It’s 2016! Why are we using CAPTCHA?

CAPTCHA is a common sight around the web and it can be frustrating. We recently had a client request for CAPTCHA, and it made us think… there’s got to be a better solution to web form SPAM. Right?

Why CAPTCHA?

CAPTCHA protects sites that display or collect data by posing tests that humans can pass but bots cannot. CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. These tests have been part of our web experience since about 2000.

Aside from freaking out sentient robots, CAPTCHAs do serve a purpose. They are commonly encountered during online activities such as:

  • Submitting a form
  • Posting a comment
  • Completing registration

But there are also many drawbacks to using CAPTCHA:

  • It can degrade the user experience if entered incorrectly
  • It can present accessibility issues for people who have difficulty deciphering the codes
  • It creates a security arms race: CAPTCHA technologies advance to keep bots out, the bots adapt, and actual users get stuck in between.

CAPTCHA, bugging humans since 2000.

Have you noticed CAPTCHA can be hard? What if this challenge means you are blocking bots but also losing human users? Research shows that while CAPTCHAs are getting harder for bots to break, they are also getting harder for humans to decode.

Recently at PINT, a client requested to use CAPTCHA on their site to prevent form SPAM. They were preparing to launch a new site design and wanted to ensure the leads coming through their contact form were clean. But why CAPTCHA? It is not necessarily the right solution.

Most bots that hit site forms are not tailored to a specific site, unless:

  • You’re running the website of a large corporation
  • Your business is one commonly at risk for a security attack

Therefore, CAPTCHA may be the better choice, but only in certain use cases.

PINT’s CAPTCHA Solution

People have pretty strong feelings about CAPTCHA. Those feelings came to light when some PINT team members were discussing our client’s form SPAM issue. One senior team member compared CAPTCHA to DEFCON-5. So our challenge was set to find something less off-putting.

PINT employed a strategy to prevent form SPAM called the Honeypot Technique. It is a different methodology than CAPTCHA that capitalizes on the default behavior of bots. A honeypot lures bots into exposing themselves and leaves the humans alone.

In this case, we added an empty form field in the code, but one that a user doesn’t see. Since it is not visible to the human eye, a human user would not fill it out. But a bot would, because it reads what’s in the code, not what’s visible on the page.

Once we detect that the form field has an input, we can reasonably assume that this was not the work of an actual human being. Validation on the client side flags it and the form submission fails. If JavaScript is disabled, server-side validation picks it up. And even though it’s a bot, we display an error message on the page saying that the submission didn’t pass our spam validation.
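The honeypot described above, written out as an added example in plain JavaScript (this is not PINT’s code). The trap field name `website_url`, the form id `contact-form` and the `/contact` route are assumptions made for the example; the server-side handler is framework-agnostic and takes an already-parsed POST body.

```javascript
// Added example, not PINT's code: a form-spam honeypot in plain JavaScript.
// Assumed names: trap field "website_url", form id "contact-form", route "/contact".

const HONEYPOT_FIELD = 'website_url';

// 1. Markup. The trap input is an ordinary text field hidden with CSS rather than
//    type="hidden", because a bot that fills "every text input" is exactly what we
//    want to catch. aria-hidden and tabindex="-1" keep it away from screen readers
//    and keyboard users, who would otherwise reach it and fill it in.
const formMarkup = `
<form id="contact-form" method="post" action="/contact">
  <label>Name <input type="text" name="name" required></label>
  <label>Email <input type="email" name="email" required></label>
  <div style="position:absolute; left:-10000px;" aria-hidden="true">
    <label>Leave this field empty
      <input type="text" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Send</button>
</form>`;

// 2. The shared rule: an absent or empty trap field passes; anything else fails.
//    A verdict object is returned so the caller can render the
//    "did not pass spam validation" message rather than silently dropping the post.
function checkHoneypot(fields, fieldName = HONEYPOT_FIELD) {
  const raw = fields[fieldName];
  const value = raw === undefined || raw === null ? '' : String(raw).trim();
  if (value !== '') {
    return { ok: false, reason: 'honeypot field was filled in' };
  }
  return { ok: true, reason: '' };
}

// 3. Server side: the authoritative check, since it runs whether or not the
//    browser executed JavaScript. Returns the HTTP status and message to send back.
function handleContactPost(body) {
  const verdict = checkHoneypot(body);
  if (!verdict.ok) {
    return { status: 400, message: 'Sorry, this submission did not pass our spam validation.' };
  }
  // ... store the lead, send the notification e-mail, etc.
  return { status: 200, message: 'Thanks, we will be in touch.' };
}

// 4. Client side: the same rule before the form leaves the browser, so the
//    error shows immediately. Only wired up where a DOM actually exists.
function attachClientCheck(formEl) {
  formEl.addEventListener('submit', (event) => {
    const fields = Object.fromEntries(new FormData(formEl).entries());
    const verdict = checkHoneypot(fields);
    if (!verdict.ok) {
      event.preventDefault();
      alert('Sorry, this submission did not pass our spam validation.');
    }
  });
}
if (typeof document !== 'undefined') {
  const form = document.getElementById('contact-form');
  if (form) attachClientCheck(form);
}

// Constructed sample submissions to exercise the server-side path offline.
const humanPost = { name: 'Ada', email: 'ada@example.com', website_url: '' };
const botPost = { name: 'Ada', email: 'ada@example.com', website_url: 'http://spam.example' };
console.log(handleContactPost(humanPost)); // status 200
console.log(handleContactPost(botPost));   // status 400
```

Two practical caveats when deploying this: keep the client and server using the same rule (here, one `checkHoneypot` function) so a submission never passes in the browser and fails on the server, and pick a trap field name that browser autofill will not recognise, otherwise real users with saved address data can be flagged as bots. `autocomplete="off"` helps but is not honoured by every browser, so the name matters too.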

Benefits

  • This method is virtually seamless for the user and does not degrade user experience. Users don’t have to guess images or figure out what an upside down backwards piece of text is saying. A good move might be to try this first and see how well it reduces your SPAM and improves your user experience.
  • It doesn’t require the use of another API or integrating another service onto your page, thus saving on bandwidth and load times.

Drawbacks

  • This doesn’t offer as much security as the reCAPTCHA API would, but it should still work for the majority of clients who aren’t the specific target of security attacks. If you’re a bank, hospital, or other likely target, you’ll likely still want the rigor of a full-on Turing test like CAPTCHA.
  • If a hacker is targeting your site specifically, they will most likely tailor a bot to your site that mimics human-like behavior and bypasses the form check. (Nothing is 100%.)

Google and the Future of CAPTCHA

The honeypot technique is just one option when it comes to form security. There are some changes web users can expect to see in the future from Google in this area as well. One you may already be seeing is the reCAPTCHA that detects human-like mouse movements to verify a real user is submitting a form.

The other is an invisible reCAPTCHA option:

In talking about implementing CAPTCHA on the average website, our solutions architect said, “There’s no need to use a sledgehammer to kill a fly.”