alternative captcha methods

Question

I'm looking for inspiration here. I need to employ some sort of human verification for my website, but the most common method these days (asking users to type the letters & numbers they see in an image into a text input box) seems a little rubbish - I find it hard sometimes to work out what the letters & numbers are.

There must be a better way!

I've had a few ideas, the best one seems to be to show users a series of images (4-6), and ask them to answer a question based on the contents of the images, such as:

(show some geometric shapes) "Which image has 3 sides?"

or

(show picture of animals) "which animal can fly?"

This has the advantage of being easy to program, and hopefully easy to pass.

Can anyone think of any other approaches to this problem? Or possibly spot flaws in the system outlined above? Is it possible to make such systems both easier for humans to pass, and harder for bots to pass?

Answer 1

Try using a question challenge system where a simple question demands a simple cognitive response. For example ask a user to answer the following example question:

Three cars on the street can see three more cars. How many total cars are there?

Technology is not so advanced that a bandwidth sensitive bot is capable of answering such a question and yet the question is easy to answer. A user must enter three or 3 to verify they are a human and not a machine. You would have to have a large enough bank of questions that a bot would not simply ping your site looking at questions to record so that it may return with answers in hand.

Answer 2

I particularly like the "which animal can fly" example. Simple & Effective.

But this kind of thing could be abused. It wouldn't be difficult to give it a cultural bias — or a perceived one.

And, as austin cheney showed, it could easily become a sort of intelligence test, and you would have an Accessibility problem.

Answer 3

Try using an ajax based submission process that's triggered by clicking a normal button (not a submit button), it's really easy with jQuery.

As far as I can tell, spambots don't have javascript.

If you're worried about users without javascript enabled, I think it's perfectly ok to have them unable to submit the form. If they can't trust you to enable javascript on your site, it's not your fault that they can't use the website to its fullest extent.

EDIT:

Also see: Practical non-image based CAPTCHA approaches?

The problem though, if someone is targeting your site purposely, this kind of technique won't work.

EDIT2:

I can't provide a link to a real life example, but I blogged about it with a bit more details, so here's some sample code:

function submit_form()
{
    jQuery.ajax({
      "type": "POST", // or GET
      "url": 'action_url', // The url you wish to send the data to, the url you'd put in the "action" attribute on the form tag
      "data": jQuery("form#the-form").serialize(), // The data you'll send. You need to get the form somehow. Easiest way is to give it an id.
      "dataType": "json", // Only put this if the server sends the response in json format
      "success": function(data, textStatus) // server responded with http status 200
        {
            // This is the happy case: server response has arrived
        },
      "error": function(req, textStatus, errorThrown) // maybe HTTP 404 or HTTP 500
        {
            // something went wrong, the response didn't go through or the response didn't come. Handle the situation: let the user know, or something.
        },
      "complete": function(req, textStatus) // This one always gets called anyway
        {
            // cleanup after yourself
        }   // XXX careful: if you put a comma here, IE6 will fail
      });
}