What is a good invisible captcha?

Question

What is a good invisible captcha? My site requires JavaScript so anything which requires that is fine.

Read the answer here:
http://stackoverflow.com/questions/450835/how-do-you-stop-scripters-from-slamming-your-website-hundreds-of-times-a-second

And this question is not System admin related. The better place to ask would have been stackoverflow.com — Richard West, Jun 09 '09 at 21:06

score 48 · Answer 1 · answered Jun 09 '09 at 21:13

48

Add a new input field, label it "Please leave blank", hide it using CSS, and ignore the post if that field is filled in. Something like this:

<style type='text/css'>
#other_email_label, #other_email {
    display: none;
}
</style>
...
<form action='mail'>
<label id='other_email_label' for='other_email'>Please leave blank:</label>
<input type='text' name='other_email' id='other_email'>
...
</form>

So a human being won't see that field (unless they have CSS turned off, in which case they'll see the label and leave it blank) but a spam robot will fill it in. Any post with that field populated must be from a spam robot.

answered Jun 09 '09 at 21:13

RichieHindle

272,464
47
358
399

12

This seems nice, but it won't work if your site is specifically targeted - i.e. manually, somebody wants to inspect your form to fill your site with garbage. By looking at your HTML code they will realize they need to leave that field blank, so when creating the robot they take that into consideration and they are done. This only works for 100% automated spiders, looking to spam sites with links to others, but not if your site is the specific target for an attack. – Seb Aug 15 '09 at 16:55
Nice idea, but as a matter of curiosity, why would anybody browse with CSS turned off? – Dónal Oct 09 '09 at 14:04
@Don: One reason would be that they're using (or simulating the use of) a text-only browser or a screen reader. – RichieHindle Oct 09 '09 at 15:00
Browsers can autofill those fields anyway. For instance, Chrome will put your email into every it sees. If autofilling is on. – Alex from Jitbit Feb 11 '11 at 09:47

score 12 · Answer 2 · answered Jun 09 '09 at 20:51

Here's a simple math captcha by Phil Haack. It even works with javascript disabled.

In his own words:

The way it works is that it renders some javascript to perform a really simple calculation and write the answer into a hidden text field using javascript. When the user submits the form, we take the submitted value from the hidden form field, combine it with a secret salt value, and then hash the whole thing together. We then compare this value with the hash of the expected answer, which is stored in a hidden form field base64 encoded. If javascript is disabled, then we render out the question as text alongside a visible text field, thus giving users reading your site via non-javascript browsers a chance to comment.

the only problem is if the bot DOES have js than it will be useless. — My1, Dec 05 '16 at 22:11

score 5 · Answer 3 · answered Jun 09 '09 at 20:48

5

I've used the technique of a Display:None text box, and rejecting any submission that fills it in and had pretty good luck with that.

answered Jun 09 '09 at 20:48

Aric TenEyck

8,002
1
34
48

The "honeypot" method. Won't work on a high profile site like YouTube, Twitter, etc, but has worked very effectively for me. – Matthew Groves Jun 09 '09 at 20:50

score 1 · Answer 4 · answered Dec 13 '16 at 12:52

1

For what it's worth Google is rolling out 'Invisible ReCAPTCHA' (https://www.google.com/recaptcha/intro/comingsoon/invisible.html), I already got whitelisted with my site. At the moment implementing it, however the docs aren't that elaborated...:)

answered Dec 13 '16 at 12:52

evertjes

76
5

score 0 · Answer 5 · answered Jun 05 '19 at 02:03

0

MTCaptcha is a reCaptcha alternative captcha service that supports invisible captchas similar to the recently launched reCaptcha V3, where its invisible to most users but shows a captcha if it feels the traffic is risky.

answered Jun 05 '19 at 02:03

David Lightman

14
1

Evgeny · Answer 6 · 2009-06-09T22:17:32.213

-1

If you mean - use captcha that a human can't see as a human validation test - i think it's impossible.

This way a robot ignoring the captcha will pass for a real person! Seems like a trap for a naive spam robot.

If you want your captcha-protected site to work with clients that have no javascript - then you should hardcode it into html.

Also, if you can reliably identify trusted users (either by judgment call or by detecting some usage pattern) - you can let them post to your site without captcha.

edited Jun 09 '09 at 22:17

answered Jun 09 '09 at 21:32

Evgeny

10,698
9
60
70

A practical application of the honeypot technique shows it has been highly effective for [nearly a decade](http://www.kodewerx.org/forum/viewtopic.php?p=73950#p73950). And a few years ago I combined the honeypot with a [fill-in-the-blanks Q&A](http://www.kodewerx.org/forum/viewtopic.php?p=80205#p80205) challenge that is difficult for AI. e.g. Google can't answer these questions but most kindergarteners can. – Jason Oster Feb 21 '17 at 23:31

What is a good invisible captcha?

6 Answers6

Linked