

Quote: The best CAPTCHA I can think of to use on a form would be one that puts the time the form displayed in a hidden field in the form and then checks that sufficient time for a person to fill out the form has passed since then when the form is submitted.
wow, neat idea!!
Quote: But that could cause difficulties for non-native English speakers.
Good point, but I have also already seen non-English captchas... oddly enough an accessibility issue in reverse.. what if I don't have a Cyrillic keyboard!!
I must confess I don't have much experience with c myself, but one method I would consider would be generating an equation:
"3 + 7 = ?" is an easy line of text to generate in PHP, but the answer you are looking for would be "10". This of course throws the bots off, with minimal fuss.
Brilliant ideas, elegant execution.
Graphic Design, Art Direction, Copywriting and Web Design.

If you get that as part of a reCaptcha then there's no problem. Because with reCaptcha the main thing it is testing you on is whether you can decode the known and deliberately scrambled word, if you don't give the "right" answer for the scanned text (I've had mathematical formulae, upside-down text, all sorts) then all it has to compare your answer with are the answers that other people have given. And the chances are that few of them will have gone to the effort of looking up the Unicode for Cyrillic characters, so it has no way of knowing you're wrong if you give the closest approximation you can using the Latin alphabet.
Any posts I write in Arial are on my mobile phone, so please excuse typos etc.
Any posts I write in Verdana are on a PC, so feel free to berate me mercilessly for any mistakes


Which was exactly my point. If you decide to use that sort of challenge-response mechanism, you've got to think very carefully about how the question will be perceived in various countries, cultures and languages. And it's not limited to "English-speaking areas". There will be people from non-English speaking parts of the world who have a legitimate reason to visit your site, and who might be baffled by what, to you and me, are perfectly reasonable questions.
Mike


I'm sure most kids are familiar with it. I know it well, but couldn't remember which animal it applied to. (Showing my age, I guess.)
Quote: are animal sound questions better than trying to figure out the horribly distorted letters in a CAPTCHA image?
Anything is better than that. (When I ask Captcha to sound out the words, they usually sound like animal noises to me anyway.)

You also have to keep in mind what the demographics of your site(s) are and who your target audience is.
The math challenge questions were settled on as a standard because they require no language and no local knowledge. However, math problems are easily defeated by bots. So, essentially, these types of questions don't work anymore. CAPTCHA doesn't work well anymore either, as many bots can bypass it.
Sometimes hidden "are you a bot?" fields help, and these don't impact visitors because they never see them anyway.
So, the only thing that seems to be left are some sort of simple reasoning questions that bots can't answer (yet, anyway). The trick is to make them general enough for any visitors to guess, but difficult enough to stymie bots.
What other types of challenge questions might fit the bill?
Visit The Blog | Follow On Twitter
301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
Can be hosted on and utilize your own domain


I don't know how bots work, but I wonder if you gave an instruction like "type anything here other than an email address" but in the HTML put something like type="email" or id="email", would that trip up the bots?





I'm surprised no-one's mentioned the 'Honeypot', which uses a hidden field to tempt a bot to insert something (typically an e-mail address).
Ralph.m has mentioned something similar, but it's not clear to me that it's actually hidden in his version. For those not using CSS there's an instruction not to complete the field. Optionally (as web-master) I get the spam messages diverted to me so I can monitor them from time to time. As a back-up to the Honeypot I class as spam anything where the first_name and last_name fields are the same, as in most of the spam messages that I do monitor these fields are full of identical gobbledy-gook (or even gobble-gobble) like 'oeafijbgp'. If Humbert Humbert wants to contact me he'll have a problem, I know.
For timing script execution, how about PHP microtime (see PHP manual).
Tim Dawson
Isle of Mull, Scotland


Yes, I was referring to the honeypot method, where the field to catch bots is hidden from view. The only problem is that screen readers, or those with CSS off etc., may see the form field, so there needs to be some consideration of what to say to them so they know what to do.


Wouldn't a combination of the honeypot and the time counter work best... so we have a hidden field and also throw an error for all forms that were completed under 5 seconds...
The submission time is exactly what I do on my contact forms, it appears to work.
As someone asked for code; it's really easy, in PHP (this has no security, it's bare-bones code):
On the PHP script that loads the form:
So literally insert a timestamp into a hidden field. (With a JavaScript-loaded form you'll want to populate this when the user clicks your contact button.)
Code:
<input type="hidden" name="loadtime" value="<?php echo time(); ?>" />
Then on your post PHP script (where you send the email):
So grab the post time timestamp from the form, get the current time in a timestamp, get the load time as current_time - post_time, if the load time is less than 7, spring an error.
Code:
$loadtime = (int) $_POST['loadtime'];   // timestamp written into the hidden field when the form loaded
$totaltime = time() - $loadtime;        // seconds between load and submit
if ($totaltime < 7) {
    echo "You took less than 7 seconds to complete the form, blah blah blah";
    exit;
}
If you're using a JavaScript form that opens in an overlay, have the JavaScript complete the timestamp; then do any time conversion if necessary.
It may not be 100% foolproof, but it definitely helps. I don't use the honeypot exactly because of screen readers. You don't want anything obstructing legitimate users, especially not those stuck behind accessibility software.
My timer is set to 7 seconds, which when you consider they have to enter an email address, name and a message is reasonable. The only way I can make the timer error appear on my forms is to hit the keyboard with 4 fingers on the first field, have the email ready populated via double clicking and selecting quickly and hitting the keyboard with 4 fingers again in the message and hitting submit. I have to do that like a hyperactive 3 year old to get the error, so I'm pretty confident that nobody legitimate will ever see that error unless they sit there trying to get it.
Now I have revealed it... please don't!
Last edited by FizixRichard; Jul 1, 2012 at 14:36. Reason: Typo
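Putting FizixRichard's form timer together with the honeypot Tim and ralph.m described, as an added example that is not code from anyone in this thread: the hidden load time is signed with an HMAC so a bot cannot simply submit an old timestamp of its own choosing, the honeypot is checked on the same pass, and the `website` field name, the constants and `$secret` are assumptions.

```php
<?php
// Added example (not FizixRichard's or any other poster's code). It combines the
// thread's two traps, the form timer and the honeypot, and signs the load-time
// token with an HMAC so a bot cannot forge an old timestamp. $secret is an
// assumed server-side value; load it from configuration in practice.
const MIN_SECONDS = 7;     // same floor as the post above
const MAX_SECONDS = 3600;  // stale tokens (older than an hour) are rejected too
function make_token(string $secret, int $now): string {
    // token = "<loadtime>.<hmac>" so the timestamp is tamper-evident
    $ts = (string) $now;
    return $ts . '.' . hash_hmac('sha256', $ts, $secret);
}

// Returns null when the submission passes, or the reason it was rejected.
function check_submission(array $post, string $secret, int $now): ?string {
    // Honeypot: "website" is hidden with CSS (class .hp -> display:none) and
    // labelled "leave this blank"; people leave it empty, bots usually do not.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot field was filled in';
    }
    $parts = explode('.', $post['loadtime'] ?? '', 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'missing or malformed load-time token';
    }
    [$ts, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $ts, $secret), $mac)) {
        return 'load-time token failed signature check';
    }
    $elapsed = $now - (int) $ts;
    if ($elapsed < MIN_SECONDS) {
        return 'form submitted in ' . $elapsed . 's, under the ' . MIN_SECONDS . 's floor';
    }
    if ($elapsed > MAX_SECONDS) {
        return 'load-time token has expired';
    }
    return null;
}

// Rendering the form: the two fields that go alongside name, email and message.
$secret = 'replace-with-a-long-random-secret';   // assumption: keep it out of the repo
$token  = make_token($secret, time());
echo '<input type="hidden" name="loadtime" value="' . htmlspecialchars($token) . "\">\n";
echo '<label class="hp" for="website">Leave this field blank</label>'
   . '<input class="hp" type="text" id="website" name="website" tabindex="-1" autocomplete="off">' . "\n";
// Constructed submissions: a person replying ten seconds later passes (NULL),
// an instant reply that also filled the honeypot is rejected with a reason.
var_dump(check_submission(['loadtime' => $token, 'website' => ''], $secret, time() + 10));
var_dump(check_submission(['loadtime' => $token, 'website' => 'http://x'], $secret, time()));
```

Because the token is signed, a bot that harvests one token and replays it later still has to wait out MIN_SECONDS and is cut off by MAX_SECONDS, so the timer cannot be bypassed by editing the hidden field.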


Thanks for this, FizixRichard. I look forward to giving it a try. I wasn't sure if you could do something like
Code:
$totaltime = time() - $loadtime;
but glad to know you can.
I think you should use Captcha for account creation only. For other forms, instead of using captcha images you can use other techniques like mathematical operations to confirm whether the person isn't a bot.
Why not use Fegall's idea and not include the captcha. The form will have a minimum time rather than the almost immediate one that the bots will do, so allow an account that waits the specified period. If this is the 'minimum' time allowed to create the form, then it is pretty equal for the sighted and non-sighted users and no annoying CAPTCHAs, and would stop most spam bots from creating multiple accounts. Love this idea!
As I said previously, we use a timer system and it does work. Now the occasional bot does get through, it's not 100%, but it really is occasional; we converted to the timer method to solve a problem, which was that bots started to figure out how to get past the captcha, so we decided to try something else. The timer method is far more effective.
Why not lol? When it's a question of security for your site then to avoid spamming you should use Captcha...
Who said anything about neglecting site security and not stopping spammers? This thread is discussing alternative methods to resolve the same problems that captchas resolve.
It's a perfectly valid discussion when you consider that Captchas:
1. Are of limited effectiveness; bots are continually evolving their recognition skills and learn how to get past them. I've had to update captcha image sets many, many times as bots have figured them out.
2. They are often difficult to read and sometimes illegible.
3. They are an accessibility nightmare, even with audio recognition
4. End users hate them
Therefore, other solutions that catch bots out have been outlined in this thread.





CAPTCHA is a modern day necessity. You will get tons of spam without it. Even a contact form I had got spammed until I added visual verification.
If anyone needs an incredibly easy to integrate CAPTCHA that is also free and open source, you should check out Securimage at this site:
http://www.phpcaptcha.org/
I use it and it works very well. You can integrate it into your site with only a few lines of code. I can't recommend it highly enough.
This is untrue. You need some kind of bot protection, however captchas are not the beginning nor the end; there are other solutions to stop spam bots, as has been discussed extensively in this thread.
So "CAPTCHA is a modern day necessity. You will get tons of spam without it." is simply untrue; other traps such as form timers and honeypots work just as well.


Just to note, I've converted 15 sites, some old ones with CAPTCHAs and some with Honey Pots, to the timer suggestion. It works great and I am getting about 30% less spam on these sites, plus they are far more accessible, as people have indicated throughout this thread. I know that bots could be built to pause to beat timers, but nothing works forever, so while it works well I will use it.
Steve