Un-Captcha Techniques Redux

I've spent a bit of time working on alternative CAPTCHA techniques, mostly because I've found that the vast majority of CAPTCHA offerings are non-intuitive and even for people with excellent eyesight, don't always "make it" the first time around. I have pretty good vision, but I find myself constantly frustrated by stupid case-sensitive CAPTCHA requirements that I simply cannot pass the first, sometimes the second and even as many as three tries.

Webmasters and site developers are like lemmings - they seen something that somebody promotes, they copy it, they use it, but they DON'T THINK!

WTF?  All one needs to do is look at Jeff Attwood's blog and you can see that he requires the user to type in a clearly readable "ORANGE" every time - and it works perfectly! The Bots simply don't get it. It's easy to see, easy to read, and shows how UTTERLY RIDICULOUS  these various CAPTCHA images are to the user, and how they literally destroy the user experience!

One technique I pioneered was the use of an Image - to - HTML captcha that renders as HTML.


But! There could even be an easier way:

This concept is based on the fact that most spam - bots are, in a word, "dumb".

Here is the technique:

1) Add an input field to your form having some interesting name such as "url":
<input name="url" type="text" value=""/>


2) Hide the input box with a  css style element so that real (human) users cannot see it directly:
<style>
.captchaStyle {
  display: none;
}
</style>

<p class="captchaStyle"><input name="url" type="text" value=""/></p>

In your code that processes the form, check if the “url” formfield contains any value. If it does, it's a bogus post because it was a bot that  saw the field and "thought" that it was supposed  to fill it in, so you would reject it or set it up for moderation.


It works because geniune users cannot see a hidden input box on your form and therefore, they won’t fill it, while robots do  see it, assume that they need to provide a value, and fill it in.

Go figure.

Comments

  1. Anonymous9:41 PM

    And I wonder how long it'll take before the bot programmers start searching the styles to see if the element is hidden and ignore it as well.

    Measures, countermeasure, counter-countermeasure... ;)

    ReplyDelete
  2. When I saw how Casey Chesnut proved he could OCR a Captcha image, that's when I realized there was no "perfect" solution.

    ReplyDelete
  3. Anonymous6:00 AM

    I have other resolution. I'm using JS to hide special form input. :)

    ReplyDelete
  4. Anonymous8:39 PM

    I would think another way would just be show several random images, each with a number under them (the url for the images must also be random) then ask the user to put in the order of the images, like dog, cat, frog, car, so the user would enter the numbers under each image in the order asked, would be very difficult for a bot to figure that out.

    ReplyDelete
  5. Anonymous8:51 AM

    I'd be willing to help raise funds to cover the cost of lethal injection for any individual pompous enough to write a spam bot.

    God, please curse them!

    ReplyDelete
  6. Anonymous10:54 AM

    i tried this after i read about a honeypot captcha here when i was experiencing spam on one of my sites, but unfortunately it did not work. sometimes the bots didnt put a value in that box, sometimes they did.

    ReplyDelete
  7. Anonymous5:35 AM

    Peter, sorry don't know where to post this: I have some problems with your captcha control, the validatecaptha routine validates the captcha guid against the cache, but if the cache has expired you get a null reference exception. Could you please have a look at that?

    /Peter Strömblad
    in relation to Your captcha control from eggheadcafe

    ReplyDelete

Post a Comment

Popular posts from this blog

ASP.NET: Loss of Session / Cookies with Frames

FIREFOX / IE Word-Wrap, Word-Break, TABLES FIX