316
votes

It looks like we'll be adding CAPTCHA support to Stack Overflow. This is necessary to prevent bots, spammers, and other malicious scripted activity. We only want human beings to post or edit things here!

We'll be using a JavaScript (jQuery) CAPTCHA as a first line of defense:

http://docs.jquery.com/Tutorials:Safer_Contact_Forms_Without_CAPTCHAs

The advantage of this approach is that, for most people, the CAPTCHA won't ever be visible!

However, for people with JavaScript disabled, we still need a fallback and this is where it gets tricky.

I have written a traditional CAPTCHA control for ASP.NET which we can re-use.

CaptchaImage

However, I'd prefer to go with something textual to avoid the overhead of creating all these images on the server with each request.

I've seen things like..

  • ASCII text captcha: \/\/(_)\/\/
  • math puzzles: what is 7 minus 3 times 2?
  • trivia questions: what tastes better, a toad or a popsicle?

Maybe I'm just tilting at windmills here, but I'd like to have a less resource intensive, non-image based <noscript> compatible CAPTCHA if possible.

Ideas?

24
  • 16
    There is no need to actually create an image on the server. You just need to handle the request. For example <img src="generateImage.aspx?guid=blah"> Commented Oct 19, 2008 at 4:44
  • 58
    Trivia questions are prone to cultural bias (think of a French guy answering your question...). Furthermore, they can tackle users whose English isn't native. Also, they can easily be broken using brute force (you only have ~2^#_OfQuestions options).
    – Adam Matan
    Commented Jan 26, 2009 at 9:29
  • 72
    Also, what on earth is a popsicle?
    – Fraser
    Commented Mar 14, 2009 at 2:06
  • 57
    According to Wolfram Alpha, "what is 7 minus 3 times 2" is 1. I thought it was 8. I think you just invented the anti-captcha. Commented Jan 14, 2010 at 22:55
  • 50
    @Mike Robinson: I think programmers should know about operator precedence in NORMAL day use =)
    – Gnark
    Commented Feb 10, 2010 at 10:04

103 Answers

1
vote

How about just using ASP.NET Ajax NoBot? It seems to work DECENTLY for me. It is not awesomely great, but decent.

1
vote

Post a math problem as an IMAGE, probably with parentheses for clarity.

Just clearly visible text in an image.

(2+5)*2

1
vote

@lance

Who says you have to create all the images on the server with each request? Maybe you could have a static list of images or pull them from Flickr. I like the "click on the kitten" CAPTCHA idea. http://www.thepcspy.com/kittenauth.

If you pull from a static list of images, it becomes trivial to circumvent the CAPTCHA, because a human can classify them and then the bot would be able to answer the challenges easily. Even if a bot can't answer all of them, it can still spam. It only needs to be able to answer a small percent of CAPTCHAs, because it can always just retry when an attempt fails.

This is actually a problem with puzzles and such, too, because it's extremely difficult to have a large set of challenges.

1
vote

Do lots of these JavaScript solutions work with screen readers? And the images minus a meaningful alt attribute probably breaks WCAG.

1
vote

CAPTCHAs check if you are human or computer. The problem is that after that a computer needs to judge whether you are human.

So a solution would be to let one user fill out a CAPTCHA and let the next user check it. The problem is of course the time gap.

1
vote

How about just checking to see if JavaScript is enabled?

Anyone using this site is surely going to have it enabled. And from what folks say, the Spambots won't have JavaScript enabled.

1
vote

I had a vBulletin forum that got tons of spam. Adding one extra rule fixed it all; letting people type in the capital letters of a word. As our website is named 'TrefPuntMagic' they had to type in 'TPM'. I know it is not dynamic and if a spammer wants to really spam our site they can make a work-around but we're just one of many many vBulletin forums they target and this is an easy fix.

1
vote

Why not set simple programming problems that users can answer in their favourite language - then run the code on the server and see if it works. Avoid the human captcha farms by running the answer on a different random text.

Example: "Extract domain name from - s = [email protected]"

Answer in Python: "return = etc."

Similar domain specific knowledge for other sub-sites.

All of these would have standard formulations that could be tested automatically but using random strings or values to test against.

Obviously this idea has many flaws ;)

Also - only allow one login attempt per 5 minute period.

1
vote

Tying it into the chat rooms would be a fun way of doing a captcha. A sort of live Turing test. Obviously it'd rely on someone being online to ask a question.

1
vote

What about audio? Provide an audio sample with a voice saying something. Let the user type what he heard. It could also be a sound effect to be identified by him.

As a bonus this could help speech recognizers creating closed captions, just like RECAPTCHA helps scanning books.

Probably stupid... just got this idea.

1
  • 1
    Hmmm, I just realized this is already done as an alternative in several captchas ("Can't read the text? listen to it" they say). I can't remove the answer, though.
    – Boraski
    Commented Oct 25, 2010 at 22:16
1
vote

Have you tried http://sblam.com/en.html ? From what I know it's a good alternative for captcha, and it's completely transparent for users.

1
vote

I think bitcoin makes a great practical non-image-based captcha; see http://bitcoin.org for the details.

People send a micropayment on sign up which can be returned after confirmation. You don't get back the time you spent trying to figure out the captcha.

2
  • 1
    I'm not sure micropayments are a good idea for CAPTCHA replacement. No one will want to use the system. Commented Jan 10, 2011 at 19:06
  • They are not paying, they are confirming they are not a bot. If you notice, I said they get the payment returned. Commented Jan 11, 2011 at 11:41
-2
votes

One option would be out-of-band communication; the server could send the user an instant message (or SMS message?) that he/she then has to type into the captcha field.

This imparts an "either/or" requirement on the user -- either you must enable JavaScript OR you must be logged on to your IM service of choice. While it maybe isn't as flexible as some of the other solutions above, it would work for the vast majority of users.

Those with edit privileges, feel free to add to the Pros/Cons rather than submitting a separate reply.

Pros:

  • Accessible: Many IM clients support reading of incoming messages. Some web-based clients will work with screen readers.

Cons:

  • Javascript-disabled users are now dependent on up-time of yet another service, on top of OpenID.
  • Bots will cause additional server resource usage (sending the out-of-band communications) unless additional protections are implemented.