Do you guys think captchas are necessary? I think they just ruin the whole look of the website + they annoy users to high hell. Is there any way around the implementing of captchas?
SeekSift uses a reverse captch/honeypot (explained here: http://www.nedbatchelder.com/text/stopbots.html) and it works really well, w/o the annoying user interface problem you've described.
Interesting, and good, ideas. I think they could be defeated by a well designed spam bot, but most (if not all) currently used techniques could as well.
I haven't used a screen reader, nor have I looked at their source code, but it did make me wonder if such a setup (with user invisible fields) might still be read by the screen readers (depending on how they convert the raw html into content for the listener).
If I ever get around to fixing my comment system on my blog (I don't really like comments... and thats probably why my current commenting system is passive-aggressive), I'll try implementing these ideas. Good link.
IMHO captchas still have their place. Any type of turing test would require intervention by the user. I dunno how low the threshold of annoyance is for most users, but I tend to think that "reproduce this text" produces a lower cognitive load than, for example, "what is 4 + 3." If your text is extremely jarbled that's a different matter... note to self.
Picture matching is a viable alternative and can reduce cog load, but it also increases the time between captcha and the intended action. I use a 3-character captcha. We'll see how that holds.
Although often not considered, the greatest flaw of captchas is they make some functionality unavailable for disabled web users (audio captcha for the deaf, standard distortion captchas for those with poor eyesight, flash captchas will also be impervious to screen readers).
I have played with captchas a bit and I think its important to make captchas which rely on thinking and comprehending, not on some facet where human senses are still more acute than electronic sensors (this is a deadend, as computer cycles get cheaper and algorithms improve I don't really believe that human senses will be superior to dedicated electronic ones in well... anything).
My favorite captcha (perhaps my own idea, not quite sure though) is to have something like this "Please enter the missing item: 532 533 534 535 536". This satisfies my requires for a 'fair' captcha: 1. it is delivery neutral (a screen reader, a blind individual, or a fully healthy individual can all understand this captcha), and 2. It is relatively resistant to brute force because the question doesn't contain the answer.
As is stands, the vast majority of captcha implementations are discriminatory (you need to, at minimum, have a choice between an audio and a visual captcha, or use a captcha that is delivery neutral).
The best way to avoid needing a captcha is to build a non-consistent UI (which is to say, to differentiate yourself, hopefully by making it better) that the existing spam algorithms won't recognize. Much like diverse genetics give species resistance to disease, diverse design and UIs give the internet resistance to spam.
I think there are algorithms that solve simple IQ tests like that. And how would the non-consistent UI work? Not use http Post anymore, just do everything with AJAX?
Solving that test is indeed pretty simple, I think its O(n^2) give or take. Even if it was n^3 the value of n is so low it isn't restrictive. The benefit is that it is relatively uncommon (not being targeted), and it is more difficult than the average captcha (less likely to be targeted). It is also resistant to brute force (many captchas have the answer to them included in the question, this one requires some parsing and solving, not simply trying words near the captcha randomly). This captcha is not perfect, but I think it is better than most current captchas, and it is deliver neutral (doesn't penalize the impaired). Thus it seems like a step in the right direction, but is not a final destination by any means.
By non-consistent UI I mean breaking the "Name, Email, Webpage, Body" paradigm. I think a good (although certainly harder to implement) example of this is http://www.djangobook.com/en/beta/chapter01/ . If you click on the little tabs/indexes on the side of the page a little comment box pops up that is relevant to the specific position. This UI is sufficiently different from a standard commenting system that a standard form filling spambot would be clueless. This is only an example, but perhaps it helps explain my idea of diversifying a bit. Other types of spam bots would not be affected, but perhaps similar changes would make them less effective as well (your example of using Ajax is a good possible example).
I had good results with doing an own small modification to our forum software. I had never done anything with PHP before, but knowing enough c programming that was still done below an hour (finding the right place to modify was the only hard part).
I think the point is not which modification I made - nothing that was much different from some other usual spam-prevention mods which are in use. The trick is that no spammer cares about a single site enough to work around a custom solution.
I've noticed these things get harder and harder all the time. In the end it will be like a test to block humans out.
Of course, the only thing you really care about when someone/thing does a captcha is that the, uh, thing won't spam and that it will give you money. This problem might go away if someone succeeds in designing a system for making micropayments with a much smaller granularity than Paypal.
If I weren't busy with another idea, I would suggest someone work on this. It could also be used for a secure login if done with face recognition, which is fast maturing.
I've been looking at honeypots and I'm learning how to implement them on my app. Basically I'm building (well for the mean time until a better idea comes up.) is a "classified ad" site that doesn't suck and is a beauty to look at. And the problem I see with apps like these(or rather a subset of the main problem) is the amount of spam that gets fed into them everyday. Alot of interesting ideas flowing from this discussion.
Ofcourse some sort of captcha is necessary. If you are bothered about the looks, then the real question is what kind of captcha should you implement. You can go for the audio only captcha , or perhaps even a flash based visual one.
Repetitive captcha tests can be avoided if your application limits the frequenzy of submissions made . But this in turn is a larger annoyance for commenting systems.
One way to be transparent to normal users, as long as your site uses javascript anyway, is to do a javascript (or flash, I suppose) hashcash implementation. If javascript on a typical browser takes 45 seconds to work out a solution, then that's enough to prevent spambots from just implementing it without driving the amount of spam they can send out way down.
