facetofcathy (facetofcathy) wrote 2012-08-05 12:32 pm
ReCaptcha, so hard only the bots can solve it
is fast becoming a common phrase in web circles. Just recently there have been multiple posts on the Google forums about how unusable ReCaptcha really is. A quick Google search showed me multiple forum sites that immediately got multiple complaints from users when they implemented ReCaptcha as the simple way to eliminate spam. It's also becoming common that the spammers aren't stopped.
CAPTCHA-less Security by karlgroves covers the broad-based approach to designing a secure site without a CAPTCHA of any kind.
There's no plug-in quick fix here; it's an approach to design, coding and maintenance.
Two key features for dealing with account creation by spammers:
The Honey Pot
Honeypot
A spam honeypot is a field intended to trap spammers by detecting submissions of attempted spam or fraudulent registrations. One of the ways spammers try to exploit a site is the automatic submission of forms.
[...]
To implement a honeypot, create a hidden text field:
<label for="honeypot">Enter something here if you're a spammer</label><input type="text" id="honeypot" name="honeypot">
Then, use CSS to position the item offscreen. Using this method, you now have an accessible means of tripping up bots.
The key to this trick is that a human using a screen reader will be able to reach the honeypot field, but will know not to fill it in. Some honeypot suggestions seem to assume that no one using a screen reader, or anything else that turns off the CSS, will ever want to use your site.
The other, to my mind, much more important method of security is email confirmation.
Registration requires confirmation
For any of my sites that require membership to certain areas, users must register with a working email address to which I send a confirmation email. Users must click that link – which takes them back to the site – in order to confirm their registration and be granted access to the site. This tactic is pretty common on the web and the reason this works is two-fold: first, it stops bots dead because they often enter nonsensical email addresses which go nowhere and second, even in cases where the fraudulent submissions are run by humans who use a good email address, they aren’t going to waste their time clicking confirmation links. One of my sites has been up for 3 years and not once has a spammer confirmed their registration.
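As an added example that is not part of this post or of karlgroves' article, here is the server-side half of the two checks described above: drop any submission where the offscreen honeypot field was filled in, and otherwise issue an HMAC-bound confirmation token to mail to the given address, verified in constant time when the user clicks the link. The field name follows the article's markup; the token lifetime and the per-process secret are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

HONEYPOT_FIELD = "honeypot"              # the offscreen field from the article's markup
TOKEN_TTL_SECONDS = 24 * 60 * 60         # assumed: confirmation links expire after a day
SERVER_SECRET = secrets.token_bytes(32)  # constructed per process for this demo; a real
                                         # site would load a persistent secret from config

def is_bot_submission(form: dict) -> bool:
    """A human, sighted or using a screen reader, leaves the honeypot empty;
    a form-filling bot tends to populate every text input it finds."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())

def make_confirmation_token(email: str, issued_at: int) -> str:
    """Bind the pending registration's email and issue time to an HMAC so the
    link in the confirmation mail cannot be forged or reused for another address."""
    msg = f"{email}\n{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"

def verify_confirmation_token(email: str, token: str, now: int) -> bool:
    """Accept the token only if it is well-formed, unexpired and its MAC matches
    the email the confirming user claims; the comparison is constant-time."""
    try:
        issued_str, _mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    expected = make_confirmation_token(email, issued_at)
    return hmac.compare_digest(expected, token)

def handle_registration(form: dict, now: int) -> tuple:
    """Server-side half of the article's two checks: reject submissions that
    tripped the honeypot, otherwise issue a token to be mailed to the address.
    Returns ("rejected", reason) or ("pending", token)."""
    if is_bot_submission(form):
        return ("rejected", "honeypot field was filled in")
    email = form.get("email", "").strip()
    if "@" not in email:
        return ("rejected", "no usable email address")
    return ("pending", make_confirmation_token(email, now))
```

The account is only created when verify_confirmation_token returns True for the address the link claims; until then the registration stays pending, which is what makes bots with nonsense addresses "stop dead" as the article puts it.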