What is a captcha?

If you have ever joined a large website then you have seen a captcha. Twitter uses it, Facebook uses it, and WordPress uses it. Captchas are small tests that you must complete to prove that you are human. The test usually involves looking at some text and typing that text in a nearby box.

What are captchas supposed to do?

The simple answer: keep your website spam-free. That is the purpose of a captcha. More generally, its goal is to stop automated spam by assuming every user of the site is a robot until proven otherwise.

Why captchas are bad

On the surface, captchas seem easy to use and interact with. In practice, they only look that way to people who have perfect vision and an elastic mind. If you have these qualities, congratulations. If you don’t, here’s how hard captchas will be for you and your users:

  • Warped letters are difficult for users to read. Combine that with a strikethrough and you have a bad idea.
  • Users cannot tell the difference between 0 and i, or between I, l and 1, in certain fonts.
  • Blind people cannot use them. Even colorblind people find some implementations of captcha difficult to use.

Worst of all, even people with super vision and brilliant spatial awareness find simple captchas annoying. This drives users away, reducing revenue.

How can you make captchas better?

The best way to make captchas better is to turn the concept on its head. Instead of asking each user to prove that they are human, you can trick each bot into telling you that it is an automated spam machine. The easiest way to do this is to set up some traps.

Traps and why they work

To explain what a trap is and how it will prevent your site from being filled with spam, you first need to know how a spam bot works. If you don’t know what you’re up against, you’ll never beat it.

The two types of robots

There are two types of spam-bots. The first type is the replay bot. This type of spam-bot records a form word for word, and then posts the form with the fields filled in at a later date. It’s like a spammy version of TiVo. Typically, the bot will do this over and over again, literally replaying the recording it has made of the form.

The second type of spam-bot is the form filler. Form fillers crawl the web, find a form, insert the spam, and submit it. Some form fillers are dumb and will put the same information in every field. Others recognize common field names like username and email. A bot like that will place the spam in a text area, since that’s usually where users’ content goes on each post.

Traps for form fillers

The easiest way to catch a form filler bot is to create a field that a human won’t (ideally can’t) fill. You can do this by warning users not to fill out a certain field, but that’s just as bad as asking users to fill out a captcha. Much better is to make your trap hidden. A form-filling bot does not look at the rendered form; it reads and parses the markup. You can create a field that is invisible to humans but is still parsed by the bot. You can hide a field using CSS or change the style of a field directly using JavaScript. As long as the field’s visibility is set separately from the form, the bot will always fill the field and your users won’t even know it exists.

Catching replay bots

With replay bots, you need to take advantage of the fact that forms are collected once, ahead of time. The forms are collected and then some time later they are replayed. You can record when a form was produced by including a date and time stamp with each form you generate. By comparing that date and time to the current date and time, your site can deduce whether or not an unreasonable amount of time has passed between generating and submitting the form.

When robots get smarter

The obvious problem with adding a timestamp to your form is that once it becomes widely known as a tool to stop spam, the people who program the replay bots will generate valid timestamps at the time the form is replayed. The way around this is to encrypt the timestamp using a secret key. The data is decrypted when the form is submitted and then evaluated. It is very unlikely that a replay bot can guess both your secret key and your encryption algorithm, giving you security against spam, no matter how smart the bot is.
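
An added example, not code from the original article: a Python sketch of both traps, a CSS-hidden field for form fillers and a keyed timestamp for replay bots. It signs the timestamp with an HMAC instead of encrypting it, so forging one requires the secret key alone; the field names, the key placeholder and the one-hour limit are assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"change-me-server-side-secret"  # placeholder; load a random key from config
TRAP_FIELD = "website"   # hypothetical name for the hidden trap field
MAX_AGE = 3600           # assumed limit in seconds between rendering and submitting

FORM_TEMPLATE = """<style>.hp {{ display: none; }}</style>
<form method="post">
  <textarea name="comment"></textarea>
  <input class="hp" name="{trap}" tabindex="-1" autocomplete="off">
  <input type="hidden" name="token" value="{token}">
  <button>Send</button>
</form>"""


def _sign(ts):
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Return 'timestamp.signature' for the hidden token field."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def render_form(now=None):
    return FORM_TEMPLATE.format(trap=TRAP_FIELD, token=issue_token(now))


def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of submitted form fields."""
    now = time.time() if now is None else now
    # Trap 1: people never see the hidden field, so any value came from a form filler.
    if form.get(TRAP_FIELD, "").strip():
        return False, "trap field filled"
    # Trap 2: the timestamp must carry a signature made with the server's key.
    ts, _, sig = form.get("token", "").partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad token"
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad token"
    # A genuine but old timestamp means the form was recorded and replayed later.
    if now - int(ts) > MAX_AGE:
        return False, "stale form"
    return True, "ok"
```

A token stays valid until MAX_AGE elapses, so a replay inside that window still passes unless the server also records the tokens it has already accepted.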
