Posted By Slobodan Kovacevic on December 9, 2006
Most people know what CAPTCHA is and if they don’t then I am sure that they have seen one. Furthermore, I am sure that everyone has been molested by a bad CAPTCHA. Once I tried to register at a forum and it took me 8 tries to get the CAPTCHA right – 8 tries! I had to register at that forum, but if I didn’t, after a couple of tries I would just presume that the CAPTCHA isn’t working and I would have closed the browser.
Of course CAPTCHA is very useful and it can help you reduce spam, false/automatic registrations, etc. But at the same time it is a big accessibility and usability problem – which means that your site or web app can lose precious visitors/users. In fact inaccessibility is such a big problem that there’s a W3C document outlining CAPTCHA problems and possible solutions.
All this means that there are plenty of people searching for an alternative way to tell computers and humans apart. Here are some of the proposed alternatives and fixes…
The main problem with ordinary CAPTCHA is that the text needs to be distorted or otherwise made somewhat unreadable to be able to fool OCR programs. The idea behind the photo CAPTCHA is that the user is presented with several photos and needs to select those that have, for example, kittens on them. This is a great idea as it is easy for humans to perform such a task, but virtually impossible for a computer.
As far as I know KittenAuth is the first system implementing this. Among others there is also HumanAuth, a PHP script based on the KittenAuth idea which claims to conform to certain accessibility standards.
This is a purely technical solution which obscures the letters on the CAPTCHA image without distorting them. Instead it makes an animated GIF that has a lot of noise on it and where the letters are never all shown in the same frame.
You can see a PHP implementation of animated CAPTCHA in action or you can download the code and try it yourself.
Sound based CAPTCHA has the same idea as the visual one; unfortunately this means it also has the same problems. In order to filter out voice recognition bots the sound sample must be distorted, which has the same negative effect on humans as with the visual solution.
Multiple choice questions
Some sites use a “complete the sentence” solution. They present a sentence to the user, who has to complete it with one of the options given in a drop-down menu.
I like to read a _______ when I relax.
The drop-down would contain, for example: t-shirt, book, chair, hat. You could have a set of questions and answers and show them at random.
The problem with this solution is that you have a limited set of possible answers (4 in my example), so theoretically every 4th random answer should be correct. That opens the system to a brute force attack. Another problem is that you have to build a database of questions & answers, which leaves you with a limited set (even if you define a couple hundred questions). In turn that means someone can easily make a note of all questions and correct answers.
Session variable / GET request detection
This isn’t a CAPTCHA alternative per se, but it can be used to filter out spam-bots. The idea is that you put something in the session when a GET request is made, and when the form is submitted you check the session for that variable.
This can filter out stupid bots that submit a POST request directly without first getting the page with the form. Of course this system can be easily fooled by creating a bot that acts like a web browser.
Dummy form elements
Again, this is not a direct CAPTCHA alternative, but it can help with spam-bots.
The goal here is to add dummy form elements that can trick bots into filling them, and to hide those elements from users with CSS. Additionally, dummy elements should be named suggestively to fool the bots – for example, subject, name, URL… Then when the form is submitted you check if any of these fields have been filled, and if so you have caught a bot.
You can read more about this solution in Form Spam: Increasing the Attacker’s work function.
Of course, this is far from perfect, but it just might help you reduce spam considerably by eliminating generic bots. Also a big plus for this method is that it’s unobtrusive and that users don’t even know it’s there.
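The session check and the dummy-field check described in the last two sections can run together on the server. The sketch below is an added example, not code from the original post: the session is a plain dict, the field names `f_author`, `f_body`, `form_token` and the `hp` CSS class are assumptions, and echoing the session value in a hidden field (so it can be compared and used only once) goes slightly beyond the plain "is the variable set" check in the text.

```python
import hmac
import secrets

# Hypothetical names: the decoys use the suggestive names from the text,
# while the real inputs get neutral ones.
HONEYPOT_FIELDS = ("subject", "url")
REAL_FIELDS = ("f_author", "f_body")
TOKEN_KEY = "form_token"


def render_form(session):
    """GET handler: store a one-time token in the session and emit the form."""
    token = session[TOKEN_KEY] = secrets.token_urlsafe(16)
    decoys = "".join(
        f'<input type="text" name="{n}" class="hp" tabindex="-1" autocomplete="off">'
        for n in HONEYPOT_FIELDS
    )
    real = "".join(f'<input type="text" name="{n}">' for n in REAL_FIELDS)
    return (
        # Decoys are moved off-screen with CSS so people never see them.
        "<style>.hp{position:absolute;left:-9999px}</style>"
        '<form method="post">'
        f'<input type="hidden" name="{TOKEN_KEY}" value="{token}">'
        f"{decoys}{real}<button>Send</button></form>"
    )


def check_submission(session, post):
    """POST handler: return (accepted, reason) for the submitted fields."""
    expected = session.pop(TOKEN_KEY, None)  # pop: each token is single use
    if expected is None:
        return False, "no prior GET in this session"
    supplied = str(post.get(TOKEN_KEY, ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "token mismatch"
    filled = [n for n in HONEYPOT_FIELDS if str(post.get(n, "")).strip()]
    if filled:
        return False, "decoy field filled: " + ", ".join(filled)
    return True, "ok"


if __name__ == "__main__":
    session = {}
    # Constructed submission: a direct POST with no preceding GET.
    print(check_submission(session, {"f_body": "cheap pills"}))
    render_form(session)
    # Constructed submission: a generic bot that fills every text input.
    bot = {TOKEN_KEY: session[TOKEN_KEY], "subject": "hi", "url": "http://spam.example"}
    print(check_submission(session, bot))
```

Rejected submissions are best answered with the same response a successful post gets, so a bot author gets no signal about which check caught it.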