wow, neat idea!!
Quote:
The best CAPTCHA I can think of to use on a form would be one that puts the time the form displayed in a hidden field in the form and then checks that sufficient time for a person to fill out the form has passed since then when the form is submitted.
Good point, but I have also already seen non-English captchas... oddly enough an accessibility issue in reverse... what if I don't have a Cyrillic keyboard!!
Quote:
But that could cause difficulties for non-native English speakers.
I must confess I don't have much experience with c myself, but one method I would consider would be generating an equation:
"3 + 7 = ?" is an easy line of text to generate in PHP, but the answer you are looking for would be "10". This of course throws the bots off, with minimal fuss.
If you get that as part of a reCaptcha then there's no problem. Because with reCaptcha the main thing it is testing you on is whether you can decode the known and deliberately scrambled word, if you don't give the "right" answer for the scanned text (I've had mathematical formulae, upside-down text, all sorts) then all it has to compare your answer with are the answers that other people have given. And the chances are that few of them will have gone to the effort of looking up the Unicode for Cyrillic characters, so it has no way of knowing you're wrong if you give the closest approximation you can using the Latin alphabet.
Which was exactly my point. If you decide to use that sort of challenge-response mechanism, you've got to think very carefully about how the question will be perceived in various countries, cultures and languages. And it's not limited to "English-speaking areas". There will be people from non-English speaking parts of the world who have a legitimate reason to visit your site, and who might be baffled by what, to you and me, are perfectly reasonable questions.
Anything is better than that. :) (When I ask Captcha to sound out the words, they usually sound like animal noises to me anyway. :shifty: )
Quote:
are animal sound questions better than trying to figure out the horribly distorted letters in a CAPTCHA image?
The math challenge questions were settled on as a standard because they require no language and no local knowledge. However, math problems are easily defeated by bots. So, essentially, these types of questions don't work anymore. CAPTCHA doesn't work well anymore either, as many bots can bypass it.
Sometimes hidden "are you a bot?" fields help, and these don't impact visitors because they never see them anyway.
So, the only thing that seems to be left are some sort of simple reasoning questions that bots can't answer (yet, anyway). The trick is to make them general enough for any visitors to guess, but difficult enough to stymie bots.
What other types of challenge questions might fit the bill?
I don't know how bots work, but I wonder if you gave an instruction like "type anything here other than an email address" but in the HTML put something like type="email" or id="email", would that trip up the bots?
I'm surprised no-one's mentioned the 'Honeypot', which uses a hidden field to tempt a bot to insert something (typically an e-mail address).
Ralph.m has mentioned something similar, but it's not clear to me that it's actually hidden in his version. For those not using CSS there's an instruction not to complete the field. Optionally (as web-master) I get the spam messages diverted to me so I can monitor them from time to time. As a back-up to the Honeypot I class as spam anything where the first_name and last_name fields are the same, as in most of the spam messages that I do monitor these fields are full of identical gobbledy-gook (or even gobble-gobble) like 'oeafijbgp'. If Humbert Humbert wants to contact me he'll have a problem, I know.
For timing script execution, how about PHP microtime (see PHP manual).
Wouldn't a combination of the honeypot and the time counter work best... so we have a hidden field and also throw an error for all forms that were completed under 5 seconds...
The submission time is exactly what I do on my contact forms, it appears to work.
As someone asked for code; it's really easy, in PHP (this has no security, it's bare bones code):
On the PHP script that loads the form:
<input type="hidden" name="loadtime" value="<?php echo time(); ?>" />
Then on your POST PHP script (where you send the email):
So grab the load time timestamp from the form, get the current time as a timestamp, get the total time as current_time - load_time, and if the total time is less than 7, spring an error.
Code:
// the timestamp written into the hidden field when the form was rendered
$loadtime = (int) $_POST['loadtime'];
// seconds between the form being displayed and being submitted
$totaltime = time() - $loadtime;
if ($totaltime < 7) {
    echo("You took less than 7 seconds to complete the form, blah blah blah");
}
It may not be 100% foolproof, but it definitely helps. I don't use the honeypot exactly because of screen readers. You don't want anything obstructing legitimate users, especially not those stuck behind accessibility software.
My timer is set to 7 seconds, which when you consider they have to enter an email address, name and a message is reasonable. The only way I can make the timer error appear on my forms is to hit the keyboard with 4 fingers on the first field, have the email ready populated via double clicking and selecting quickly and hitting the keyboard with 4 fingers again in the message and hitting submit. I have to do that like a hyperactive 3 year old to get the error, so I'm pretty confident that nobody legitimate will ever see that error unless they sit there trying to get it.
Now I have revealed it... please don't :(
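The timer above trusts whatever timestamp comes back in the hidden field, so a bot can post an old value. The combination suggested earlier in the thread (honeypot plus timer), as an added example that is not FizixRichard's code: the load time is signed with an HMAC so it cannot be forged, an upper bound rejects stale or replayed tokens, and the honeypot field is labelled for screen-reader users. The secret value and the field names (`loadtime`, `website`) are assumptions.

```php
<?php
// Added example, not from the original thread. $secret is a placeholder;
// use a long random value stored outside the web root.
$secret = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

// Value for the hidden field: "<unix time>:<hmac of that time>".
function make_loadtime_token(string $secret, ?int $now = null): string {
    $t = $now ?? time();
    return $t . ':' . hash_hmac('sha256', (string) $t, $secret);
}

// Returns null when the submission looks human, otherwise a reason string
// suitable for logging (not necessarily for showing to the visitor).
function check_submission(array $post, string $secret, int $min = 7,
                          int $max = 86400, ?int $now = null): ?string {
    $now = $now ?? time();
    // Honeypot: hidden with CSS, labelled "leave this field blank" for
    // users of screen readers; any content means an automated submission.
    if (!empty($post['website'])) {
        return 'honeypot filled';
    }
    $parts = explode(':', $post['loadtime'] ?? '', 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'missing or malformed loadtime';
    }
    [$t, $mac] = $parts;
    // Constant-time compare: a forged or edited timestamp fails here.
    if (!hash_equals(hash_hmac('sha256', $t, $secret), $mac)) {
        return 'loadtime tampered';
    }
    $elapsed = $now - (int) $t;
    if ($elapsed < $min) {
        return "completed in {$elapsed}s, under the {$min}s minimum";
    }
    if ($elapsed > $max) {
        return 'form token expired';     // blocks replay of an old token
    }
    return null;
}

// Rendering side (inside the form):
//   <input type="hidden" name="loadtime"
//          value="<?= htmlspecialchars(make_loadtime_token($secret)) ?>">
//   <label for="website" class="visually-hidden">Leave this field blank</label>
//   <input type="text" id="website" name="website" tabindex="-1"
//          autocomplete="off" class="visually-hidden">
// Handling side:
//   if (($why = check_submission($_POST, $secret)) !== null) { log and reject }
```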
Thanks for this, FizixRichard. I look forward to giving it a try. I wasn't sure if you could do something like
Code:
$totaltime = time() - $loadtime;
but glad to know you can. :)
I think you should use Captcha for account creation only. For other forms, instead of using captcha images you can use other techniques like mathematical operations to confirm whether the person isn't a bot. :) :cool:
Why not lol? When it's a question of security for your site then to avoid spamming you should use Captcha...
It's a perfectly valid discussion when you consider that CAPTCHAs:
1. Are of limited effectiveness; bots are continually evolving their recognition skills and learn how to get past them. I've had to update captcha image sets many, many times as bots have figured them out.
2. Are often difficult to read and sometimes illegible.
3. Are an accessibility nightmare, even with audio recognition.
4. End users hate them
Therefore, other solutions that catch bots out have been outlined in this thread.
CAPTCHA is a modern day necessity. You will get tons of spam without it. Even a contact form I had got spammed until I added visual verification.
If anyone needs an incredibly easy to integrate CAPTCHA that is also free and open source, you should check out Securimage at this site:
I use it and it works very well. You can integrate it into your site with only a few lines of code. I can't recommend it highly enough.
So "CAPTCHA is a modern day necessity. You will get tons of spam without it." is simply untrue; other traps such as form timers and honeypots work just as well.
Just to note, I've converted 15 sites, some old ones with CAPTCHAs and some with honeypots, to the timer suggestion. It works great and I am getting about 30% less spam on these sites, plus they are far more accessible, as people have indicated throughout this thread. I know that bots could be built to pause to beat timers, but nothing works forever, so while it works well I will use it.