extra hidden input field

Discussion in 'Security' started by jamespv85, Sep 21, 2009.

  1. #1
    Anyone here applying an extra hidden input field in their forms to fight against spamming? Is this a good precaution, or just an extra burden on coding/checking for it? Captcha seems to be working well so far.

    jamespv85, Sep 21, 2009
  2. matessim
    #2
    Captcha is enough for me. If you see any problems with it, you can try hidden fields, though I wouldn't even think I'll need it with a good captcha system.

    matessim, Sep 26, 2009
  3. cpace1983
    #3
    Anymore, I like to use the user-friendly mode of captcha: a simple question. What I mean is this:

    Is ice hot or cold?

    And then the user inputs cold, which allows the form to post. However, this question could easily be beaten by a bot. However, what if we COMBINE the two technologies:

    Is <ice.jpg> <hot.jpg> or <cold.jpg>?

    Obviously, with renamed JPEGs. Wouldn't this be harder for captcha-aware bots to break?

    cpace1983, Sep 28, 2009
  4. ErikTheRed
    #4
    If the spammer's bots are capable of breaking your captcha, a hidden field won't do much, I think.

    Yes, especially if you were able to change up the image hash every time it loads (ImageMagick maybe), this would add an extra layer of security.

    The problem with the "simple-question" captcha is always coming up with enough questions. It may be enough to fool most of the spam bots on the market, but if someone wants to spam you bad enough, they can usually get by this method.

    Seems easier to just use the reCAPTCHA API. (Not as user-friendly, I know, but it's pretty darn secure.)

    ErikTheRed, Sep 29, 2009
  5. cpace1983
    #5
    I don't normally self-promote, but I just recently wrote a blog post on this exact problem, and resolution (too few questions, and an attacker re-writing their captcha-aware bot to use challenges):

    http://remote-linux-support.com/blog/2009/09/easy-alternatives-to-captcha/

    cpace1983, Sep 30, 2009
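
An added example, not part of any post in this thread: one way to combine the hidden field from post #1 with the image question from posts #3 and #4, giving every form load fresh opaque image names and a single-use nonce. The field name `website`, the question pool, and the in-memory `PENDING` store are assumptions made for illustration.

```python
import hashlib, hmac, secrets

SECRET = secrets.token_bytes(32)  # assumption: per-deployment key kept server-side
HONEYPOT = "website"              # hypothetical name of the CSS-hidden input
# Constructed question pool: (subject image, correct choice, wrong choice)
QUESTIONS = [("ice.jpg", "cold.jpg", "hot.jpg"), ("fire.jpg", "hot.jpg", "cold.jpg")]
PENDING = {}  # nonce -> alias of the correct choice; stands in for session storage

def alias(nonce, filename):
    """Per-form opaque name for an image, so its URL differs on every load."""
    msg = f"{nonce}:{filename}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def issue_form():
    """Return the values to embed in one rendered form."""
    nonce = secrets.token_hex(8)
    subject, right, wrong = secrets.choice(QUESTIONS)
    choices = [alias(nonce, right), alias(nonce, wrong)]
    secrets.SystemRandom().shuffle(choices)  # position must not leak the answer
    PENDING[nonce] = alias(nonce, right)
    return {"nonce": nonce, "subject": alias(nonce, subject), "choices": choices}

def resolve_image(nonce, token):
    """Map an alias back to a real file when serving it; None if unknown."""
    for name in sorted({n for q in QUESTIONS for n in q}):
        if hmac.compare_digest(alias(nonce, name).encode(), token.encode()):
            return name
    return None

def check_submission(post):
    """Return (accepted, reason) for a submitted form (dict of str -> str)."""
    if post.get(HONEYPOT, "").strip():
        return False, "honeypot filled"  # humans never see this field
    expected = PENDING.pop(post.get("nonce", ""), None)  # each form is single use
    if expected is None:
        return False, "unknown or reused form"
    if not hmac.compare_digest(expected.encode(), post.get("answer", "").encode()):
        return False, "wrong answer"
    return True, "ok"

if __name__ == "__main__":
    form = issue_form()
    print(form)
    print(check_submission({"nonce": form["nonce"], "answer": form["choices"][0]}))
```

With only two choices a blind guess passes half the time, so the challenge filters only bots that do not parse the form; the honeypot check works independently of it.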