Practical non-image based CAPTCHA approaches?

Answer 1

What if you used a combination of the captcha ideas you had (choose any of them - or select one of them randomly):

• ASCII text captcha: //(_)//
• math puzzles: what is 7 minus 3 times 2?
• trivia questions: what tastes better, a toad or a popsicle?

with the addition of placing the exact same captcha in a css hidden section of the page - the honeypot idea. That way, you'd have one place where you'd expect the correct answer and another where the answer should be unchanged.

Answer 2

Best captcha ever! Maybe you need something like this for sign-up to keep the riff-raff out.

Answer 3

I just use simple questions that anyone can answer:

What color is the sky?
What color is an orange?
What color is grass?

It makes it so that someone has to custom program a bot to your site, which probably isn't worth the effort. If they do, you just change the questions.

Answer 4

Actually it could be an idea to have a programming related captcha set. For example:

There is the possibility of someone building a syntax checker to bypass this but it's a lot more work to bypass a captcha. You get the idea of having a related captcha though.

Answer 5

Unless I'm missing something, what's wrong with using reCAPTCHA as all the work is done externally.

Just a thought.

Answer 6

Make an AJAX query for a cryptographic nonce to the server. The server sends back a JSON response containing the nonce, and also sets a cookie containing the nonce value. Calculate the SHA1 hash of the nonce in JavaScript, copy the value into a hidden field. When the user POSTs the form, they now send the cookie back with the nonce value. Calculate the SHA1 hash of the nonce from the cookie, compare to the value in the hidden field, and verify that you generated that nonce in the last 15 minutes (memcached is good for this). If all those checks pass, post the comment.

This technique requires that the spammer sits down and figures out what's going on, and once they do, they still have to fire off multiple requests and maintain cookie state to get a comment through. Plus they only ever see the Set-Cookie header if they parse and execute the JavaScript in the first place and make the AJAX request. This is far, far more work than most spammers are willing to go through, especially since the work only applies to a single site. The biggest downside is that anyone with JavaScript off or cookies disabled gets marked as potential spam. Which means that moderation queues are still a good idea.

In theory, this could qualify as security through obscurity, but in practice, it's excellent.

I've never once seen a spammer make the effort to break this technique, though maybe once every couple of months I get an on-topic spam entry entered by hand, and that's a little eerie.