[Wsuug] CAPTCHAs

Andrew Jaswa ajaswa at gmail.com
Tue Nov 18 16:15:12 EST 2008


The W3C has a well-written (as far as the W3C goes) document as to why
we shouldn't be using CAPTCHAs. http://www.w3.org/TR/turingtest/

The "CAPTCHA" that you mention isn't actually one. Some users will
still see that method and could potentially be considered a robot. If
you make it a hidden input field and don't use CSS to hide it, it's a
great way to reduce spam. Combined with simple math questions or
things like "is fire hot or cold?" you'll reduce your spam by nearly
100%. You can also check to see what kind of content the "user" is
inputting and filter out messages based on a ban list; if there are
URLs in the message, that would also be a red flag.

But you are right, most programmers/developers consider every user a
robot until proven otherwise. What happened to innocent until proven
guilty?

CAPTCHAs are terrible.

On Tue, Nov 18, 2008 at 2:04 PM, Joshua McDonald <josh at thisisgrow.com> wrote:
> Captchas aren't terrible.
>
> What makes them terrible is when developers err towards spammers.
>
> I look at my captchas as spam reducers, not spam eliminators.   I found a
> while ago a great way to do a transparent captcha that the user never sees.
>
> Basically, create a text field named "email" (or something common, email,
> password, name, etc) that doesn't conflict with any other form element name
> in your form.   Using a common name is a must though, as many spam bots won't
> fill out fields that aren't common names.   Put a label next to the field
> saying "Leave this field blank".  Then, hide both of them.  Setting the
> style to display:none works, but some spam bots ignore them as well, so it's
> best to hide with JavaScript, or by placing another element over top of
> them.  Make sure if you do the latter to remove the field from the tab
> order.
>
> After that, check for that field being blank.  If there is content (a bot
> can't resist an "email" or "message" field) then you know it's spam.
>
> As long as it's labeled correctly, you shouldn't have any problem with
> usability as people should be smart enough to leave it blank if you tell
> them to do so.
>
> Now, this didn't kill all of the spam, but it did cut back on false
> positives and failures due to the captcha.  It also still caught the
> majority of spam on the few forms I used it on... it got about an 80% capture
> rate... which is good enough for me.  I can deal with a little spam...
>
> The rule should be to err on the side of human...
>
> Joshua McDonald
> Grow Interactive
> www.thisisgrow.com
> 757-248-5274
> 757-248-5275 (f)
>
> On Nov 18, 2008, at 3:47 PM, Andrew Jaswa wrote:
>
>> In my ongoing crusade against CAPTCHAs:
>> http://www.docstoc.com/docs/1048763/Worst-Captchas-of-All-Time
>>
>> I didn't make this... but I think it shows why using CAPTCHAs is bad.
>> really bad...
>>
>> --
>> Andrew Jaswa
>> andrewjaswa.com
>> wsuug.org
>> _______________________________________________
>> Wsuug mailing list
>> Wsuug at list.wsuug.org
>> http://www.thelinuxlink.net/mailman/listinfo/wsuug
>



-- 
Andrew Jaswa
andrewjaswa.com
wsuug.org
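
Added example, not part of the original messages: a server-side sketch of the checks discussed in this thread (a decoy field that must stay blank, a simple question, a ban list, URLs as a red flag). The field names, ban list, verdict names and sample submissions are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# All names and values below are constructed for this example.
HONEYPOT = "email"                 # decoy field hidden from humans, must stay blank
QUESTION, ANSWER = "fire", "hot"   # "is fire hot or cold?"
BAN_LIST = {"casino", "pills"}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def classify(body):
    """Classify a urlencoded POST body; returns (verdict, reasons)."""
    form = parse_qs(body, keep_blank_values=True)
    reasons = []

    # A repeated parameter must not slip a value past the check,
    # so inspect every value submitted under the decoy name.
    if any(v.strip() for v in form.get(HONEYPOT, [])):
        reasons.append("honeypot filled")

    message = " ".join(form.get("message", []))
    words = set(re.findall(r"[a-z0-9]+", message.lower()))
    if words & BAN_LIST:
        reasons.append("banned word")
    if reasons:
        return "spam", reasons

    # A wrong answer may be a human typo: ask again instead of discarding.
    answer = form.get(QUESTION, [""])[-1].strip().lower()
    if answer != ANSWER:
        return "retry", ["question failed"]

    # A URL is only a red flag: hold for moderation, do not drop.
    if URL_RE.search(message):
        return "review", ["contains url"]
    return "accept", []


SAMPLES = {  # constructed submissions
    "human": "contact=a%40example.org&email=&fire=Hot&message=See+you+at+the+meeting",
    "bot": "contact=x%40example.net&email=x%40example.net&fire=hot&message=hi",
    "link": "contact=b%40example.org&email=&fire=hot&message=notes+at+http%3A%2F%2Fexample.org%2Fn",
    "typo": "contact=c%40example.org&email=&fire=hto&message=hello",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
```

Only the decoy field and the ban list produce a hard "spam" verdict here; the question and the URL check fall back to a retry or to moderation, so a human mistake does not discard the message.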

