Hi, I am building a site at the moment and I am trying to decide whether to add Captcha to my site to protect the following:
- create account form
- contact form (as it is saved in the database)
- change email form
- change password form
01 - do you think this will p*ss users off - I don't think it will as they really will only ever need to enter the Captcha once...
02 - I am surprised to see that Facebook and Twitter do not use them, how do they stop robots from processing multiple forms
03 - what is your general view / feeling on using Captchas
Use captcha. It takes like 3 seconds more, and pretty much every site out there has it. Don't use recaptcha though, use something else, I hear solvemedia is uncracked so far. If you REALLY don't want to use captcha or a 'question', then you can do this little trick which works for most bots..
<input type="hidden" value="" name="signup" />
Then when the user submits, the value will still be blank, right? - Most (if not ALL) bots will not leave a field blank like that.. So they will put a "1" in it or something.. So run a check on submit, where if $_POST['signup'] != "", fail the process. EDIT: I might be wrong though.. It certainly used to be the case.. I dunno if bots are more clever now.
Usually a simple CAPTCHA will be effective on a web site. I created a social networking web site years ago that didn't utilize a CAPTCHA system and before it started to receive GOOD traffic I had Nigerian Scammers writing scripts. Also, on a strip club web site I have...there's a contact form with no CAPTCHA. Within weeks I started to get bombarded with spam emails. In fact, at one point I was receiving over 100+ emails of spam a day. Once I created a CAPTCHA it immediately stopped.
There are 2 types of bots. Bots that act as a web browser and bots that use your current web browser. What you posted technically won't stop a bot. However, if you added a HIDDEN field to a form via JavaScript/jQuery that will stop most bots that act as a web browser but still won't stop bots that use your browser. The only effective way is to use CAPTCHA.
Oh and I wanted to add... If you alternate between random consonants and random vowels and limit to 5 characters long your captcha will be pronounceable. May not be a word..but will make it very easy to type the CAPTCHA into the box. Examples: wopas lupef nodak bigot penis
Ok, thanks for the replies all... I have done a lot of articles on this topic since the post and a lot of people said they are a waste of time because 90% of them can be broken
OK here is my opinion. All captchas are breakable. Maybe not automatically but there are web services that will do that and all a programmer has to do is to take the captcha image and submit it to the webservice and get the text back. However a programmer will only spend his time and energy on setting up a bot for a website where he thinks he/she can make money. So if your site has 20 or even 100 visitors a day the chance that someone will spend a few hours on setting up a bot is slim. Yes there are some generic bots and they are easily blocked by captchas. Hidden fields will stop the generic ones but if a programmer writes a bot just for your site this will not stop them. If you implement a captcha make sure it is not a very basic one like this one because it is very very simple to crack it. As soon as you make it a bit more challenging like this one your site will be much more secure. The more popular your website gets the harder you need to work on stopping bots. Here are some methods of doing this.
1. rename input fields etc regularly
2. change html structure (add some random divs and spans etc. depending on how the bot has been written it will break them. They are easily fixed but if you keep doing this they will get fed up)
3. track page loads, especially check how fast someone loads the pages. If someone tries to load 3 pages per second you know something is dodgy.
4. you can even implement multiple captcha scripts and randomly load them. This will also annoy bot creators
There are other things you can do as well but like I said unless your site is getting quite popular nobody will spend time to create a custom bot for your site. Until then you will just get the generic bots and they are easily stopped by simple basic captchas. Hope this helped.
Oh and if you wonder where I got my insight from - I write bots - not for spamming but for retrieving and automating tasks.
Thanks Stephan, big help... here is what I am thinking could work best.... a script that checks that there is at least 5 seconds between $form_display_time and $form_submit_time with a captcha (the captcha should take a user at least 4 seconds to decipher)
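The hidden `signup` field and the 5-second display-to-submit check suggested in the posts above can be combined in one server-side check. The PHP below is an added example and not code from any poster in this thread; the `form_token` field, `FORM_KEY`, `MAX_FORM_AGE` and both function names are assumptions made for illustration. It signs the display time so that a client cannot simply backdate it.

```php
<?php
declare(strict_types=1);

// Assumption: in production this key is loaded from server-side configuration.
const FORM_KEY = 'replace-with-a-random-server-side-secret';
const MIN_FILL_SECONDS = 5;  // the 5-second gap proposed in the thread
const MAX_FORM_AGE = 3600;   // assumption: forms older than an hour are refused

// Hypothetical helper, called when the form is rendered: "timestamp.hmac".
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_KEY);
}

// Hypothetical helper, called on submit: null = accept, string = reason.
function reject_reason(array $post, int $now): ?string
{
    // Honeypot: the real form always sends "signup" as an empty string,
    // so a missing or non-empty value did not come from an untouched form.
    if (($post['signup'] ?? null) !== '') {
        return 'honeypot missing or filled';
    }
    $parts = explode('.', (string) ($post['form_token'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'token missing or malformed';
    }
    [$issued, $mac] = $parts;
    // Constant-time compare; the timestamp cannot be altered without the key.
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_KEY), $mac)) {
        return 'token signature invalid';
    }
    $age = $now - (int) $issued;
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted too fast';
    }
    if ($age > MAX_FORM_AGE) {
        return 'form expired';
    }
    return null;
}

// Constructed sample requests, evaluated against a fixed clock.
$t0 = 1700000000;
$token = issue_form_token($t0);
$forged = ($t0 - 60) . '.' . str_repeat('0', 64);
var_dump(reject_reason(['signup' => '', 'form_token' => $token], $t0 + 12));
var_dump(reject_reason(['signup' => '1', 'form_token' => $token], $t0 + 12));
var_dump(reject_reason(['signup' => '', 'form_token' => $token], $t0 + 1));
var_dump(reject_reason(['signup' => '', 'form_token' => $forged], $t0 + 1));
```

A valid token can be resubmitted until it expires; making it single-use needs server-side state such as a session entry. As the thread itself notes, a bot written for one specific site can wait five seconds and leave the honeypot empty, so this only filters the generic ones.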
Sounds like a plan. But like I said if your website isn't popular or provides information/data that is valuable for a bot creator a simple captcha should do fine. Even without with ignoring page loads. When you see your website become more and more popular then you need to start looking at those things. Security including captchas are always something that need reviewing on a regular basis. Like if it is a new site I would assess them every 6 months. If they still work and keep the spam and bots out no need to work on it. The more popular the site gets the more often you need to review those things. Sometimes you will have to assess security every single week and make small changes. Maybe you should try to write your own bots to understand how they work and where the limits are. Then you also know better how to combat them.
Definitely use CAPTCHA. Your users won't mind. Most anyone that spends time on the internet is used to them.
Facebook does use some sort of CAPTCHA, but only when the maximum limit of submissions occur. From experience, the best way to prevent SPAM is by using your own type of CAPTCHA. For example, your own question and answer CAPTCHA. The reason being is that once a type of CAPTCHA is exploited, then all websites using that sort of CAPTCHA can be exploited as well.
Captcha is a MUST have thing for a site that requires user registration and stuff.. so it's good to have it. Use reCaptcha by Google. It's the best.
Use a captcha but not ReCaptcha as most of them are unreadable. I also like the ones which show you 6 pictures and you have to click on the horse, for example.