Sneaky CAPTCHA Tricks
Stephen Moseley, a Web designer and developer at media production company Hannisdal Express, has a sneaky way of stopping form-spamming bots: add a decoy field to the form and hide it with CSS (Cascading Style Sheets) rather than with an HTML hidden input type. Human users never see the field, so they never fill it in. Bots, however, read the page's markup, see an input that looks fillable and fill it in. A submission in which that field has changed is enough to mark the visitor as a probable spam program rather than a real user, and the server can reject it before any CAPTCHA is even checked.
"The bots should fill it in, and if you compare the inputted value to the value you start with, you can quit execution right there," says Moseley. "You do, however, have to make sure to label this so that people with screen readers can understand not to fill it in. I've used this on some non-high-traffic forms and it works pretty well. It probably won't stop serious spam bots for a large site, though."
Moseley also suggests using simple math problems in CAPTCHA tests. As he explains, though, this approach has two problems: "possible discrimination against the mentally handicapped and the fact that you would need to make the questions random (i.e., you don't want it to always be 2 + 2)."
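The two tricks above, the CSS-hidden honeypot field and a randomized arithmetic question, fit naturally into one server-side check. What follows is an added illustration written for this page, not Moseley's code and not from any CAPTCHA product. The field names (`website_url`, `captcha_token`, `captcha_answer`), the 600-second validity window and the in-process secret key are assumptions; the correct answer to the math question never goes to the browser, only an HMAC tag bound to it, so the server stays stateless.

```python
import hmac
import secrets
import time
from typing import Optional

# Added example for this page, not Moseley's code. Field names, secret key and
# time window are assumptions.

HONEYPOT_FIELD = "website_url"   # assumed name: looks like a real field to a form-filling bot
HONEYPOT_INITIAL = ""            # the "value you start with"; the server compares against it

# Hidden from sighted users with CSS, not with type="hidden" (bots know those are not
# user-editable), and labelled so screen-reader users know to leave it alone.
HONEYPOT_HTML = (
    '<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden">\n'
    f'  <label for="{HONEYPOT_FIELD}">Leave this field empty</label>\n'
    f'  <input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}"\n'
    f'         value="{HONEYPOT_INITIAL}" tabindex="-1" autocomplete="off">\n'
    '</div>'
)


def honeypot_tripped(form: dict) -> bool:
    """True if the hidden field came back with anything but its initial value."""
    return form.get(HONEYPOT_FIELD, HONEYPOT_INITIAL) != HONEYPOT_INITIAL


# --- Random arithmetic challenge; the answer never leaves the server in the clear ---

SECRET_KEY = secrets.token_bytes(32)  # assumed: in production a per-deployment secret, not per process
MAX_AGE_SECONDS = 600
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}


def sign_challenge(a: int, op: str, b: int, issued: int, nonce: str) -> tuple:
    """Build the question text and a token binding (issued, nonce) to the correct answer."""
    answer = OPS[op](a, b)
    tag = hmac.new(SECRET_KEY, f"{issued}:{nonce}:{answer}".encode(), "sha256").hexdigest()
    return f"What is {a} {op} {b}?", f"{issued}:{nonce}:{tag}"


def make_math_challenge() -> tuple:
    """Fresh operands and operator each time, so the question is never a fixed '2 + 2'."""
    a = secrets.randbelow(10) + 1
    b = secrets.randbelow(10) + 1
    op = secrets.choice(list(OPS))
    if op == "-" and b > a:
        a, b = b, a  # keep the expected answer non-negative
    return sign_challenge(a, op, b, int(time.time()), secrets.token_hex(8))


def check_math_answer(token: str, submitted: str, now: Optional[int] = None) -> bool:
    """Recompute the tag from the submitted answer, compare in constant time, reject stale tokens."""
    try:
        issued_s, nonce, tag = token.split(":")
        issued = int(issued_s)
        answer = int(submitted.strip())
    except (ValueError, AttributeError):
        return False
    now = int(time.time()) if now is None else now
    if not 0 <= now - issued <= MAX_AGE_SECONDS:
        return False
    expected = hmac.new(SECRET_KEY, f"{issued}:{nonce}:{answer}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, tag)


def accept_submission(form: dict, now: Optional[int] = None) -> bool:
    """Server-side gate for a form carrying both the honeypot and the math question."""
    if honeypot_tripped(form):
        return False  # "quit execution right there"
    return check_math_answer(form.get("captcha_token", ""), form.get("captcha_answer", ""), now)


if __name__ == "__main__":
    question, token = make_math_challenge()
    print(question)
    # Constructed bot submission: it filled the hidden field, so it is rejected.
    bot = {HONEYPOT_FIELD: "http://spam.example", "captcha_token": token, "captcha_answer": "0"}
    print(accept_submission(bot))
```

The honeypot check runs first because it is free; the math check only costs one HMAC. A token that has been answered correctly can be replayed until it expires, so a real deployment would record used nonces (or tie the token to the session) in addition to the age check shown here.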
The Bottom Line
What all these variations on CAPTCHA mean for Web administrators is that CAPTCHA will continue to be useful. However, the old, simple CAPTCHA systems are hopelessly obsolete.
And even the improved CAPTCHA strategies may not be useful for long. Carnegie Mellon's von Ahn believes that, for the immediate future, image-based CAPTCHAs will be effective. Eventually though, within 50 years at the most, von Ahn thinks that computers will be bright enough to solve any form of CAPTCHA.
But what about right now? To secure a Web site in 2009, companies would be well advised to look at reCAPTCHA, which comes with a wide variety of application plug-ins and an open API (application programming interface). With these, no matter what software you're running on your Web site, you should be able to add reCAPTCHA protection to your Web-based applications with little effort.
Looking ahead, you should start following image-based CAPTCHA technologies. They promise to have a longer effective life.
All that said, it should also be kept in mind that, even as bot-based CAPTCHA attacks are held at bay, there's no effective defense against humans breaking CAPTCHAs for money. All that any CAPTCHA system, or any other security measure, can really do is slow down would-be crackers.
At the end of the day, Web security must be concerned not only with keeping out attackers, but with minimizing the damage they can cause when they have broken into a site.
Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting edge and 300bit/sec. was a fast Internet connection -- and we liked it! He can be reached at firstname.lastname@example.org .
This story, "CAPTCHA Allows Comments, Keeps Spam Bots Out" was originally published by Computerworld.