CAPTCHA and its Alternatives: A Review


A visual captcha is an image containing a hard-to-read string of letters or numbers that you must retype to prove that you are not a spambot.

This anti-spam technique is widely used in blog comment forms, contact forms and sign-up procedures. The problem is greatest for blind and visually impaired visitors, but dyslexic users also struggle. The accessibility problem goes beyond missing alt text: a visual captcha means these visitors cannot submit the form at all, so they cannot respond to a blog post, ask a question through the contact form, or create a Twitter account. In this article we give some possible alternatives to the visual captcha.

No captcha

You don’t want to receive spam. To achieve that, you bother every visitor with unreadable letters they have to type. You solve your spam problem by creating a problem for all your visitors with good intentions. Just from a usability standpoint, that’s not a good idea. So look for spam protection that doesn’t plague your visitors. It might be a little less effective than a visual captcha, but two spam messages in your mailbox are better than two customers not completing their order in your webshop.

Honeypot

Spam bots try to fill in every field of a form. Add a field that the visitor does not see and does not have to fill out. If it is filled in anyway, you are almost certainly dealing with a spammer. So in form validation you do the opposite of what you normally do: only accept the submission if this field is empty.

Note: hiding things is not always reliable. Visitors who browse with CSS disabled, and some screen readers, will still encounter a field hidden with the CSS property display: none. So give this field a label as well, explaining that the user may skip it if they do encounter it.

This honeypot is quite reliable until the spammer works out which field is the honeypot. Therefore make the field look as normal as possible to a script that analyses the markup: give it the same attributes as the other input fields, don’t put it as the last field in the form, be a little more creative in hiding it than class="hidden" or class="invisible", and don’t name it name="honeypot" or name="leaveBlank". Instead, make it “attractive” by calling it name="email", for example, and feel free to add a * as well. One caveat: browser autofill will happily complete a field named email, which would turn a genuine visitor into a false positive. Add autocomplete="off" (and tabindex="-1", so keyboard users don’t tab into it) to the honeypot, and use a different name, such as contact_email, for the real address field.

Enough time

Humans take longer than robots to fill out a form. Time is money for the spammer, so the bot wants to work as fast as possible, and that is what distinguishes it from a human. Refuse a submission that arrives within, say, ten seconds of the page loading. Do measure that time on the server (store the page load time in the session, or put a signed timestamp in a hidden field): a bot that posts directly to the form handler never runs your JavaScript, so a timer implemented only client-side proves nothing. A jQuery tutorial on this approach: Safer Contact Forms Without Captchas.

Akismet

Akismet is indispensable for bloggers who want to stop spam. There is no captcha involved: it examines each post before it enters your database and marks it as spam or not. It is available for many systems such as WordPress and Fork CMS, and there is even an API. It is free for personal use.

Filtering emails

This technique is best suited for contact forms: configure your email program or web server so that it does proper spam filtering. This way you avoid all spam in your mailbox, not just the spam from your contact form. Then you really don’t need to send a captcha to your visitors anymore.

Too complicated? Then get a Gmail address and send your messages there. Gmail is damn good at filtering spam.

Alternative to the visual captcha

The previous techniques are preferred because a visitor with good intentions won’t even notice that there is a spam protection on it and therefore won’t lose time or get frustrated by it. The following are some alternatives that do require an extra action from the visitor.

Email verification

Send an email containing a link that people have to click to confirm the transaction. This technique works well when registering on a website: anyone surfing the web also has an email address. It is perhaps less appropriate for posting a comment on a blog or for a contact form. It is the same mechanism behind most “I forgot my password” flows, so it is well understood and reasonably safe, provided the link carries an unguessable, expiring token rather than just the email address.
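The honeypot, the minimum-fill-time check and the confirmation link above all come down to the same server-side pieces: a form that carries a trap field and a signed timestamp, a validator that inverts the usual logic for the trap field and refuses tokens that are forged, too young or too old, and a confirmation token that binds an email address to an expiry. The following block, added here as an example and not code from the original article or from AnySurfer, puts those together in Python using only the standard library. The field names (email for the honeypot, contact_email for the real address), the secret, the ten-second and two-day windows and the confirmation URL are all assumptions; the article prescribes none of them.

```python
"""Added example: honeypot + signed form-age token + email confirmation link.
Everything below that is a name, secret or URL is an assumption, not taken
from the article."""
import base64
import hashlib
import hmac
import html
from typing import Optional, Tuple

SECRET = b"replace-with-a-random-per-deployment-secret"  # assumption: load from config
MIN_SECONDS = 10             # a submission younger than this is treated as a bot
MAX_SECONDS = 24 * 3600      # a form token older than a day is stale
CONFIRM_TTL = 48 * 3600      # confirmation links stop working after two days
HONEYPOT = "email"           # attractive name for bots; the real field is contact_email


def _mac(purpose: str, body: str) -> str:
    # The purpose is bound into the MAC so a form token cannot be replayed
    # as an email-confirmation token or vice versa.
    return hmac.new(SECRET, f"{purpose}|{body}".encode(), hashlib.sha256).hexdigest()


def sign(purpose: str, payload: str, issued_at: int) -> str:
    """Token layout: <unix time>.<base64url payload>.<hex hmac>.
    base64url never contains '.', so the token splits unambiguously."""
    body = f"{issued_at}.{base64.urlsafe_b64encode(payload.encode()).decode()}"
    return f"{body}.{_mac(purpose, body)}"


def verify(purpose: str, token: str, now: float,
           min_age: float, max_age: float) -> Tuple[bool, str, Optional[str]]:
    """Check MAC first, then the age window. Returns (ok, reason, payload)."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return False, "malformed token", None
    body = f"{parts[0]}.{parts[1]}"
    if not hmac.compare_digest(_mac(purpose, body).encode(), parts[2].encode()):
        return False, "forged token", None
    age = now - int(parts[0])
    if age < min_age:
        return False, f"too fast ({age:.0f}s)", None
    if age > max_age:
        return False, "expired token", None
    return True, "ok", base64.urlsafe_b64decode(parts[1]).decode()


def render_contact_form(now: float) -> str:
    """HTML for the form: the honeypot looks like any other field in the markup,
    is moved off-screen by CSS (not display:none), and is labelled for anyone
    who meets it anyway. The page-load time travels in the signed token."""
    token = html.escape(sign("contact-form", "contact", int(now)))
    return f"""<form method="post" action="/contact">
  <label for="contact_email">Your email address *</label>
  <input type="text" id="contact_email" name="contact_email" required>
  <label for="message">Message *</label>
  <textarea id="message" name="message" required></textarea>
  <div class="form-extra"><!-- .form-extra {{ position:absolute; left:-9999px }} -->
    <label for="{HONEYPOT}">Email * (leave this field empty if you can see it)</label>
    <input type="text" id="{HONEYPOT}" name="{HONEYPOT}" tabindex="-1" autocomplete="off">
  </div>
  <input type="hidden" name="form_token" value="{token}">
  <button type="submit">Send</button>
</form>"""


def validate_contact_submission(fields: dict, now: float) -> Tuple[bool, str]:
    """Inverted check for the honeypot, then the token, then normal validation."""
    if fields.get(HONEYPOT, "").strip():
        return False, "honeypot filled"
    ok, reason, _ = verify("contact-form", fields.get("form_token", ""),
                           now, MIN_SECONDS, MAX_SECONDS)
    if not ok:
        return False, reason
    if not fields.get("contact_email", "").strip() or not fields.get("message", "").strip():
        return False, "required field missing"
    return True, "ok"


def confirmation_link(email: str, now: float) -> str:
    """Link to put in the verification mail (the base URL is an assumption)."""
    return "https://example.org/confirm?t=" + sign("confirm-email", email, int(now))


def confirm_from_link(query_token: str, now: float) -> Optional[str]:
    """Return the confirmed address, or None if the link is forged or expired."""
    ok, _, email = verify("confirm-email", query_token, now, 0, CONFIRM_TTL)
    return email if ok else None
```

The validator deliberately returns a reason so it can be logged; do not show that reason to the submitter, since it tells a bot author which check tripped. The confirmation token is stateless, so on a real site also record in the database that the address has been confirmed, which makes the link effectively single-use.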

Verification by phone

Websites sometimes send an SMS with a code that you must enter on the web page, but this is a bit more delicate: does everyone want to give their phone number to any site?

Ask a question

You can add an extra question to your form that you are pretty sure the visitor can answer but the spambot doesn’t understand. Often a simple math or textual question is used.

This technique is reliable until the spambot does understand the question and can supply the answers. It is also not a good technique if the question is too difficult for the visitor, or if they do not understand why they have to answer a question that usually has nothing to do with the purpose of the form they are filling out. So keep the question easy, say why it is there, and accept every reasonable way of writing the answer.
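As an added example (not code from the article), this is a minimal server-side “ask a question” challenge in Python: the question is generated with small operands so every visitor can answer it, the expected answer is kept on the server under a random one-time token, and the check accepts digits as well as number words, with surrounding spaces, capitals and a trailing full stop ignored. The in-memory store and the exact wording are assumptions; on a real site the answer would live in the session or a cache with an expiry.

```python
"""Added example: an easy arithmetic anti-spam question with tolerant checking.
The module-level store and the phrasing are assumptions, not from the article."""
import random
import secrets
from typing import Optional, Tuple

# Assumption: a plain dict stands in for the session / cache. Keyed by a
# one-time token so the expected answer never appears in the page itself.
_CHALLENGES: dict = {}

_WORDS = {w: i for i, w in enumerate(
    ["zero", "one", "two", "three", "four", "five", "six", "seven", "eight",
     "nine", "ten", "eleven", "twelve", "thirteen", "fourteen", "fifteen",
     "sixteen", "seventeen", "eighteen", "nineteen", "twenty"])}


def new_question(rng: Optional[random.Random] = None) -> Tuple[str, str]:
    """Return (token, question text). Operands are 1..10 and subtraction is
    only offered when the result is not negative, so every answer is 0..20."""
    rng = rng or random.SystemRandom()
    a, b = rng.randint(1, 10), rng.randint(1, 10)
    if a < b or rng.random() < 0.5:
        question, answer = f"What is {a} plus {b}?", a + b
    else:
        question, answer = f"What is {a} minus {b}?", a - b
    token = secrets.token_urlsafe(16)
    _CHALLENGES[token] = answer
    return token, question + " (anti-spam check; type the number in digits or in words)"


def normalise_answer(raw: str) -> Optional[int]:
    """'7', ' 7 ', 'Seven.' and 'SEVEN' all become 7; anything else is None."""
    s = raw.strip().lower().rstrip(".")
    if s.lstrip("-").isdigit():
        return int(s)
    return _WORDS.get(s)


def check_answer(token: str, raw_answer: str) -> bool:
    """One shot: the token is consumed whether the answer is right or wrong,
    so a bot cannot keep guessing against the same question."""
    expected = _CHALLENGES.pop(token, None)
    if expected is None:
        return False
    return normalise_answer(raw_answer) == expected
```

Because the token is consumed on first use, a wrong answer must be followed by a freshly generated question when the form is re-displayed, which is also what a human expects to see.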

Audio Captcha

To solve the problem of the visual captcha for blind and visually impaired visitors (though not for deafblind users), more and more websites offer the option to listen to the sequence of numbers or letters instead of deciphering it visually. This topic was already discussed in one of the very first AnySurfer blog posts, and to show that it doesn’t have to be difficult, former colleague Roel Van Gils built one himself in PHP: Audio Captchas in Practice. Mollom works with letters and reads them out using the NATO alphabet (Alfa, Bravo, Charlie, Delta, Echo, …). An additional advantage of Mollom is that it only shows a captcha when the input looks suspicious.

Unfortunately, there is no such thing as perfect security

Every security measure will be broken sooner or later. If your site is popular enough with spammers, they will get through. In some cases spammers even pay people to solve visual captchas so that the bot can pass as human. If you run a modest Dutch-language weblog, there is little chance of them singling out your site, and if you change the standard forms of your CMS a bit, you are already much less vulnerable.

Conclusion

Inaccessible anti-spam techniques deny access to essential parts of a website. Captchas are inaccessible:

  • if you have to be able to see to decipher the code in the image,
  • if you have to use the mouse to click on the pictures,
  • if there is an audio alternative but it is unintelligible, as with reCaptcha.

Use one of the first techniques if you get too much spam. You can choose a question that everyone understands and can answer, such as a simple math question. If you choose an audio captcha, test whether it is understandable. And if all this fails, include a phone number and an email address that people who can’t fill out the form can use. And of course, give that email address good spam protection.