CAPTCHA Alternatives

You have probably encountered a CAPTCHA test when registering as a user on a website. The CAPTCHA test shows a distorted word or phrase that supposedly only a human would be able to read, and asks the user to type the words shown in the image, thus helping to ensure malicious computer programs cannot adversely affect user registration.

Does this look familiar?

[Image: captcha01]

But is CAPTCHA the best solution to the problem?

Adding a CAPTCHA test to the registration page has been known to frustrate and annoy users. Users who have to repeatedly refresh the CAPTCHA test to get a readable phrase will consider logging in to be time consuming and will be less likely to register with and use the website.

Also, CAPTCHA can have a significant impact on the ease of the user experience. Many browsers provide utilities to auto-fill username/password forms, and all of these utilities are rendered useless if you add a CAPTCHA, which adds an extra frustrating step to the login process.

In addition, CAPTCHA does not actually provide any real form of security to its host site; it just verifies that the user is a human being. Brute force attacks on a website can involve the use of “spambots,” or pieces of computer code that repeatedly send dummy data to the page in order to breach the security measures installed.

But if one wants to prevent brute force attacks, then other forms of protection would be more useful than CAPTCHA. Throttling requests if there are too many, or banning IPs if they enter wrong passwords too many times, for instance, would be more effective security measures.

Click here to read more about the issues with Captcha

If there are problems with CAPTCHA, what registration security measures would be better?

 

An alternative – Dipping into the Honeypot 

Many sites have been using Honeypot, a good alternative to CAPTCHA. Instead of presenting the user with a CAPTCHA prompt, a host site can use CSS to present an invisible field with a common form name like “email” or “username”. When a spambot comes to a registration form, it fills out every input field and ignores the CSS. A human user won’t see the field, but spambots will be attracted to it, like bees to honey, and attempt to fill it in. If the field is populated, it is clear that a spambot is trying to register, and the host site can be coded to handle the situation.

Implementing the Honeypot technique can add security to your website without annoying users the way CAPTCHA does.
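
A minimal sketch of the honeypot check described above, as an added example that is not code from the original post. It assumes the decoy input is named `email` and hidden with CSS while the real address is collected under the assumed name `contact`; the form markup, function name and sample request bodies are constructed for illustration.

```python
from urllib.parse import parse_qs

HONEYPOT_FIELD = "email"      # decoy: common name that form-filling bots target
REAL_EMAIL_FIELD = "contact"  # assumed name for the real address field

# Form served to visitors. The decoy is moved off-screen with CSS and kept out
# of the tab order; autocomplete="off" asks browsers not to autofill it.
FORM_HTML = """\
<style>.hp { position: absolute; left: -9999px; }</style>
<form method="post" action="/register">
  <label>Username <input name="username" required></label>
  <label>Email <input name="contact" type="email" required></label>
  <label>Password <input name="password" type="password" required></label>
  <div class="hp" aria-hidden="true">
    <label>Leave this empty <input name="email" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Register</button>
</form>
"""

def check_registration(body: str) -> tuple[bool, str]:
    """Classify a urlencoded registration POST body as (accepted, reason)."""
    fields = parse_qs(body, keep_blank_values=True)
    decoy = fields.get(HONEYPOT_FIELD)
    # A browser submits the hidden input as an empty string, so a request
    # without it did not come from the served form (design choice: reject).
    if decoy is None:
        return False, "honeypot field missing"
    # Any non-blank value means something filled a field no human could see.
    if any(value.strip() for value in decoy):
        return False, "honeypot field populated"
    for name in ("username", REAL_EMAIL_FIELD, "password"):
        if not fields.get(name, [""])[0].strip():
            return False, f"missing {name}"
    return True, "ok"

# Constructed sample request bodies (not captured traffic).
HUMAN = "username=ana&contact=ana%40example.org&password=correct-horse&email="
BOT = "username=x1&contact=x1%40example.org&password=x1&email=x1%40example.org"

if __name__ == "__main__":
    for label, body in (("human", HUMAN), ("bot", BOT)):
        print(label, check_registration(body))
```

A common way to handle a rejected request is to log it and return the same generic response a successful registration would get, so the sender learns nothing about which field gave it away.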

Learn more about Honeypot security here 

 

And check out Smartfile’s blog on Captcha and Honeypot


One Comment

  1. I agree and thanks for the mention. Honeypots work better than captcha for signups, logins, and comments.

    The problem that still baffles me, though, is trackbacks. In the case of this article a trackback says, “Hey this site legitimately mentioned you.” I want to get trackbacks like this one. You guys rock.

    Trackbacks are designed for software to notify you of things like this. In other words, they are meant for bots. I’m still trying to work out how to stop the bad bots from posting spam trackbacks. I don’t want to just disable trackbacks because I want the legitimate trackbacks. Anyone have any thoughts or comments on this?
