

Ask HN: Help with my CAPTCHA woes - hellweaver666

Hi guys,

I currently work for an organisation who are quite security conscious and implemented CAPTCHA across various login screens on our sites a couple of years back.

Our CAPTCHA is quite easy to read but I can still see from customer feedback and statistics that they are a source of irritation to our users and have actually in some instances even caused customers to cancel accounts!

Our dev manager understands the need to get rid of the CAPTCHAs on the site but refuses to do so unless someone can come up with a solution that will prevent automated logins.

Has anyone got any suggestions?

Thanks
======
Tichy
Haven't tried, but suggestions I have heard are:

- submit forms with JavaScript (though bots will emulate in the future)

- create honey pot text fields that are invisible but bots will fill in
anyway (I guess hide them with CSS)

- I suppose the names of the honey pot and real form fields should change
constantly
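
The honeypot-field and rotating-field-name suggestions above, as an added server-side example that is not part of the original thread. The secret, rotation interval, logical field names and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, kept server-side
ROTATE_SECONDS = 600              # assumption: field names change every 10 minutes
HONEYPOT = "website"              # decoy input, hidden from people with CSS
LOGICAL_FIELDS = ("username", "password", HONEYPOT)

def field_name(logical, session_id, window):
    """Opaque HTML name for one logical field in one time window."""
    msg = f"{logical}|{session_id}|{window}".encode()
    return "f_" + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def render_names(session_id, now=None):
    """Names to place in the form served to this session right now."""
    window = int((time.time() if now is None else now) // ROTATE_SECONDS)
    return {f: field_name(f, session_id, window) for f in LOGICAL_FIELDS}

def check_submission(form, session_id, now=None):
    """Return (verdict, fields); verdict is 'ok', 'bot' or 'stale'."""
    current = int((time.time() if now is None else now) // ROTATE_SECONDS)
    real = [f for f in LOGICAL_FIELDS if f != HONEYPOT]
    # Accept the previous window too, so a form rendered just before a
    # rotation still submits cleanly.
    for window in (current, current - 1):
        names = {f: field_name(f, session_id, window) for f in LOGICAL_FIELDS}
        if not all(names[f] in form for f in real):
            continue
        if form.get(names[HONEYPOT], "").strip():
            return "bot", {}      # something filled in the invisible field
        return "ok", {f: form[names[f]] for f in real}
    return "stale", {}            # scraped, replayed or expired field names

if __name__ == "__main__":
    # Constructed sample submissions, fixed clock for repeatability.
    n = render_names("sess-1", now=1000)
    human = {n["username"]: "alice", n["password"]: "s3cret", n[HONEYPOT]: ""}
    print(check_submission(human, "sess-1", now=1000))
    print(check_submission({**human, n[HONEYPOT]: "spam"}, "sess-1", now=1000))
```

Browser autofill and password managers can populate hidden inputs, so a `bot` verdict is better used as one signal for throttling or a fallback challenge than as an outright block.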

------
DavidPP
A quick question, you said that the CAPTCHA is implemented across various
login screens. Does that mean that you have to fill in a CAPTCHA every time you
log in?

I don't know what your application does, but what is wrong with automatic login?
I understand why automatic account creation IS a problem, but automatic
login is something I use every day (via 1password).

But if you really need to do it, Tichy's solutions seem good.

------
karim
Maybe you could send an SMS to a new user with a confirmation code?

~~~
Zev
Unless you're a bank or something similar, you should _never_ have to send
people a confirmation code via text. And what if the person doesn't have a
cell phone?

------
pclark
How about just asking a simple question? What is the capital of France? London,
Paris, Donkey.

~~~
RiderOfGiraffes
All of the "multiple choice" versions are prey to the spammers simply trying a
random one. At the moment they don't because it's not worth their effort, but
as more and more sites use the "Odd one out" or "What is ... :A, B, C" type
CAPTCHA the spammer will simply scrape the questions and put a random answer.
The odds are good enough that it will be worthwhile.

However, for now that method does work. If you use it, though, modularize and
be prepared to change it later.

And for what it's worth, I find the existing CAPTCHAs infuriating, and I only
tolerate them if I really want the service they're protecting.

