Un-Captcha Techniques Redux

I've spent a bit of time working on alternative CAPTCHA techniques, mostly because I've found that the vast majority of CAPTCHA offerings are non-intuitive and even for people with excellent eyesight, don't always "make it" the first time around. I have pretty good vision, but I find myself constantly frustrated by stupid case-sensitive CAPTCHA requirements that I simply cannot pass the first, sometimes the second and even as many as three tries.

Webmasters and site developers are like lemmings - they seen something that somebody promotes, they copy it, they use it, but they DON'T THINK!

WTF?  All one needs to do is look at Jeff Attwood's blog and you can see that he requires the user to type in a clearly readable "ORANGE" every time - and it works perfectly! The Bots simply don't get it. It's easy to see, easy to read, and shows how UTTERLY RIDICULOUS  these various CAPTCHA images are to the user, and how they literally destroy the user experience!

One technique I pioneered was the use of an Image - to - HTML captcha that renders as HTML.


But! There could even be an easier way:

This concept is based on the fact that most spam - bots are, in a word, "dumb".

Here is the technique:

1) Add an input field to your form having some interesting name such as "url":
<input name="url" type="text" value=""/>


2) Hide the input box with a  css style element so that real (human) users cannot see it directly:
<style>
.captchaStyle {
  display: none;
}
</style>

<p class="captchaStyle"><input name="url" type="text" value=""/></p>

In your code that processes the form, check if the “url” formfield contains any value. If it does, it's a bogus post because it was a bot that  saw the field and "thought" that it was supposed  to fill it in, so you would reject it or set it up for moderation.


It works because geniune users cannot see a hidden input box on your form and therefore, they won’t fill it, while robots do  see it, assume that they need to provide a value, and fill it in.

Go figure.

Comments

  1. Anonymous9:41 PM

    And I wonder how long it'll take before the bot programmers start searching the styles to see if the element is hidden and ignore it as well.

    Measures, countermeasure, counter-countermeasure... ;)

    ReplyDelete
  2. peterbromberg5:42 AM

    When I saw how Casey Chesnut proved he could OCR a Captcha image, that's when I realized there was no "perfect" solution.

    ReplyDelete
  3. Anonymous6:00 AM

    I have other resolution. I'm using JS to hide special form input. :)

    ReplyDelete
  4. Anonymous8:39 PM

    I would think another way would just be show several random images, each with a number under them (the url for the images must also be random) then ask the user to put in the order of the images, like dog, cat, frog, car, so the user would enter the numbers under each image in the order asked, would be very difficult for a bot to figure that out.

    ReplyDelete
  5. Anonymous8:51 AM

    I'd be willing to help raise funds to cover the cost of lethal injection for any individual pompous enough to write a spam bot.

    God, please curse them!

    ReplyDelete
  6. Anonymous10:54 AM

    i tried this after i read about a honeypot captcha here when i was experiencing spam on one of my sites, but unfortunately it did not work. sometimes the bots didnt put a value in that box, sometimes they did.

    ReplyDelete
  7. Anonymous5:35 AM

    Peter, sorry don't know where to post this: I have some problems with your captcha control, the validatecaptha routine validates the captcha guid against the cache, but if the cache has expired you get a null reference exception. Could you please have a look at that?

    /Peter Strömblad
    in relation to Your captcha control from eggheadcafe

    ReplyDelete

Post a Comment

Popular posts from this blog

FIREFOX / IE Word-Wrap, Word-Break, TABLES FIX

One of the most annoying things a developer (who would normally delight in writing code, not futzing with markup) can have is getting rendering issues between different browsers. The two biggest players are of course Internet Exploder and Firefart (as I lovingly like to refer to each). In most cases that's going to take care of 98 percent of your total site traffic. IE has had a proprietary "word-break" style attribute for a long time, and this made it into the CSS 3.0 spec. But that doesn't necessarily help you with Firefox right now. Firefox literally - (and I consider this completely idiotic, since it's been in their bug database for FIVE YEARS) does not have a reliable CSS style element to force table cell content to break in the middle of a word in order to stop the content from expanding your table / div off the page or over other content on the page. Here's a partial fix, which will work for most tables and browsers. The style declaration (I call it m
Read more

Some observations on Script Callbacks, "AJAX", "ATLAS" "AHAB" and where it's all going.

I've taken a more than cursory interest in the whole Remote Scripting (.NET species) vs. AJAX and now ATLAS discussion, mostly because I started using Remote Scripting since Microsoft first released it, and because I continued to refine it after seeing Brent Ashley's excellent work with JSRS, which was one of the first "real" cross-browser solutions back in 2000 (that's the turn of the Century for you history buffs). Now Bertrand Leroy, a Microsoft guy whose work I like , has authored some very interesting ASP.NET 2.0 script callback stuff that he points to on his blog, and he is obviously (at least, to me he is) involved quite heavily in the development of this new ATLAS infrastructure that they'll preview at PDC. Leroy's most recent post brings to the surface what I agree are the major differences between the "AJAX a - la .NET" approach as popularized by Michael Swartz with his AJAX.NET library, and Leroy's RefreshPanel, the ASP.NET 2.0 b
Read more

IE7 - Vista: "Internet Explorer has stopped Working"

Image
This one was a bitch. All of a sudden for no reason at all, out of the blue, I get this dialog "internet Explorer has stopped working". I didn't install any new software, crap- I didn't do anything! So here I am using FIREFART to go on the internet and find out what to do! Damn! Good thing I've got the sucker on the same machine (I'm not "anti-Firefox", i just don't use it that much except to check my page renderings). The Fix The fix (at least for me): 1) Go into Control Panel, and choose "Internet Options". 2) Under the "Advanced" tab, press the "RESET" button at the lower right: Don't ask me why this happens, or why the fix works. That's a BUG, D00D - I don't care how you slice it!
Read more