Captcha - To Use Or Not To Use

Hi, I am building a site at the moment and I am trying to decide whether to add Captcha to my site to protect the following:

  • create account form
  • contact form (as it is saved in the database)
  • change email form
  • change password form

01 - do you think this will p*ss users off? I don’t think it will, as they really will only ever need to enter the Captcha once…

02 - I am surprised to see that Facebook and Twitter do not use them; how do they stop robots from processing multiple forms?

03 - what is your general view / feeling on using Captchas?

Presumably you are asking about image CAPTCHAs - there are lots of alternative CAPTCHAs that are less obvious to real people while still preventing the bots and big sites not using image CAPTCHAs would be using a more sophisticated less obtrusive one instead.

Moved to “Web Design” forum because this isn’t really a PHP issue

My view of using Captchas is that they should only be used where not using them would cause insurmountable problems for the site management. Where users have to be registered in order to post, there is very little need to have a Captcha, because you should have systems in place to spot bots and stop them.

The only one on that list where I would accept a Captcha is on the account creation form, because you don’t want bots to be able to sign up for accounts. Everything else just adds an unnecessary complication and potential barrier. Remember that in many cases, people find Captchas harder to solve than bots, so if you’re relying on them as your sole anti-spam protection measure, you might be in for a nasty surprise.

Any other action – for authenticated users – shouldn’t need a Captcha. In the case of changing registration details (email and password) you might want the user to re-enter their current password to prevent unauthorised changes, but a Captcha won’t help there at all.

Facebook does use Captchas for some things for non-authenticated users.

I always think twice about filling out a form that uses Captcha, as there’s a good chance that I just won’t be able to type the gobbledygook to the system’s satisfaction. It is the single most annoying thing on the web, and I’ve aborted filling out forms many times because I couldn’t be bothered fighting with the stupid Captcha.

I still prefer putting in a hidden field which—if filled out—aborts the form. You can add a simple question to it for legitimate users who have CSS off or who are using a screen reader.

The best CAPTCHA I can think of to use on a form would be one that puts the time the form displayed in a hidden field in the form and then checks that sufficient time for a person to fill out the form has passed since then when the form is submitted.

Bots would normally fail that invisible CAPTCHA by filling out the form too quickly.

Hah, that’s clever. I’d love to try that out. I wonder if I can stretch my meagre PHP skills to accommodate that. I can see how you could easily grab the time the page was loaded as the value of the hidden field … but how to compare it with the time of submission? Hmmm …

Excellent idea felgall… maybe set it so that if the $form_submission_time is not 5 seconds greater than $form_display_time then throw error

As an end-user, I find most Captcha forms slightly irritating, but just about acceptable. However, there is one form of Captcha that I detest. It’s the type where you have a single image, but with two character strings. One of the strings is perfectly clear; the other is nearly always virtually illegible. I’m sure you’ve all seen examples of what I mean. Google, for one, uses it on their own registration forms.

With that type of Captcha, I frequently have to request a new image, sometimes several times, before I am able to figure it out. Often, I just abandon the attempt.

As a developer, the only type of authentication I would use is one that the user is unaware of. I’m currently experimenting with a method which I described in the following blog post: A simple way of preventing contact form spam. I’m not yet sure how well it works, but at least it is unobtrusive.


I’ve been using that method for years, and it seems to work well. But in the end I decided to allow something simple like the number/digit 4 with an instruction to enter that for those who could see the input.

That’s interesting, Ralph. But I’m curious to know why you prefer a method that requires the user to actually do something, rather than one that’s completely passive?

Some years ago I came across a discussion that was recommending against having a form field with an instruction not to do anything. But yes, it’s much of a muchness, I guess. I used to have a label that said—“Don’t fill in this field. It’s for catching spammers!” … or something like that … but unfortunately the client got a glimpse of this code and wanted it removed, as the mention of spam freaked him out.

The CAPTCHA I suggested earlier in the thread shouldn’t require instructions in order for the person to comply with the CAPTCHA requirements unless there are any thousand words a second typists out there.

Indeed. It’s a much nicer solution. I just haven’t quite figured out how to implement it yet. I’m not sure of the best way to grab the time at which the form is submitted, and how best to measure the time difference between two moments and set a condition for the results.

I didn’t think this would be that difficult for you PHP pros :slight_smile:

I know this is only pseudo code but wouldn’t this work:

IF $form_submission_time is not 5 seconds greater than $form_display_time then throw error

I’m sure it would … but one has to know how to say that in computer language. :lol:

It’s simple for you guys… even I could do that :slight_smile: or maybe not then…

Would it make sense to record the $form_display_time in a session variable and then when the form is processed check it against the current time to make sure 5 seconds have elapsed…
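The timing check and the hidden "honeypot" field discussed above, as an added PHP example that is not part of the original thread or any poster's code. Because a hidden field can be edited by the client, the display time is signed with an HMAC here; keeping it in a session variable, as suggested above, keeps it server-side instead. The field names `form_token` and `website`, the secret and the one-hour upper bound are assumptions.

```php
<?php
// Added example: field names, secret and MAX_SECONDS are assumptions, not from the thread.
const FORM_SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder value
const MIN_SECONDS = 5;     // minimum fill-in time suggested in the thread
const MAX_SECONDS = 3600;  // assumed upper bound so an old token stops being accepted

// Called when rendering the form: value for the hidden field, "timestamp:hmac".
function issue_form_token(int $now): string
{
    return $now . ':' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Called when processing the POST: returns null if accepted, else a rejection reason.
function check_submission(array $post, int $now): ?string
{
    // Honeypot: people never see this field, so any value in it suggests a bot.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot filled';
    }
    $parts = explode(':', (string) ($post['form_token'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'token missing or malformed';
    }
    [$displayed, $mac] = $parts;
    // Recompute the HMAC so the client cannot simply back-date the timestamp.
    if (!hash_equals(hash_hmac('sha256', $displayed, FORM_SECRET), $mac)) {
        return 'token tampered';
    }
    $elapsed = $now - (int) $displayed;
    if ($elapsed < MIN_SECONDS) {
        return 'submitted too quickly';
    }
    if ($elapsed > MAX_SECONDS) {
        return 'token expired';
    }
    return null;
}

// Constructed demonstration with fixed clock values; a real page would pass time().
$shown = 1700000000;
$token = issue_form_token($shown);
// Submitted 2 seconds after the form was displayed.
var_dump(check_submission(['form_token' => $token, 'website' => ''], $shown + 2));
// Submitted 30 seconds after display with the honeypot left empty.
var_dump(check_submission(['form_token' => $token, 'website' => ''], $shown + 30));
// Timestamp back-dated by a minute while reusing the original HMAC.
$forged = ($shown - 60) . ':' . explode(':', $token)[1];
var_dump(check_submission(['form_token' => $forged], $shown + 2));
```

A valid token can still be resubmitted until it expires, so this filters naive bots rather than replacing rate limiting or per-token single use.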

Most people are used to Captcha by now so I don’t think it will piss anyone off really.
The benefit to you is tremendous in keeping out the lazy people and the spammers. Those spam bots are annoying and this feature really curbs out the bots.

Cool, thanks… I also think a lot of people are used to CAPTCHAs…

Except those with visual and other problems that can’t use the wretched things. :frowning: Make sure you have a system in place to accommodate such visitors.

I’ve actually been successful with verification questions. You may have seen these in the form of addition questions. Unfortunately, bots can easily bypass those now.

I came up with animal sound questions instead, such as:

What animal says “meow”?

I also use “woof”, “gobble gobble”, and “moo”.

They’re tougher for bots to answer, but real users shouldn’t have too much trouble with them.