Using captcha without displaying it
How I use captcha without making my users complete the barely readable word
Captcha sucks. For more information on how much captcha can suck, see John Willis’ post Top 10 Worst Captchas.
But at the same time it can be really annoying for webmasters to have their forms unprotected with all the spam bots running free out there.
What I wanted was to have the commenting feature protected against spam bots without making innocent human users ruin their eyes on captcha-like images, solve a mathematical equation or fill in any other additional question fields.
My idea (and, as I found out from some Google searches, other people had similar ideas) was the following algorithm:
If yes, he’s ok. Let him comment.
No? He’s a suspect. Read him his rights and give him the ultimate “are you human?” test.
//complete the text field with the correct word from the image:
$('secretword').value='nospam';
//hide the div containing the captcha image and the text field:
$('captcha').style.display='none';
To make my life a lot easier I made my captcha output only one word, nospam, so I didn’t have to get the secret word from the server each time.
I was able to get away with this because I doubt anyone is going to make a special spam bot for VileWorks.com so their stupid spam bot brain will never know that the “secret word” is nospam. The same word, over and over again.
If anyone would go through the trouble of adapting their spam bot to my script, I would simply change the word. Or I would go myself through the trouble of setting the captcha back to outputting random letters and get the secret word back from the server each time.
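An added example, not code from VileWorks.com: one way to do the fallback described above, where the server issues a fresh secret word with each form and the script writes that word into the secretword field instead of the fixed nospam. It goes beyond the fixed-word setup the post uses; the function names, the HMAC construction and the 30-minute lifetime are assumptions.

```javascript
// Added example (Node.js). issueWord/checkWord, SERVER_KEY and MAX_AGE_MS
// are hypothetical names, not part of the original site.
const { createHmac, timingSafeEqual, randomBytes } = require('node:crypto');

const SERVER_KEY = randomBytes(32);  // assumption: per-process key; persist it to survive restarts
const MAX_AGE_MS = 30 * 60 * 1000;   // assumption: a form older than 30 minutes must be reloaded

function mac(ts, key) {
  // Truncated HMAC over the issue time; 64 bits is plenty for a comment form.
  return createHmac('sha256', key).update(String(ts)).digest('hex').slice(0, 16);
}

// Called when the comment form is rendered. The page's script then does
// $('secretword').value = <this word> and hides the captcha div.
function issueWord(now = Date.now(), key = SERVER_KEY) {
  return `${now}.${mac(now, key)}`;
}

// Called when the comment is posted. 'accept' lets the comment through;
// 'challenge' means "suspect": show the visible captcha instead.
function checkWord(submitted, now = Date.now(), key = SERVER_KEY) {
  if (typeof submitted !== 'string') return 'challenge';
  const m = /^(\d{1,15})\.([0-9a-f]{16})$/.exec(submitted);
  if (!m) return 'challenge';                  // includes a replayed fixed word like 'nospam'
  const expected = mac(m[1], key);
  // Both strings are 16 hex chars here, so timingSafeEqual cannot throw.
  if (!timingSafeEqual(Buffer.from(m[2]), Buffer.from(expected))) return 'challenge';
  const age = now - Number(m[1]);
  if (age < 0 || age > MAX_AGE_MS) return 'challenge';  // scraped once, replayed later
  return 'accept';
}
```

A word copied out of the page stops working after the lifetime expires, so a bot has to fetch and parse the form for every post; a bot that actually runs the page's JavaScript still passes, which is the trade-off the post accepts.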
Is this a good solution for future protection against spam for large web sites?
Is it a good solution for me and a whole lot of other website owners?
Yes. As long as nobody can make a lot of income by any form of spam on your specific website and as long as there aren’t thousands of websites that use this same specific system, nobody’s going to bother to adapt a spam bot to your website.
Spam is only profitable when done massively. It might take a spammer only 20 minutes to program his spam bot to beat the system I’m talking about, but it would take me even less time to delete his comments, ban his IP and slightly change something in my code so he would have to reprogram his spam bot.
Unless he was some sociopath trying to annoy me, he would never go through all the trouble.
Bottom line is: the best solutions are specific solutions.
Ever seen those forms asking you to prove that you are human by entering “the result of 8 + 5”? Do you think it’s hard to make an automated solution that reads two numbers and outputs their sum? Of course not. Nobody bothered because they aren’t popular enough to be of any interest.