Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why the CAPTCHA Approach Is Doomed

Posted by timothy on from the how-do-you-feel-about-are-you-a-human dept.

TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users, won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."

3 of 522 comments (clear)

  1. That wooshing sound.... by ivan256 · · Score: 5, Insightful

    ...is the point going right over the author's head.

    A CAPTCHA works well enough for the same reason greylisting works well enough. They may be trivial to bypass (for some definition of 'trivial'), buy many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.

  2. Stuck in the old ways by Anonymous Coward · · Score: 5, Insightful

    Everyone seems to think that the answer to this is to challenge the user somehow. Why isn't a technical solution possible that doesn't require any interaction from a person?

    On my own contact forms, I use a really simple obfuscation technique, it doesn't require any user interaction, and I don't get any spam. I've chosen to name my form elements with meaningless names, because obviously automated spammers rely on field names to fill in the blanks. If they see a form like this:

    <input type="text" name="email">
    <input type="text" name="subject">
    <input type="text" name="message">

    Obviously it's pretty easy to fill out. If they see this instead:

    <input type="text" name="sj38d74j">
    <input type="text" name="9sk2i84h">
    <input type="text" name="m29s784j">

    Then they probably won't even make it past the email validation part, unless they catch the error that my page is printing and try all combinations (or get lucky).

    It makes it even more effective when you use fields with good names, but hide them from users with either CSS or Javascript:

    <input type="text" name="email" style="display: none;">

    That's a honeypot, if it's filled out then it's a robot. You can use the same CSS or Javascript techniques to also print messages informing users not to fill those out if their browser decides to not run my code and instead shows them.

    Really simple solution, requiring no user interaction, and is at least if not more effective than a challenge and response type of solution. I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now.. at least my own inbox is spam-free though.

  3. Re:My solution is simple & elegant: by lewiscr · · Score: 5, Insightful

    Limit the email the account can send, and you reduce the desire for the account. Reduce the usefullness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.

    Doesn't this increase the desire to get more accounts faster?