Alternative to Captcha?

Question

I have a simple reg form (Name, Email, Password) on my website and im looking to implement some sort of anti-bot/spam protection, Captcha seems like a very long winded way, plus they really annoy me when I see them on sites. Has anybody an alternative method to protecting against spam which is lightweight and simply integrated?

what colour is the sky? "", check if they enter blue, problematic for colour blind and and non English speakers. — , Jun 28 '11 at 23:12
Good question. I looked at Captcha for my site that I am working on now. After I read the user agreement and saw something along the lines of "we have rights to your users data" I decided that Captcha might not be a good idea. I haven't spent much time looking but I am still looking for the best way. — pllee, Jun 29 '11 at 01:29
looks like its still in development, but you might be interested following the progress of MotionCAPTCHA where the user has to trace the shape seen in the box: http://www.josscrowcroft.com/demos/motioncaptcha/ — WebChemist, Dec 07 '12 at 05:30
See if you can use slider captcha: Demo: http://www.myjqueryplugins.com/QapTcha/demo There are many alternatives listed here: http://plugins.jquery.com/plugin-tags/captcha — Arun Kumar Arjunan, Jun 29 '11 at 02:19

score 14 · Accepted Answer · answered Jun 28 '11 at 23:13

14

One alternative is to use a hidden form field as a honeypot for bots. This field can be filled using an appropriate value from Javascript, or it can just be left blank. Either way, if the value isn't what you expect, then you can treat the submission as spam. This won't stop bots that are specifically targeting your site, but it will stop most of the common spam bots that just see a form and fill it out.

answered Jun 28 '11 at 23:13

jncraton

9,022
3
34
49

11

This is something a spambot would say ;) – pllee Jun 29 '11 at 01:30
1

This can be highly effective, especially if you name your honeypot field "email" and call the real email field something else. However this can be an issue for the blind using screen readers, as some will read aloud hidden form fields. Chances are slim, but something to keep in mind if your site needs to be ADA compliant – WebChemist Dec 07 '12 at 05:33

score 5 · Answer 2 · answered Jun 28 '11 at 23:12

5

The most simple solution is to ask user solving a mathematical equation like 3 + 2. Nobody, I think, will make a spam bot for a beginning site. Or, If you want, use ReCaptcha .

answered Jun 28 '11 at 23:12

OOO ''MMM''

240
3
7

Using a javascript `eval` on `3 + 2` will get past that pretty easy. `three and two gives you:` would be a little harder to crack. – GFoley83 Jun 27 '13 at 04:23

score 4 · Answer 3 · edited Dec 30 '19 at 19:59

4

Create a JavaScript counter and start it when the user begins typing, and analyze the data with comment length.

Sample rates are:

0ms < bot
5ms < copy & paste
60sec < Real human
1hr < Elder man with Alzheimer

edited Dec 30 '19 at 19:59

the Tin Man

158,662
42
215
303

answered Jan 15 '13 at 11:44

PsyChip

89
2
9

score 4 · Answer 4 · answered Jun 29 '11 at 01:03

Captcha

They are annoying as hell, but most effective against detecting automated bots. If big sites like Google,Yahoo!,etc did not need captchas to detect bots then they would not use them because like you said they aren't very user-friendly.

OpenID

I keep repeating this but we don't need yet another username/password and I think you should be implementing openID instead to authenticate your users. I have made a library available at https://github.com/alfredwesterveld/php-openid which resembles a lot like the login which can be found at stackoverflow.com. If you want to first view a demo you could try openID on a little demo I made available at http://westerveld.name/php-openid/. When using OpenID the users probably has to perform captcha verification once to create an account.

Protecting against Bots

Spam

If for example you would like to detect if the comment is SPAM you could use something like akismet.

Akismet filters out your comment and track-back spam for you, so you can focus on more important things.

For personal blogs you can use this for free(or donate if you like product). For a small commercial blog you have to pay $5/month to detect spammy comments.

Other

Some other forms of verifying human would be:

Sent email verification with unique link or something.
Only allow users which you know are human. The rest should first proof they are users to you.

All these forms of verification could be broken and even CAPTCHA(especially simple ones) can be broken by really smart bots, but right now is the best solution against verifying.

score 2 · Answer 5 · answered Jun 29 '11 at 01:05

2

I once used "Which is hotter, fire or ice?" followed by a textbox and that stopped every spambot in its tracks. Example here

answered Jun 29 '11 at 01:05

Jason Finneyfrock

193
1
6

Don't supply a link by itself. Instead, include the significant information in the answer so _when_ the link [rots](https://en.wikipedia.org/wiki/Link_rot) and breaks the answer will be useful. "[answer]" explains it. – the Tin Man Dec 30 '19 at 20:10

Ravan Scafi · Answer 6 · 2011-06-29T00:56:54.560

1

NEW EDIT: I just implemented something like it: http://jsfiddle.net/ravan/FK4st/2/

EDIT: A better alternative is to display like 3 squares, one color each, and ask the user to click on a specific color. You can also use multiple divs overlayed with low opacity in order to get color meshs. No difference for user, but a headache for spammers.

Old Answer: You can ask something to user, like:

What day is today?

What day of the week comes after tomorow?

How much is 2+2?

Notice that it is not as secure as captcha, but should filter some spammers.

edited Jun 29 '11 at 00:56

answered Jun 28 '11 at 23:15

Ravan Scafi

6,382
2
24
32

7

first 2 are bad ideas, due to timezone issues – Jun 28 '11 at 23:19
4

your color picker in jsfiddle keeps telling me I'm a spammer when I click the right color. Also, occasionally throwing up similar colors and waht about colorblindness? – TH1981 Jun 29 '11 at 01:14
It's just the concept, it need to be implemented server side. Implemented just like one regular captcha. If color blind, display a link to a regular captcha. – Ravan Scafi Jun 29 '11 at 01:25
Please don't use "edit" or "update" tags to mark your text. See "[Should “Edit:” in edits be discouraged?](https://meta.stackoverflow.com/q/255644/128421)" "[Why is writing an “Update” section in an SO question frowned upon?](https://meta.stackoverflow.com/q/368283/128421)" "[Are Edit: and Update: notes in posts encouraged?](https://meta.stackoverflow.com/q/270775/128421)" – the Tin Man Dec 30 '19 at 20:13