My task this week was to figure out an alternative captcha to Google’s ReCaptcha. Here’s a quick history lesson on the ReCaptcha and some alternatives to it.
I’m hella sure everyone is familiar with that jumbly mess of words that was Recaptcha v1. It’s not pretty, it’s frustration-inducing, and it’s probably only flawlessly solvable by superhumans. There are also human farms that do nothing but solve reCaptchas all day.
To be fair, my doctor’s handwriting is only a sliver more legible
Just this year, Google came up with reCaptcha v2 (Techcrunch article), a sleeker way to keep the robots out of your forms.
Simple, and real sexy
You just have to click on that checkbox, and voila, you’re done! It works by detecting your behaviour prior to checking that box. If your behaviour is suspicious (e.g. if you fill in the form too quickly), it busts out a second level of verification, which is either reCaptcha v1 or an image selection game like this:
There was another one asking you to pick out cakes which I liked better. But road signs are okay too, I guess
All that is fine, but still rather annoying when it gets to the second level verification. After way too much form testing for a company website, everyone in my office seems to be hitting second-level for any reCaptcha v2 (not just the one we were testing).
The general consensus is that ‘no captcha is the best captcha’. This means ways of detecting spambot behaviour without having a solvable component. Still, here are some alternatives to the reCaptcha I stumbled upon.
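Honeypots are simple, CSS-hidden inputs that are not visible to the user but are visible to bots, which typically parse just the HTML. A human leaves the field empty, a bot fills it in, and the server rejects any submission where it has a value. Great to have as a backup or second verification to another captcha.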
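An added example, not code from the original post: a Node.js honeypot check combined with the "filled in too quickly" heuristic mentioned earlier, using an HMAC-signed render timestamp. The field name `website`, the 3-second threshold, the one-hour token lifetime and the `/contact` action are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32);  // per-process key (assumes a single server)
const HONEYPOT_FIELD = "website";       // hypothetical decoy field name
const MIN_FILL_MS = 3000;               // assumed "too quick for a human" threshold
const MAX_AGE_MS = 60 * 60 * 1000;      // assumed lifetime of a rendered form

function sign(ts) {
  return crypto.createHmac("sha256", SECRET).update(String(ts)).digest("hex");
}

// The decoy is hidden with CSS (not type="hidden") so an HTML-only parser
// sees a normal text input; tabindex/autocomplete keep real users out of it.
function renderForm(now = Date.now()) {
  return `<form method="post" action="/contact">
  <input name="email" type="email" required>
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <input name="${HONEYPOT_FIELD}" type="text" tabindex="-1" autocomplete="off">
  </div>
  <input name="ts" type="hidden" value="${now}">
  <input name="sig" type="hidden" value="${sign(now)}">
  <button>Send</button>
</form>`;
}

// fields: parsed POST body. Returns { ok, reason } so rejections can be logged.
function checkSubmission(fields, now = Date.now()) {
  if (String(fields[HONEYPOT_FIELD] || "").trim() !== "") {
    return { ok: false, reason: "honeypot" };
  }
  const ts = Number(fields.ts);
  const expected = Buffer.from(sign(ts), "hex");
  const given = Buffer.from(String(fields.sig || ""), "hex");
  if (!Number.isFinite(ts) || given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-token" };  // timestamp missing or altered
  }
  if (now - ts < MIN_FILL_MS) return { ok: false, reason: "too-fast" };
  if (now - ts > MAX_AGE_MS) return { ok: false, reason: "expired" };
  return { ok: true, reason: null };
}
```

Logging the `reason` for each rejection shows which check is doing the work on your own traffic before you decide whether a visible captcha is needed at all.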
I’m not sure what the real term for these is, but I’m just gonna call them matchers. They require some matching interaction that doesn’t just fill in a field somewhere.
Here’s one that requires you to drag and drop a matching color:
Great selection of colors as it overcomes the issue of color-blindness. I tested it on a color-blindness simulator:
This one was nice, but was part of a paid service. It’s implementable, but having to introduce a drag and drop library felt like overkill just for a captcha. I wanted to keep our captcha as lightweight as possible. Also, I ain’t gonna cross-browser test that thing on IE8 (apparently we have clients who visit the site on Windows XP. Cue gasp).
Not to say that robots are worse at math than humans are, but this would work assuming that bots don’t have built-in intelligence to detect math questions like these:
I actually quite like this one: it’s simple, there are no worries about cross-browser testing, and it gets the job done. It wasn’t a preferred choice of the team though.
Select the color
Here’s one I came up with:
It doesn’t pass the color-blindness test with flying colors though (ahem), but I figured adding the keyword for position (third) would compensate for that. Shapes could work as well (e.g. pick the red triangle) to get over that.
It’s simple, and not totally foolproof (you can always get bots to detect the hex color and do some simple math to determine if it’s reddish), but good enough for a super-duper lightweight solution.
Well, I’m still figuring out what works best – though ideally I’d like to find out just how spam bots work, and how intelligent they really are.
It’s a bit of a compromise – just how complicated does a captcha have to be for the sake of thwarting bots? Do we stick to the tried and true Google ReCaptcha? Do we use a fancy sliding-drag-drop thing? Is that level of complexity necessary? How likely is your website to be spammed? So many questions to answer. Til next time!