September 16, 2007
By: Josh Walsh in Code
In today’s ever more complex world of spam, Phil Haack has come up with a refreshingly simple solution for coping with blog and form spam, which he calls Honeypot Captcha.
No JavaScript, completely accessible, and easier on your visitors.
Spammers use robots to fill out blog comment fields to increase links to their website and promote a variety of squalid products and services.
Here’s a great example. Dan Benjamin is a profound influence on the development community. Despite the incredibly valuable content available on his website, the spam is out of control. See the comments on this post to see what I mean.
Update: Dan fixed his commenting problem. I’d like to think this post had something to do with it.
Spam bots love form fields and hate form validators. To avoid required field errors, they fill out every form field available to them. This usually ensures that they pass validation and that the form gets submitted.
Surely you’ve encountered today’s ridiculous image Captcha routines, where they scramble a bunch of letters in a funny looking image, and then ask you - the human - to decipher and enter the text in a box, which is checked for a match before submission.
The idea of CAPTCHA is annoying and complex… two adjectives I despise.
CAPTCHA is designed to alleviate the frustration on the developer or blogger by pushing it to their visitors. I can attest to this just as much as anyone else: blog spam is annoying. However, making my life easier in order to discourage activity from my visitors is idiotic.
I’m not sure how many people realize that spam bots are now reading these CAPTCHA images and passing them anyway. In order to combat this problem, the images are becoming more and more complex, making them more difficult for humans to decipher. (“Is that an O, o or 0?”)
Developing a CAPTCHA application isn’t tremendously difficult, but it does involve text-graphics manipulation and requires your server to remember what the CAPTCHA is for your visitor’s session so it can match up the response with the original string.
It’s just added complexity that isn’t needed.
Add a form field to your forms which should be left blank intentionally. Spambots, by their greedy nature, will fill in all fields. You simply check to make sure this field is left blank; if it isn’t, disregard the submission.
Phil recommends using CSS to hide the form field completely from your visitors. For screenreaders, simply use a label that says something like “Help us combat spam by typing nothing in the following box.”
To avoid being noticed by the spambots as a “Honeypot User,” make sure you give your spam field a name that’s unique to your website. I also recommend changing your label text from time to time.
If they discover your faux-field, just change the input ID, and you’ll be safe for a while again. I guarantee it’s simpler than re-factoring your CAPTCHA application.
Finally, if spam still gets through, make sure you deal with it and keep the burden off of your visitors.
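As an added illustration, not code from this post or from Phil Haack’s article, here is a minimal Python version of the technique described above: the form carries a CSS-hidden, site-specific field with an explanatory label, and the handler discards any submission in which that field is non-empty before doing ordinary validation. The field name, label and sample submissions are constructed for the example.

```python
import html

# Honeypot field name and label, constructed for this example; use a site-unique name.
HONEYPOT_FIELD = "example_site_homepage_url"
HONEYPOT_LABEL = "Help us combat spam by typing nothing in the following box."


def render_comment_form(action="/comment"):
    """Comment form carrying the hidden honeypot input.

    The wrapper div is hidden with CSS, so sighted visitors never see it;
    the label tells screen-reader users to leave the box empty.
    """
    return f"""<form method="post" action="{html.escape(action)}">
  <label for="author">Name</label>
  <input type="text" id="author" name="author">
  <label for="body">Comment</label>
  <textarea id="body" name="body"></textarea>
  <div style="display:none">
    <label for="{HONEYPOT_FIELD}">{html.escape(HONEYPOT_LABEL)}</label>
    <input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" autocomplete="off">
  </div>
  <button type="submit">Post</button>
</form>"""


def is_honeypot_tripped(form, field=HONEYPOT_FIELD):
    """True when something filled in the field no human can see.

    A missing key counts as blank (browsers submit the empty input anyway),
    so only an actual value, whitespace included, trips the check.
    """
    return form.get(field, "") != ""


def handle_submission(form):
    """Honeypot check first, then ordinary required-field validation."""
    if is_honeypot_tripped(form):
        # Discard quietly; an error message would only tell the bot why.
        return {"accepted": False, "reason": "honeypot"}
    missing = [f for f in ("author", "body") if not form.get(f, "").strip()]
    if missing:
        return {"accepted": False, "reason": "missing:" + ",".join(missing)}
    return {"accepted": True, "reason": None}


# Constructed sample submissions: a visitor leaves the field empty, a greedy bot fills every field.
HUMAN_POST = {"author": "Jane", "body": "Nice write-up.", HONEYPOT_FIELD: ""}
BOT_POST = {"author": "cheap pills", "body": "http://spam.example/",
            HONEYPOT_FIELD: "http://spam.example/"}
```

Rotating HONEYPOT_FIELD (and the label text) when the field gets discovered is the whole maintenance burden, as the post says.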
Comments
Danny Sedor » September 16, 2007
While I find the use of CAPTCHAs to be a pain and I have often had to try 2, maybe 3 times to get the correct code from the jumbled image, I also think that the hidden form field will have its own set of problems and be circumvented rather quickly by determined spammers.
I would propose a simple registration for the website you wish to blog/comment on. Once registered you can set your browser to auto-populate the information on each subsequent visit.
The layer of security is still there. The user only has to be slightly inconvenienced once (during the initial visit), and the developer/admin does not have to continue to monitor the hidden field to see if the obstacle has been overcome.
Joe F. » February 21, 2008
Interesting approach. Not sure how spambots are going to work around this one. Especially if you use a long string for your ID. But, going the simple registration route, if you ensure your site supports OpenID, this would be no big deal. Otherwise, I probably wouldn’t comment, because who needs YET ANOTHER username & password?
beth » February 21, 2008
I’ve always said fighting comment spam is the responsibility of the blogger/site owner, and not their commenters or users. Why make interacting with you or your site any more difficult than necessary?