Captchas Are Considered Bad – Why Captchas Are Bad And How You Can Improve

June 10, 2021

What is a captcha?

If you have ever joined a large website, then you have seen a captcha. Twitter uses it, Facebook uses it, and WordPress uses it. Captchas are a small test that you must complete to prove that you are human. The test usually involves looking at text and writing that text in a nearby box.

What are captchas meant to do?

The simple answer is to keep your website spam-free. That is the purpose of a captcha. More generally, your goal is to stop automated spam by assuming every user of the site is a robot until proven otherwise.

Why are captchas bad?

On the surface, captchas seem easy to use and interact with. Well, they only look that way to people who have perfect vision and an elastic mind. If you have these qualities, congratulations. If you don’t, this is how captchas will be difficult for you and your users:

  • Warped letters are difficult for users to read. Combine that with a strikethrough and you’ve got a bad idea.
  • Users cannot tell 0 from O, or I, l and 1 apart, in certain fonts.
  • Blind people cannot use them. Even color blind people find some captcha implementations difficult to use.

Worst of all, even people with super eyesight and brilliant spatial awareness find simple captchas annoying. This alienates users, which reduces revenue.

How can you do captchas better?

The best way to make captchas better is to flip the concept. Instead of asking each user to prove they are human, you can trick each robot into telling you that it is an automated spam machine. The easiest way to do this is to set a few traps.

Traps and why they work

To explain what a trap is and how it will keep your site from being littered with spam, you must first know how a spam bot works. If you don’t know what you’re up against, you will never beat it.

The two types of robots

There are two types of spam bots. The first type is a replay bot. This type of spam bot records a form field by field, and then submits the form with the fields completed at a later date. It’s like a spam version of TiVo. Usually the bot will do this over and over again, literally replaying the recording it has made of the form.

The second type of spam bot is the form filler. Form fillers crawl the web, find a form, insert spam, and submit it. Some form fillers are dumb and will put the same information everywhere. Others recognize common field names like username and email. A robot like that will put its spam in a text area, as that is generally where your users’ content goes in each post.

Form filling traps

The easiest way to catch a form filling robot is to create a field that a human won’t (ideally can’t) complete. You can do this by warning users not to fill in a certain field, but that’s just as bad as asking users to fill in a captcha. Much better is to hide your trap. A form filling robot does not look at the form, it reads and analyzes it. You can create a field that is invisible to humans but is analyzed by the robot. You can hide a field using CSS or by changing the style of the field directly using JavaScript. As long as the visibility of the field is set separately from the form markup, the robot will always fill in the field and your users will not even know of its existence.
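The form filling trap described above, as an added example that is not part of the original post. The field name `website_url`, the CSS class `hp-wrap` and the helper names are assumptions made for this example. The honeypot is hidden by a stylesheet rule kept separate from the form markup; it is also marked `aria-hidden` and taken out of the tab order so that the screen-reader and keyboard users the post worries about never land in it, and it carries `autocomplete="off"` so a browser’s autofill does not trip the trap for a legitimate user.

```python
import html

# Name of the hidden trap field (constructed for this example). Avoid names such
# as "email" or "phone": browser autofill may recognise them and fill the field
# on behalf of a real person.
HONEYPOT_FIELD = "website_url"

# Stylesheet rule that hides the trap from people. It lives apart from the form
# markup, so a bot that only parses the HTML sees an ordinary text field.
HONEYPOT_CSS = (
    ".hp-wrap { position: absolute; left: -10000px; top: auto; "
    "width: 1px; height: 1px; overflow: hidden; }"
)


def render_comment_form(action="/comment"):
    """Return the HTML of a comment form that carries the honeypot field."""
    return (
        f'<form method="post" action="{html.escape(action)}">\n'
        '  <label>Name <input type="text" name="name"></label>\n'
        '  <label>Comment <textarea name="comment"></textarea></label>\n'
        # aria-hidden keeps screen readers out, tabindex=-1 keeps keyboard users out,
        # autocomplete=off keeps browser autofill out. Bots parsing the markup
        # still see a field to fill.
        '  <div class="hp-wrap" aria-hidden="true">\n'
        f'    <label>Leave this empty <input type="text" name="{HONEYPOT_FIELD}" '
        'tabindex="-1" autocomplete="off"></label>\n'
        '  </div>\n'
        '  <button type="submit">Post</button>\n'
        '</form>'
    )


def is_bot_submission(form):
    """True if the submission looks like it came from a form filler.

    `form` is a mapping of field name -> submitted value, as a web framework
    would hand it over. A human never sees the honeypot, so it arrives empty
    or not at all; any value in it means something filled every field it found.
    """
    value = form.get(HONEYPOT_FIELD, "")
    return value.strip() != ""


def classify_submission(form):
    """Decide what to do with a posted comment form."""
    if is_bot_submission(form):
        return "rejected: honeypot filled"
    if not form.get("comment", "").strip():
        return "rejected: empty comment"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample submissions: one from a person, one from a form filler.
    human = {"name": "Ada", "comment": "Nice post.", HONEYPOT_FIELD: ""}
    bot = {"name": "Ada", "comment": "buy now", HONEYPOT_FIELD: "http://spam.example"}
    print(classify_submission(human))  # accepted
    print(classify_submission(bot))    # rejected: honeypot filled
```

Rejected submissions are best dropped silently (or shown a generic success page), so the bot operator gets no signal about which field gave them away. Log the rejection with the field contents: the spam text is useful for tuning later.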

Replay traps

With replay bots, you have to take advantage of the fact that forms are captured once, ahead of time. The forms are recorded and then, sometime later, they are replayed. You can record when a form was generated by including a date and time stamp with each form you serve. By comparing that timestamp with the current date and time when the form is submitted, your site can deduce whether or not an unreasonable amount of time has passed between generating the form and submitting it.

When robots get smarter

The obvious problem with adding a timestamp to your form is that once it becomes widely known as a tool for stopping spam, the people who program the replay bots will generate a fresh timestamp the moment the form is replayed. The way around this is to encode the timestamp using a secret key. The data is decoded when the form is submitted and then evaluated. It is highly unlikely that a replay robot will be able to guess both your secret key and your encryption algorithm, giving you protection against spam no matter how smart the robot gets.
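The keyed timestamp from the last two sections, as an added example that is not the post’s own code. The post talks about encrypting the timestamp; this example instead authenticates it with an HMAC under the server’s secret key, which gives the property the post is after (a bot cannot produce a valid timestamp without the key, and cannot alter a recorded one) and is the standard way to do it, since the timestamp does not need to be hidden, only made unforgeable. The window bounds, the token layout and the function names are assumptions made here. It also adds a per-form nonce with a used-token set, because a signed timestamp alone still lets a recorded form be replayed within the allowed window.

```python
import hashlib
import hmac
import secrets
import time

# Bounds on how old a form may be when it comes back (constructed values).
MIN_AGE_SECONDS = 3.0      # a person needs at least a few seconds to fill a form
MAX_AGE_SECONDS = 3600.0   # anything older than an hour is stale or a replay


def issue_form_token(key, now=None, nonce=None):
    """Create the hidden token to embed in a freshly rendered form.

    Layout: "<unix seconds>.<nonce>.<hex HMAC-SHA256 of 'seconds.nonce'>".
    `key` is the server's secret; `now` and `nonce` are injectable for tests.
    """
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(8)
    msg = f"{ts}.{nonce}"
    tag = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}.{tag}"


def check_form_token(key, token, now=None, used=None,
                     min_age=MIN_AGE_SECONDS, max_age=MAX_AGE_SECONDS):
    """Validate a submitted token; returns "ok" or a rejection reason.

    `used` is an optional set of nonces already accepted (in production a
    cache with an expiry of `max_age`); passing it makes each form single-use.
    """
    now = time.time() if now is None else now
    try:
        msg, tag = token.rsplit(".", 1)
        ts_str, nonce = msg.split(".", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return "rejected: malformed token"

    # Verify the signature before trusting anything inside the token: a bot
    # that rewrites the timestamp cannot recompute the tag without the key.
    expected = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "rejected: bad signature"

    age = now - ts
    if age < min_age:
        return "rejected: submitted too fast"
    if age > max_age:
        return "rejected: form too old"

    if used is not None:
        if nonce in used:
            return "rejected: token already used"
        used.add(nonce)
    return "ok"


if __name__ == "__main__":
    # Constructed key; in real use load it from configuration, never from the page.
    key = b"example-secret-key"
    token = issue_form_token(key, now=1_000_000, nonce="abc")
    seen = set()
    print(check_form_token(key, token, now=1_000_010, used=seen))  # ok
    print(check_form_token(key, token, now=1_000_010, used=seen))  # rejected: token already used
    forged = "1003000." + token.split(".", 1)[1]                    # timestamp rewritten by a bot
    print(check_form_token(key, forged, now=1_003_010))             # rejected: bad signature
```

The lower bound is as useful as the upper one: most automated submissions arrive well under a second after the form is fetched, which no person manages. Use a server clock for both issuing and checking so that client clock skew never enters the comparison.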
