Ditch Captchas And Give Folks Some Honey


You know what are absolutely terrible? Captchas. Verify you’re a human? Hardly. Verify you’ve been taking illicit drugs that make text on acid look legible? More like it.

Captchas and Accessibility
Also, have you researched the effects of captchas on accessibility? I’ll help you out here, they are TERRIBLE for accessibility!

If you’re going to spend the cash and time to build a fabulous web presence, why would you make it difficult for people to register to obtain your products and services?

Captchas are the lazy way out that costs you business. Ever run analytics on abort rates for your site when people hit a captcha?

Your Argument
But there are bots! And they are spamming my site! I NEED to use a captcha!

No, actually you don’t. Check out the honeypot method. You put a fake field in your form and position it off screen with CSS. Most bots can’t tell that the field is hidden, so they fill it out, and you can flag those registrations as spam. Real people who are registering won’t see the field at all.

Flip the Paradigm
Using the honeypot method, you flip the paradigm. You make the bots prove they are human, instead of slowing down and irritating the people who have taken the time to visit your site and who just want to register and give you their money.

It Works!
A majority of the research I’ve come across has shown the honeypot method to be highly effective at blocking most spam bots.

What If…
But what if someone uses autofill to complete their form, or has CSS turned off in their browser? Or you’ve tried honeypot and your bot attacks were too advanced?

Then use honeypot as your first line of defense, and if the hidden field IS filled in, THEN display a captcha as a final step. It’ll wipe out your spam bots and give folks using autofill a chance to finish registration without severely irritating the rest of your customer base.
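Here is the whole flow from the two sections above in working form: a registration form with a CSS-hidden honeypot, a server-side check that escalates to a simple-addition challenge when the field is filled (so autofill and CSS-off visitors can still finish), and verification of that challenge. This is an added example written for this page, not code from the original post or from Karl Groves' article. It also folds in the rotating-field-name idea raised in the comments by deriving the honeypot's name per session with an HMAC, so a bot can't just ignore a fixed field name. `SERVER_SECRET`, `session_token` and the `handle_post` function are assumptions standing in for whatever secret storage and session handling your application already has; the question is produced as plain text here, and rendering it (as an image rather than text, which the comments note is easy for a bot to solve) is left to your template layer.

```python
# Added example (not code from the original post or from Karl Groves' article):
# honeypot field with CAPTCHA escalation, as the post describes.
# Assumptions: SERVER_SECRET and session_token are placeholders for a real
# secret and a per-visitor session id that the application already tracks.
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-example-secret"  # assumption: load from config in practice


def honeypot_field_name(session_token: str) -> str:
    """Derive the hidden field's name from the session token.

    A fixed name such as "url" is easy to put on a bot's ignore list; deriving
    it per session (the rotating-name idea raised in the comments) means the
    bot has to parse the rendered HTML instead of matching a known name. HMAC
    keeps the server stateless: it recomputes the name when the form posts.
    """
    tag = hmac.new(SERVER_SECRET, session_token.encode(), hashlib.sha256).hexdigest()
    return "contact_" + tag[:12]


def render_form(session_token: str) -> str:
    """Registration form with the honeypot positioned off screen via CSS.

    tabindex="-1", autocomplete="off" and aria-hidden keep keyboard, autofill
    and screen-reader users out of the trap; a CSS-less browser still shows it,
    which is why a filled field escalates to a challenge rather than a reject.
    """
    hp = honeypot_field_name(session_token)
    return (
        '<form method="post">\n'
        '  <label>Name <input name="name"></label>\n'
        '  <label>Email <input name="email" type="email"></label>\n'
        '  <div style="position:absolute;left:-9999px" aria-hidden="true">\n'
        f'    <label>Leave this field empty <input name="{hp}" tabindex="-1" autocomplete="off"></label>\n'
        '  </div>\n'
        '  <button type="submit">Register</button>\n'
        '</form>'
    )


def classify_submission(form: dict, session_token: str) -> str:
    """Return "accept" when the honeypot is untouched, "challenge" when it was filled."""
    hp = honeypot_field_name(session_token)
    if form.get(hp, "").strip():
        return "challenge"  # bot, or an autofill / CSS-off human: show the CAPTCHA
    return "accept"


def _answer_tag(session_token: str, answer: str) -> str:
    """HMAC binding the expected answer to this session, so nothing is stored server-side."""
    msg = f"{session_token}:{answer}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_challenge(session_token: str) -> tuple:
    """Second line of defense: a simple addition question plus the tag of its answer.

    The question is returned as text; rendering it as an image (per the comments,
    plain text is trivial for a bot) is the template layer's job.
    """
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    return f"What is {a} plus {b}?", _answer_tag(session_token, str(a + b))


def verify_challenge(session_token: str, answer: str, tag: str) -> bool:
    """Constant-time check of the submitted answer against the HMAC tag."""
    return hmac.compare_digest(_answer_tag(session_token, answer.strip()), tag)


def handle_post(form: dict, session_token: str) -> str:
    """Full flow: register, show the CAPTCHA, or verify an attached challenge answer."""
    if classify_submission(form, session_token) == "accept":
        return "registered"
    if "challenge_answer" in form and "challenge_tag" in form:
        ok = verify_challenge(session_token, form["challenge_answer"], form["challenge_tag"])
        return "registered" if ok else "rejected"
    return "show_captcha"


if __name__ == "__main__":
    token = secrets.token_hex(8)
    print(render_form(token))
    human = {"name": "Ada", "email": "ada@example.org"}  # constructed sample submission
    print(handle_post(human, token))  # registered
    bot = dict(human, **{honeypot_field_name(token): "http://spam.example"})  # constructed
    print(handle_post(bot, token))  # show_captcha
```

The only state the server keeps is the session token it already had: both the honeypot's name and the challenge answer are recomputed from it, so the check survives load-balanced deployments without a shared cache.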

If You Must… Use Simple Addition
And for the love of all things holy, if you must use captcha as a second line of defense, make it simple addition rather than words on acid or sounds with awful background noise or flash animations that make you lose all of your mobile sales. (This actually happened to me recently when I tried to complete a purchase: “Drag all the basketballs into the hoop to prove you’re a human and complete your purchase!” I’d love to if I could see them at all!)

Love your customers and staying in business? Then give them some honey rather than captcha induced migraines.

(Want to give this a try? There’s a great article by Karl Groves with some code to get you started! http://www.karlgroves.com/2012/04/03/captcha-less-security/ Big thanks to Deborah Edwards-Onoro @redcrew for sharing this gem!)


12 thoughts on “Ditch Captchas And Give Folks Some Honey”

  1. Hi Jennifer,

    Thank you for the post recommending honeypots instead of CAPTCHAs. Honeypots are one of my favorite strategies to combat spam.

    Jennifer, not sure if you’ve seen it, Karl Groves’ post on CAPTCHA-less security describes the mechanics behind creating a honeypot, as well as other security methods.

    http://www.karlgroves.com/2012/04/03/captcha-less-security/

  2. David Mead says:

    Nice post. Glad to see advocacy of a layered approach that fits more with the ‘adaptive’ way of building websites we seem to be following these days. Also great for mobile.

  3. jma245 says:

    This is a great article about the financial implications of CAPTCHAs as well!
    http://ccollingridge.overblog.com/the-cost-of-captcha

  4. Matthew Flaschen says:

    Can you add links to some of the research supporting the approach? I think the fundamental problem is that a bot can be explicitly coded to ignore certain fields (or to only fill in an explicit list of fields, which is pretty straightforward). So once your site is no longer small (not worth bothering with), people will explicitly target it.

    You address this with:

    “Or you’ve tried honeypot and your bot attacks were too advanced?

    Then use honeypot as your first line of defense, and if the hidden field IS filled in, THEN display a captcha as a final step.”

    But an advanced bot is not going to fill it in, so the second line of defense will just be bypassed.

    The article also suggests:

    “if you must use captcha as a second line of defense, make it simple addition rather than words on acid or sounds with awful background noise or flash animations that make you lose all of your mobile sales.”

    This may work if the math is an image, and reasonably hard to parse with OCR. However, plain text (e.g. “2 plus 3”) is not going to work. There is a CAPTCHA plugin for MediaWiki that works like this (https://www.mediawiki.org/wiki/Extension:ConfirmEdit#SimpleCaptcha_.28calculation.29), and there are unsurprising reports that it is ineffective.

    Computers are very good at basic math, and requiring simple parsing (e.g. the text ‘minus’ means a subtraction operation) does not make it any harder.

    • jma245 says:

      Hi Matthew! You bring up some excellent points in your comment! This article’s primary focus was to come up with an accessible alternative to CAPTCHAS. You are absolutely correct, bots become smarter every day, and this solution may not be the best choice for larger sites that deal with advanced bot attacks on a regular basis. I’ll try to answer your questions!

      1. Research: In the months since this article was written I experienced a MacBook crash and burn. The document that contained my research links didn’t make it through the war, I deeply apologize that I’m not able to share those with you.

      2. “But an advanced bot is not going to fill it in, so the second line of defense will just be bypassed.” There is a great article by Ryan Johnston that outlines some modifications he’s made to the classic honeypot method, to try to keep up with, and battle the increasingly intelligent bots. He had an interesting take on it that you may be interested in checking out here: http://www.smartfile.com/blog/captchas-dont-work-how-to-trick-spam-bots-with-a-smarter-honey-pot/

      3. CAPTCHAS: As far as CAPTCHAS go, I agree that using an image that contains a math problem is the best solution, since bots are most definitely math pros and plain text isn’t much of a defense.

      Have you come across any accessible CAPTCHA alternatives that you feel would work more effectively? I love hearing about how other folks approach this complex ever present problem!

      Thank you so much for taking the time to comment on my post!

      • Matthew Flaschen says:

        Thanks for the reply. 🙂

        I agree honey pots can be made smarter, though it’s still not the same as a CAPTCHA. The idea of using random field names that change each time (which is brought up in Ryan’s article) should definitely help. It can still be defeated, but it requires the bot read the HTML and figure it out based on position.

        Wikimedia is not using an accessible CAPTCHA yet. However, MediaWiki and its extensions (the software we use) does have various techniques that reduce the need for CAPTCHAs.

        There is an extension which allows filters to run which can detect (and optionally either warn or block) certain forms of abuse (e.g. certain link spamming, strings of curse words). Also, certain external links are simply blocked based on a blacklist.

        Some actions (e.g. page moves, emails) are throttled, which reduces how fast undetected bots can take actions.

        We also only show CAPTCHAs for new users (which includes signup). Usually, bots will be caught before they are considered no longer new.

        In general, even for new users, there is no CAPTCHA on editing. However, one is shown if an external link is added by new users. Similarly, a CAPTCHA is shown after there is an invalid password a certain number of times (but not on regular logins).

      • jma245 says:

        Thank you for sharing this info Matthew!

      • Matthew Flaschen says:

        Also, Wikipedia provides additional ways to take actions for people who can’t see the CAPTCHA. E.g. https://en.wikipedia.org/wiki/Wikipedia:Request_an_account .

  5. josevader says:

    Jennifer, you are too good. I love what you do.
