Different kinds of CAPTCHA
Thursday, 26. April 2007, 18:27:17
Most of us have probably seen a CAPTCHA image: an image with some fuzzy lines, noise and stuff and a bunch of letters that we are supposed to type into a box to verify that we are indeed human and not a computer.
There are other types of tests to determine whether one is a human or not, some even better than the images... but for some reason they aren't used as widely as images.
Let's look at some different methods to determine the users' humanity.
The simplest version of a different test is just to have a textbox and a static message such as "type foobar into the box". Most spambots can't figure out even such simple things.
Other versions of this include simple math problems such as 2+2=? or an item the user must choose from a dropdown list.
Other quite simple methods include checking whether two fields in your form contain the same value. For example, if you have a first name field and a last name field, it's highly unlikely that both should contain the same value. Is there anyone called Peter Peter? Don't think so.
Another approach is to check for HTML input in fields which shouldn't require any.
A slightly more complicated approach is to create a fake name field. Most spambots will try to fill in fields that have the name attribute set to things such as "name" or "firstname". So in addition to the actual fields, add a field with a name like that and hide it with CSS. Because bots can't parse CSS, they will see the field and fill it, so you simply check whether the field is filled, and if it is, you know it's a bot. Some precautions are in order, though: text-only browsers might ignore the CSS that hides the field, so you should add some text next to the field telling the user to leave it empty.
You can also check the browser headers. 99% of real browsers fill in the Accept-Language and Accept headers, so if they are empty, you have a bot.
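The checks described above, combined into one server-side validation function. This is an added example, not code from the original post; the field names (`first`, `last`, the decoy `name`, `challenge`) and the sample submissions are assumptions constructed for illustration.

```python
import re

HONEYPOT_FIELD = "name"            # assumed decoy field, hidden from humans with CSS
CHALLENGE_FIELD = "challenge"      # assumed field for the "type foobar" test
CHALLENGE_ANSWER = "foobar"
PLAIN_TEXT_FIELDS = ("first", "last")  # assumed real fields that never need HTML
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def bot_signals(form, headers):
    """Return the names of the checks a submission failed (empty list = looks human)."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    signals = []
    # Fake field: a human never sees it, so any content means a bot filled it.
    if form.get(HONEYPOT_FIELD, "").strip():
        signals.append("honeypot-filled")
    # Static challenge: compare after trimming and lower-casing.
    if form.get(CHALLENGE_FIELD, "").strip().lower() != CHALLENGE_ANSWER:
        signals.append("challenge-wrong")
    # First and last name should not be identical.
    first = form.get("first", "").strip().lower()
    last = form.get("last", "").strip().lower()
    if first and first == last:
        signals.append("duplicate-name")
    # HTML markup in fields that should be plain text.
    if any(HTML_TAG.search(form.get(f, "")) for f in PLAIN_TEXT_FIELDS):
        signals.append("html-in-text-field")
    # Real browsers send Accept and Accept-Language.
    for h in ("accept", "accept-language"):
        if not hdrs.get(h):
            signals.append("missing-" + h)
    return signals


# Constructed sample submissions: (form fields, request headers).
HUMAN = ({"first": "Ada", "last": "Lovelace", "name": "", "challenge": "foobar"},
         {"Accept": "text/html", "Accept-Language": "en-GB"})
BOT = ({"first": "<b>pills</b>", "last": "<b>pills</b>", "name": "pills", "challenge": ""},
       {"User-Agent": "x"})

if __name__ == "__main__":
    print(bot_signals(*HUMAN))  # no failed checks
    print(bot_signals(*BOT))    # every check fails
```

Returning the list of failed checks rather than a single yes/no lets the site log which test caught a submission and decide how many signals are needed before rejecting it.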
The methods mentioned above are as foolproof as using scrambled images. Also, a user with disabilities might not be able to see the fuzzy image at all, so there are also usability issues with using images to detect bots. On a high-traffic site, generating images may also take considerable amounts of processing power.
So why aren't different methods used instead of images?
Why not switch to those tasks which humans find easy but computers find hard?
If everybody used "2+2=" it wouldn't take the botwrights long to figure out ways of answering this, and the current craze for letters+digits+noise can produce images that even humans find hard to decipher, but we can recognise famous faces (even allowing for cultural differences, there are some people who should be recognisable to pretty much all the online population), distinguish between cats and dogs, call a spade a spade, etc.
Sites need not use precious processing power to generate these images, just choose them from a pool, and they can be large and clear enough for anybody able to see the screen.
PS: I keep getting a security code error with this!
By anonymous user, # 5. November 2007, 20:23:08
By zomg, # 6. November 2007, 04:46:14