Need suggestions/ideas for easy-to-use but secure captchas

To start with, I am well aware of the security/usability trade-off associated with captchas and do not need any explanation on that.

I know that reCAPTCHA is the state-of-the-art in captcha technology but we just do not want to use it for our site because of the difficulty faced by users to read distorted words. Our site is a study portal for students offering live online classes, so the users will be students (leaving certificate level) and teachers.

I have been searching for different ideas and found some good ones like:-

The Sesame Street Solution as given in http://www.usereffect.com/topic/2009-07-13-captcha-is-there-a-better-way.
Asking questions which are very easy for humans like "which one tastes better or ". But how many such questions do I need to store to be safe?

My purpose of asking this question is to get as many ideas as possible. I think there are still a lot of user-friendly but secure ways I could analyse before finalizing.

Please highlight the pros and cons of the method you suggest with reference to the way spam bots work. I am not much aware of many of their strengths and weaknesses.

Thanks,

Sandeepan

Reading distorted words is one thing, but also asking legit users to enter things like this can get quite annoying. So it's important you don't burden the user with anti-spam measures.

Damien Katz has used a negative captcha to stop spam bots. This technique, also called honeypot field, is easy to implement and doesn't require the user to do anything.

A more complex honeypot implementation is described by Ned Batchelder. It involves randomized field names and hashed values to make sure bots haven't tampered with the form.

In his article he states the following:

Spammers don't make software that can post to any form, they make software that can post to many forms.

So it only takes a simple trick to confuse the majority of spam bots. A little bit more magic will take care of the remaining bots.

Regarding the Sesame Street solution, asking simple question or selecting the correct animal from a list: these are questions that are hard for spam bots to answer, but they can be difficult for users as well. Especially if your site has an international audience, people with a first language other than English may have trouble understanding the questions. It may not be an issue with your student audience, but it is something to keep in mind.

Thanks for the idea. I understand that the question does not leave any clue for the bot to answer but the fact that the answer is a multiple choice one makes the probability of blindly guessing high. I assume my site is going to be very popular. Suppose a bot targetted at my site is made. If I keep 5 options to my question, and if the bot is programmed to blindly chose the 2nd one everytime, then the probability of cracking is as high as 20%. Am I right? Is'nt that quite high? May be ticking all the cats out of the pictures will have a lesser chance of being cracked.

sandeepan 2010-07-29 06:46:33

You don't quite understand. You give them e.g. nine images and ask them to pick the 4 which are giraffes. The odds of randomly guessing correctly are 1 in (9 choose 4) or 1 in 126.

Turtle 2010-07-29 07:29:13

ok agreed that the odds are quite less, but the demerit is having to display more number of images to make the odds low. Not quite sure whether my client will approve because of the cluttering of register form. But thanks anyway.

sandeepan 2010-07-29 07:39:25

could you please explain the technique of making sure that the visiting program can evaluate JavaScript. Or at least link to some article which has the explanation. Thanks for the ideas

sandeepan 2010-07-29 06:24:42

The concept of negative captcha sounds great. But how easily can I implement it? Are there some plugins available? Also, what are the chances of somebody making site-specific bots? I assume my site will be a very popular one. How much safe this technique will be considering that? Thanks for the idea,Sandeepan

sandeepan 2010-07-29 06:25:45

Damien has written that `though this technique likely won't work on big community sites (for long), it will work just fine for most smaller sites.`

sandeepan 2010-07-29 06:35:25

Most bots target a specific forum or blog *platform*, to ensure the bot can post to any site using that platform. If you don't use a popular platform, most bots won't be able to spam your site. Implementing a negative captcha isn't difficult. Just add an empty text field to your form, hide it from view using CSS and check if the field is still empty when the form is submitted to your server.If a bot specifically targets your site, you may have to use randomized field names, or use a traditional captcha.

Niels van der Rest 2010-07-29 07:21:11

So, will the usage of CSS prevent bots equipped with CSS techniques too? What are the odds of cracking it?

sandeepan 2010-07-29 07:52:53

If you use `display: none` on the field, some advanced bots may be able to detect it. But if you only move the field out of view by positioning it outside of the page or behind another element, it will be extremely difficult to crack. I have no statistics on its effectiveness, but it's easy to implement, so why don't you give it a try? :)

Niels van der Rest 2010-07-29 08:09:40

yes I think I will try hiding the field by putting it behind some element. I am further thinking to assign it random names and IDs. Now, the bot may be programmed to discard the only field with random names/IDs. So, I am thinking of assigning random names/IDs to some other similar input field (which is to be filled by humans) so that if the bot discards that field validation error will prevent the form from getting submitted. What do you think? This reduces the chances of cracking?

sandeepan 2010-07-29 09:34:53

Yes, that should make it even harder to crack.

Niels van der Rest 2010-07-29 10:29:56

ansaurus

tags:

views:

answers:

Need suggestions/ideas for easy-to-use but secure captchas

related questions