
Hello guys, I have been using ReCaptcha in my app's register forms. I have seen a lot of examples of captcha in signup forms. My question is about implementing a custom Captcha: when a user registers, I send a confirmation email and an auto-generated code/passphrase/Turing test that is converted into an image with some sort of effects to distort it. Since we are sending a confirmation email anyway, why not use it for a Turing test and get rid of the captcha in the form?

I understand that the advantages/disadvantages can be:

1) If the user has entered an incorrect email then he won't get access to the Turing test, but that is the whole point of a confirmation email.

2) The distorted image may not be readable and/or refreshable, but since we are just distorting something that is autogenerated by code, we can make it a little bit more readable than the scanned images that captcha uses.

I can only think of the above two situations. Please point out anything else that you think should be taken into consideration.

Flood Gravemind
  • There's the fact that many people have images disabled by default in their email to prevent you from tracking when they read it. – Paul Oct 04 '13 at 15:59
  • One benefit of using Captcha on registration is to thwart scripts that very quickly register millions of bogus accounts, filling your database. Wouldn't you lose that doing as you propose? – hatchet - done with SOverflow Oct 04 '13 at 15:59
  • @hatchet they may make millions of bogus accounts but they need millions of email addresses to confirm registration. Besides, we only do a temporary registration without any privileges until the user has confirmed his email and passed the Turing test. We just redirect them to a special page asking to confirm email. – Flood Gravemind Oct 04 '13 at 16:02
  • @Paulpro we can also Turing test them with language questions. – Flood Gravemind Oct 04 '13 at 16:04
  • They could just generate random bogus emails. They don't care if they don't get the email if their goal is just to overload or mess up your system by filling up your database with crap registrations. Where do you store the temporary registration info? – hatchet - done with SOverflow Oct 04 '13 at 16:04
  • @hatchet If you have good DDoS protection I am sure this can be overcome. There are a lot of sites that don't use Recaptcha at all and still run fine. – Flood Gravemind Oct 04 '13 at 16:13

1 Answer

Having a CAPTCHA that covers the registration process is important to protect you from bots whose sole purpose is to generate as many users as possible with the intent of using those users to post/add content on your site with links back to a site that they are trying to improve SEO on. This is only one way in which malicious users can utilize multiple accounts on a site for their own purposes.

The registration email protects your users as much as you by creating a means of resetting lost passwords, proving ownership, etc.

Both parts should be included when validating users. I also recommend running IP counting on new user attempts. Typically, locking after the 2nd user created is fairly safe as long as you provide a link that states why they have been prevented and a means of creating additional accounts on that IP.

None of these procedures is failsafe but together they provide a medium level of anti-spam protection. Of course, these days people defer user maintenance to social media sites like Google and Facebook.

Community
Nathaniel Johnson
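
The per-IP counting recommended in the answer could look like the following sketch. It is an added example, not code from the answer or the question; the 24-hour window, the help URL and the exemption list are assumptions, since the answer only gives the threshold of two accounts and the requirement to explain the block.

```python
import time
from collections import deque

MAX_ACCOUNTS_PER_IP = 2                # from the answer: lock after the 2nd account
WINDOW_SECONDS = 24 * 60 * 60          # assumption: the answer names no time window
HELP_URL = "/help/registration-limit"  # hypothetical page stating why and how to appeal


class RegistrationLimiter:
    """Counts accounts created per client IP inside a sliding time window.

    In-memory for illustration; several web workers would need a shared store.
    """

    def __init__(self, max_accounts=MAX_ACCOUNTS_PER_IP,
                 window=WINDOW_SECONDS, clock=time.time):
        self.max_accounts = max_accounts
        self.window = window
        self.clock = clock
        self._created = {}     # ip -> deque of account-creation timestamps
        self._exempt = set()   # IPs approved for more accounts (office NAT, school)

    def exempt(self, ip):
        """Grant an IP the 'means of creating additional accounts'."""
        self._exempt.add(ip)

    def check(self, ip):
        """Return (allowed, help_url); call before showing or processing the form."""
        if ip in self._exempt:
            return True, None
        stamps = self._created.get(ip)
        if not stamps:
            return True, None
        cutoff = self.clock() - self.window
        while stamps and stamps[0] <= cutoff:
            stamps.popleft()           # forget creations older than the window
        if not stamps:
            del self._created[ip]      # keep the table from growing without bound
            return True, None
        if len(stamps) >= self.max_accounts:
            return False, HELP_URL     # blocked: caller links to the explanation
        return True, None

    def record(self, ip):
        """Call only after the CAPTCHA passed and the pending account was stored."""
        self._created.setdefault(ip, deque()).append(self.clock())
```

The `ip` argument should be the peer address seen by the server or by a proxy you control; a client-supplied `X-Forwarded-For` value can be set to anything and would let a script bypass the counter.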