10 Things to Check Before Using a CAPTCHA

Share this article

Spam bot
All CAPTCHA systems are doomed to fail. Unfortunately, this has not prevented eager developers using CAPTCHAs in even the most basic web to email forms. No one likes CAPTCHAs. They are not fun. They can not be used by everyone, such as those with impaired vision or without graphics enabled. They slow down the sign-up process and, ultimately, they will lead to fewer real registrations. The worst problem with CAPTCHAs is that they put the onus on the user. Users do not care if you are receiving thousands of spam messages or bogus accounts: that’s your problem. CAPTCHAs should be the last barrier of defence – not the first. The vast majority of hacking attempts and bots can be prevented without resorting to CAPTCHAs. If you make it moderately difficult, spammers will simply move on to the next easier target. Here are some basic techniques that will stop the majority of spoofing attempts.

1. Validate everything server-side

You need to validate every field using server-side code – even if you have strong client-side validation. Be especially careful with fields that are placed in email headers. Email addresses are probably the most important values to check: use a good regular expression and watch out for HTML tags, SQL injections, or return characters (n and r in PHP).

2. Check for spam-like content

Most spammers post links to websites. If that’s not something you are expecting, it could indicate a spam bot. A third-party tool such as Akismet could help.

3. Check for rogue POST and GET values

If your form expects three POSTed fields, the existence of a fourth could indicate a hacking attempt. Similarly, check that no additional GET values have been passed.

4. Check the HTTP header

Simpler spam bots will rarely set a user agent (HTTP_USER_AGENT) or a referring page (HTTP_REFERER). You should certainly ensure the referrer is the page where your form is located.

5. Use a honeypot field

Spambots normally attempt to complete every form field so they pass basic validation. A honeypot field is one that is hidden from the user (CSS display set to none), so any value passed back is likely to come from a bot. The field should be labelled “Please leave this blank” or similar to account for those with CSS disabled or using custom stylesheets.

6. Detect the presence of JavaScript

If your page can run JavaScript, you can be almost certain it has been loaded in a browser by a human user. A simple in-page dynamically generated JavaScript function could perform a simple calculation or create a checksum for the posted data. This can be passed back in a form value for verification. An estimated 10% of people have JavaScript disabled, so further checks will be necessary in those situations.

7. Show a verification page or fail the first posting attempt

Bots have a tough time reacting to a server response. If you are in any doubt about the validity of a post, show a intermediary page asking the user to confirm their data and press submit again.

8. Time the user response

Accounting for human behaviour is one of the best ways to spot the bots. Users will take a little time to complete forms whereas bots are almost instantaneous. I use the following method in many forms and it has been effective:
  1. The current server time is recorded when the form page is generated.
  2. The time value is encoded into a string. The actual encoding algorithm is up to you, but it must be one that is not obvious and allow decoding back to the original value. I would also recommend using unique user data, such as the IP address, as an encryption key.
  3. The encoded time is put in a hidden form value.
  4. When the form is posted back, the field is checked and decoded back to a time. This can now be compared with the current server time to ensure the response time falls within a specific window, e.g. between 20 seconds and 20 minutes.
There are several benefits to this process: it does not rely on client-side technology, the time value must be in the returned data and, even if your form is spoofed, it limits the number of bogus submissions that can be sent.

9. Log everything

Keep a log of everything that occurs during a form submission process. This need not be an elegant solution; writing to a file will be adequate. The information you gather will be invaluable when spotting hacking attempts and implementing solutions.

10. Handling the extreme cases

Some of the techniques above will fail for legitimate users, e.g. checking for JavaScript or the HTTP header. It is only likely to affect a small number of users so a CAPTCHA could be used in those circumstances. Alternatively, if there is any doubt about the data validity for a small number of users, you could add human verification to your process. Ensure it simple to operate, i.e. email an administrator and only accept the post once a reply is received. CAPTCHAs can be essential for sites that could incur significant monetary loss or are obvious targets for illegal activities, such as online banking and webmail. However, they are overkill for most forms: a combination of techniques will stop the majority of bots without making sign-ups difficult for real users.

Frequently Asked Questions (FAQs) about CAPTCHA Alternatives and Spambots

What are the main types of CAPTCHA alternatives?

There are several alternatives to CAPTCHA that can be used to prevent spambots. These include biometric authentication, which uses unique physical or behavioral characteristics such as fingerprints or voice recognition; two-factor authentication, which requires users to provide two different types of identification; and behavioral analysis, which monitors user behavior to identify bots. Other alternatives include honeypots, which are traps designed to catch bots, and time analysis, which identifies bots based on the speed of their actions.

How does biometric authentication work as a CAPTCHA alternative?

Biometric authentication works by using unique physical or behavioral characteristics to verify a user’s identity. This could include fingerprints, facial recognition, voice recognition, or even typing patterns. The system will compare the input with the stored data, and if there’s a match, the user is granted access. This method is highly secure and difficult for bots to bypass, making it an effective CAPTCHA alternative.

What is a spambot and how does it work?

A spambot is a type of bot that sends spam messages over the internet. These bots can send large volumes of spam emails, comments, or other unwanted messages, often with the aim of advertising a product or service, spreading malware, or phishing for personal information. Spambots work by automatically generating and sending these messages, often bypassing security measures such as CAPTCHA.

How does two-factor authentication prevent spambots?

Two-factor authentication (2FA) adds an extra layer of security by requiring users to provide two different types of identification. This typically involves something the user knows, like a password, and something they have, like a mobile device. A common form of 2FA is a text message or app notification sent to the user’s phone. This method is effective against spambots as it’s difficult for a bot to gain access to a physical device.

What is behavioral analysis and how does it detect spambots?

Behavioral analysis is a method of detecting bots based on their behavior. This could include monitoring mouse movements, keystrokes, and browsing patterns. Since bots behave differently than humans, these patterns can be used to identify and block them. For example, a bot might fill out a form instantly, while a human would take longer. This method is effective as it doesn’t require any additional input from the user, making it a user-friendly CAPTCHA alternative.

How do honeypots work to catch spambots?

Honeypots are traps designed to catch bots. They are typically invisible to human users but visible to bots. For example, a form might include a hidden field that humans can’t see but bots will fill out. If the field is filled out, the system knows it’s dealing with a bot and can block it. This method is effective as it doesn’t interfere with the user experience.

What is time analysis and how does it identify spambots?

Time analysis is a method of identifying bots based on the speed of their actions. Since bots can perform actions much faster than humans, a system can use this to identify and block them. For example, if a form is filled out instantly, the system can assume it’s dealing with a bot. This method is effective as it doesn’t require any additional input from the user.

Are CAPTCHA alternatives more effective than traditional CAPTCHA?

CAPTCHA alternatives can be more effective than traditional CAPTCHA in preventing spambots. Traditional CAPTCHA can be difficult for humans to solve and easy for bots to bypass, making it less effective. CAPTCHA alternatives such as biometric authentication, two-factor authentication, and behavioral analysis can provide a higher level of security and a better user experience.

Can spambots bypass CAPTCHA alternatives?

While CAPTCHA alternatives are designed to be difficult for spambots to bypass, no system is completely foolproof. Spambots are constantly evolving and becoming more sophisticated, so it’s important to regularly update and improve security measures. However, CAPTCHA alternatives generally provide a higher level of security than traditional CAPTCHA.

What are the benefits of using CAPTCHA alternatives?

CAPTCHA alternatives offer several benefits over traditional CAPTCHA. They can provide a higher level of security, preventing spambots from bypassing them. They also offer a better user experience, as they are often easier for humans to solve. Additionally, many CAPTCHA alternatives don’t require any additional input from the user, making them more user-friendly.

Craig BucklerCraig Buckler
View Author

Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.

Share this article
Read Next
Get the freshest news and resources for developers, designers and digital creators in your inbox each week
Loading form