fail, add a captcha
  • Do you have a source for "... Did you know for instance that there are firms in India which specialize in offering manforce to crack captchas?.." I am very much interested in knowing the company names – Gopi Dec 23 '10 at 13:36
  • 3
    Do you want to apply there? :) –  Dec 23 '10 at 13:43
  • 1
    Aside from the manpower solution, there's the fact that image recognition and OCR is very good nowadays, and it's hard to reliably get one that humans can answer and bots can't. – David Thornley Dec 23 '10 at 19:01
  • Citation for "change the post URL"? That doesn't sound like an effective strategy at all. – Mark E. Haase Jul 30 '13 at 13:58
5

As you said, the honeypot captcha is a good option, it's invisible to users and works in a lot of cases.

Another very good option is reCaptcha which is almost always easy enough to read.

  • reCaptcha is not easy enough. I often refresh 5-6 times before I get something readable. –  Dec 23 '10 at 13:15
  • @Developer Art, really? I think I've only refreshed a reCaptcha once or twice ...ever. –  Dec 23 '10 at 13:27
  • reCaptcha has two words, one which is unknown by the system and one which is already known. The unknown word can be anywhere in the range of quite understandable to complete garbage, while the known word is usually very easily readable. The system can only check if you got the known word right, of course. Therefore: just try and get the more readable word right. That should save you some refreshes. And don't worry about spacing or accents, whether *é* is typed *é* or *è* or *e* doesn't matter. –  Dec 23 '10 at 13:31
  • +1, reCaptcha is probably the easiest and best solution. –  Dec 23 '10 at 16:08
  • I guess just honeypot will be good enough? I am curious though as to why bots don't fill up select fields only. I guess for most forms there's validation, so if they fill them with rubbish, validation will keep them out without a need for anti-bot mechanisms? –  Dec 24 '10 at 02:55
  • reCAPTCHA is the worst. The queries are frequently impossible, usually really hard, and only occasionally reasonable. If you have reCAPTCHA on your site, you are losing people because of it. http://markhaase.com/2012/08/30/recaptcha-is-a-blight/ – Mark E. Haase Jul 30 '13 at 13:59
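The server-side half of the honeypot approach discussed in the question and in the two answers above, as an added example (not code from any of the posters). The decoy field name `website`, the `/comment` action and the sample request bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

HONEYPOT_FIELD = "website"  # assumed decoy name; any plausible-looking name works

# Form markup (constructed). The decoy is hidden with CSS rather than
# type="hidden", and kept out of tab order, autofill and screen readers
# so real users never fill it in.
FORM_HTML = """
<form method="post" action="/comment">
  <input name="author">
  <textarea name="body"></textarea>
  <div style="position:absolute; left:-9999px" aria-hidden="true">
    <input name="website" tabindex="-1" autocomplete="off">
  </div>
  <button>Post</button>
</form>
"""


def classify_submission(raw_body: str) -> str:
    """Return 'accept', 'reject-filled' or 'reject-missing' for a POST body."""
    # keep_blank_values=True matters: by default parse_qs drops empty
    # fields, which would make a human's empty decoy look like a missing one.
    fields = parse_qs(raw_body, keep_blank_values=True)
    values = fields.get(HONEYPOT_FIELD)
    if values is None:
        # A browser that rendered the form always sends the text input,
        # even when empty; absence means the form was never loaded.
        return "reject-missing"
    if any(v.strip() for v in values):
        return "reject-filled"
    return "accept"


# Constructed sample request bodies.
HUMAN = "author=Ann&body=Nice+post&website="
FILL_ALL_BOT = "author=x&body=buy+pills&website=http%3A%2F%2Fspam.example"
NO_FORM_BOT = "author=x&body=buy+pills"

if __name__ == "__main__":
    for name, body in [("human", HUMAN), ("fill-all bot", FILL_ALL_BOT),
                       ("no-form bot", NO_FORM_BOT)]:
        print(f"{name:13} -> {classify_submission(body)}")
```

Rejected submissions are best answered with the same response a successful post gets, so the check gives the sender no signal to adapt to.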
3

Something like this:

Captcha humor

  • 1
    Is this now used on math.stackexchange.com or what? "Prove that you're worthy!" :-) –  Dec 23 '10 at 13:36
  • Aside from the obvious problem that most people will not be able to solve it, there's the less obvious problem that there's probably a fairly small number of these, and the answers can be precalculated and entered automatically. – David Thornley Dec 23 '10 at 18:59
  • haha ... maybe that will be for entry to phd maths class? –  Dec 24 '10 at 02:43
  • Just for the sake of curiosity: ln(2). may i pass? –  Jul 07 '11 at 10:25
0

I've had very good results simply asking a question on the registration form that visitors in your domain can all answer, but someone outside the domain can't. For example, 'what's the name of the head coach of last year's league champions?', or 'what's the last name of the author of [some popular book]?', or 'what's the nickname for the company's cafeteria?'. Bots can't break those, and non-English (or whatever language you are using) speakers generally can't translate them well enough or aren't familiar enough with the context to be able to answer them.

This of course assumes there is some binding element (employer, hobby, interests) that all your visitors share.

Generally speaking, if these are home grown apps you won't likely get a lot of attention from spammers unless your site is really big, as they'll go after the more common packages since there's more of them (and thus a better payoff to writing a script to automate logins).

GrandmasterB
0

A picture based CAPTCHA system, if one wants to use one, would be my preference. What I dislike about many CAPTCHAs out there is that, for someone like me who has a hard time seeing/reading things with little contrast between colors, I end up either refreshing until I get something I can read or taking a guess. And no, my eyesight is fine vision wise, purely a thing with contrast. I even find some web pages almost impossible to read because the designer didn't know how to pick good background/foreground colors for readability and went with "cool looking" instead.

Wayne In Yak