Drop the captcha – it’s time to get sneaky


“Please enter the letters and numbers you see below.”

How many times have you read that and looked at the letters and numbers you’re supposed to identify and thought, “I can’t even…”? You press the refresh button to bring up different digits, which turn out to be worse. This is the point you decide you can’t be bothered and you go to a competitor’s site and sign up there instead.

A little history: CAPTCHA is an acronym – it stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. The term “captcha” was first used in 2000, but this type of test was in use before that. The purpose of a captcha is to allow you to prove you’re a human and not a spambot signing up to whatever it is you’re signing up to.

Captchas aren’t all bad

OK, let’s get this out the way. They stop spambots. Or at least, they’re supposed to. Everything evolves, and now there are bots that can solve captcha puzzles, whether they be letters and numbers to identify, or a simple sum.

reCAPTCHA, which is owned by Google, actually uses the answers given by humans to digitise books and annotate images, so it’s giving something back too.

Captchas are all annoying

This is the real problem – people hate them. Captchas annoy users, and the average users’ attention span is short enough without putting obstacles in their way. But we need captchas!

Don’t we?

You need to be sneaky

Despite the fact that spambots are getting cleverer, they’re still quite stupid in a lot of ways. One of these ways is that when a bot sees a web form, it fills it in. Every available field. It leaves nothing empty. And this is something you can use to your advantage.

Introducing the honeypot

A honeypot is a form field that is hidden to the human user but is visible to the spambots. Bots don’t read a web page the way we do – they read the code that’s behind the page. So even if we’ve hidden this form field using CSS or JavaScript, the bots can still see it. And, as they will complete every form field, they’ll fill this field in. And you’ve just caught a bot. BOOM.

The idea is simple – humans can’t see this form field, so they can’t complete it. But bots can and do. So if your form is sent with this field completed, you’ve got a bot. If it’s empty, you’ve got a human.

What you do with a form submission from a bot is up to you – once it’s been identified as from a bot, you can choose to kill the program that sends the message to you before it gets to the email stage. You can add it to your database for later analysis (once you’ve sanitised the data!), or blacklist their IP address. You can set it to let you know that a bot has been active on your form, then do a little jig in the knowledge that you’ve outwitted them.

Humans don’t know honeypots are there

This is the best bit – an internet user will have no idea that your form is protected from spam by a honeypot. They’ll fill in the form without having to get annoyed about a Captcha. Huzzah!

Won’t the bots get smart to it?

They already have, to an extent. Some bot authors are now including programs to spot honeypots – the bot will look for input fields called “Name”, “Email” and “Message” or “Content”. You need to ensure that your honeypot is smarter:

  • place a honeypot in different positions in different forms – don’t use the same place every time.
  • give the honeypot a different input name each time – this will throw the bot off the scent. Don’t call it “honeypot”.
  • change the names of your normal fields to something random. This will make the valid fields look like honeypots a bot and hopefully confuse it enough.
  • if you’re hiding your honeypot with CSS, don’t use something like “hide” as a class name.

Since we changed from using captchas to honeypots, we get way more mail through our contact form and it’s all legitimate. We haven’t had a single spam message. I’m not saying you’ll be as successful in getting more mail – but using a honeypot instead of a captcha will decimate the amount of spam you receive.

If you’d like to know more, get in touch.