It’s 2016! Why are we still using CAPTCHA?

PINT, Inc.
4 min read · Jul 29, 2016

CAPTCHA is a common sight around the web and it can be frustrating. We recently had a client request CAPTCHA, and it made us think… there’s got to be a better solution to web form SPAM. Right?

Why CAPTCHA?

CAPTCHA protects sites displaying or collecting data with tests that humans can pass but bots cannot. CAPTCHA stands for Completely Automated Public Turing Test To Tell Computers and Humans Apart. These tests have been part of our web experience since about 2000.

https://twitter.com/oppsilence88/status/735099253417246723

Aside from freaking out sentient robots, CAPTCHAs do serve a purpose. They are commonly found during online activities such as:

  • Submitting a form
  • Posting a comment
  • Completing registration

But there are also many drawbacks to using CAPTCHA:

  • It can degrade the user experience if entered incorrectly
  • It can present accessibility issues for people when it comes to deciphering the codes
  • It creates a security arms race: CAPTCHA technologies progress to make it hard for bots, bots respond. Actual users get stuck in between.

CAPTCHA, bugging humans since 2000.

Have you noticed CAPTCHA can be hard? What if this challenge means you are blocking bots but also losing human users? Research shows that while CAPTCHA are getting harder for bots to break, they are also getting harder for humans to decode.

Recently at PINT, a client requested to use CAPTCHA on their site to prevent form SPAM. They were preparing to launch a new site design and wanted to ensure the leads coming through their contact form were clean. But why CAPTCHA? It is not necessarily the right solution.

Most bots scraping site forms are not tailored to a specific site, unless:

  • You’re running the website of a large corporation
  • Your business is one commonly at risk for a security attack

Therefore, CAPTCHA may be the better choice, but only in certain use cases.

PINT’s CAPTCHA Solution

People have pretty strong feelings about CAPTCHA. Those feelings came to light when some PINT team members were discussing our client’s form SPAM issue. One senior team member compared CAPTCHA to DEFCON-5. So our challenge was set to find something less off-putting.

PINT employed a strategy to prevent form SPAM called the honeypot technique. It is a different methodology than CAPTCHA that capitalizes on the default behavior of bots. A honeypot lures bots into exposing themselves and leaves the humans alone.

In this case, we added an empty form field in the code, but one that a user doesn’t see. Since it is not visible to the human eye, a human user would not fill it out. But a bot would, because bots see what’s in the code, not what’s visible on the page.

Once we detect that the form field has an input, we can reasonably assume that this was not the work of an actual human being. Validation on the client side flags it and the form submission fails. If JavaScript is disabled, server-side validation will pick it up. And even though it’s a bot, we will display an error message on the page saying that it didn’t pass our spam validation.
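The honeypot check described above, as an added example that is not PINT’s own code: the bait field is rendered off-screen, the server rejects any submission where it has been filled in, and the client-side handler blocks the submit early when JavaScript is enabled. The field name `website_url`, the CSS, and the sample submissions are assumptions made for this example.

```javascript
// Added example (not PINT's code): a minimal honeypot check for a contact form.
// The field name "website_url" and the inline CSS are assumptions chosen for this example.
const HONEYPOT_FIELD = "website_url"; // bait field; humans never see it

// Markup for the bait field. It is moved off-screen rather than display:none
// (some bots skip display:none fields), kept out of the tab order, hidden from
// screen readers, and marked autocomplete="off" so browser autofill does not
// fill it on a real user's behalf.
function honeypotFieldHtml() {
  return (
    `<div aria-hidden="true" style="position:absolute;left:-10000px;top:auto;width:1px;height:1px;overflow:hidden;">` +
    `<label for="${HONEYPOT_FIELD}">Leave this field empty</label>` +
    `<input type="text" id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">` +
    `</div>`
  );
}

// Server-side check: runs on the submitted fields regardless of whether client JS ran.
// Returns the error message shown to the submitter if the bait field was filled, otherwise null.
// Whitespace-only values are ignored so a stray space cannot lock out a human.
function spamValidationError(fields) {
  const bait = fields[HONEYPOT_FIELD];
  if (typeof bait === "string" && bait.trim().length > 0) {
    return "Sorry, your submission did not pass our spam validation.";
  }
  return null;
}

// Client-side equivalent: attach to the form so a filled bait field blocks the
// submit before the request is sent (browser only; never called when run in Node).
function attachClientCheck(form) {
  form.addEventListener("submit", (event) => {
    const input = form.elements[HONEYPOT_FIELD];
    if (input && input.value.trim() !== "") {
      event.preventDefault();
      // Same message the server would return, so bots and humans see one behaviour.
      alert(spamValidationError({ [HONEYPOT_FIELD]: input.value }));
    }
  });
}

// Constructed sample submissions: a human leaves the bait empty, a form-filling bot does not.
const humanSubmission = { name: "Ada", email: "ada@example.com", message: "Hi", website_url: "" };
const botSubmission = { name: "Ada", email: "ada@example.com", message: "Buy now", website_url: "http://spam.example" };
```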

Benefits

  • This method is virtually seamless for the user and does not degrade user experience. Users don’t have to guess images or figure out what an upside down backwards piece of text is saying. A good move might be to try this first and see how well it reduces your SPAM and improves your user experience.
  • It doesn’t require the use of another API or integrating another service onto your page, thus saving on bandwidth and load times.

Drawbacks

  • This doesn’t offer as much security as the reCAPTCHA API would, but it should still work for the majority of clients who aren’t the specific target of security attacks. If you’re a bank, hospital, or other likely target, you’ll likely still want the rigor of a full-on Turing test like CAPTCHA.
  • If a hacker is targeting your site specifically, they will most likely tailor a bot to your site that mimics human-like behavior and bypasses the form check. (Nothing is 100%.)

Google and the Future of CAPTCHA

The honeypot technique is just one option when it comes to form security. There are some changes web users can expect to see in the future from Google in this area as well. One you may already be seeing is the reCAPTCHA that detects human-like mouse movements to verify a real user is submitting a form.

The other is an invisible reCAPTCHA option:

In talking about implementing CAPTCHA on the average website, our Solutions Architect said, “There’s no need to use a sledgehammer to kill a fly.” Need a flyswatter?

This post was originally published on the PINT, Inc. blog.