Captcha - To Use Or Not To Use

I think you should use Captcha for account creation only. For other forms, instead of using captcha images you can use other techniques like mathematical operations to confirm whether the person isn’t a bot. :) :cool:

Why not use Fegall’s idea and not include the captcha? The form will have a minimum time rather than almost immediate that the bots will do, so allow an account that waits the specified period. If this is the ‘minimum’ time allowed to create the form, then it is pretty equal for the sighted and non-sighted users and no annoying CAPTCHAs and would stop most spam bots from creating multiple accounts. Love this idea!

As I said previously, we use a timer system and it does work. Now the occasional bot does get through, it’s not 100%, but it really is occasional. We converted to the timer method to solve a problem, which was that bots started to figure out how to get past the captcha, so we decided to try something else. The timer method is far more effective.

Why not lol? When it’s a question of security for your site then to avoid spamming you should use Captcha…

Who said anything about neglecting site security and not stopping spammers? This thread is discussing alternative methods to resolve the same problems that captchas resolve.

It’s a perfectly valid discussion when you consider that Captchas:

  1. Are of limited effectiveness; bots are continually evolving their recognition skills and learn how to get past them. I’ve had to update captcha image sets many, many times as bots have figured them out.

  2. They are often difficult to read and sometimes illegible.

  3. They are an accessibility nightmare, even with audio recognition.

  4. End users hate them

Therefore, other solutions that catch bots out have been outlined in this thread.

CAPTCHA is a modern day necessity. You will get tons of spam without it. Even a contact form I had got spammed until I added visual verification.

If anyone needs an incredibly easy to integrate CAPTCHA that is also free and open source, you should check out Securimage at this site:

http://www.phpcaptcha.org/

I use it and it works very well. You can integrate it into your site with only a few lines of code. I can’t recommend it highly enough.

This is untrue. You need some kind of bot protection; however, captchas are not the beginning nor the end. There are other solutions to stop spam bots, as has been discussed extensively in this thread.

So “CAPTCHA is a modern day necessity. You will get tons of spam without it.” is simply untrue; other traps such as form timers and honeypots work just as well.

And they are also much kinder on legitimate visitors. Captcha may make a site owner feel secure, but it’s a misery for users.

Just to note, I’ve converted 15 sites, some old ones with CAPTCHAs and some with Honey Pots, to the timer suggestion. It works great and I am getting about 30% less spam on these sites, plus they are far more accessible as people have indicated throughout this thread. I know that bots could be built to pause to beat timers but nothing works forever, so while it works well I will use it.

Steve

I was under the assumption most Captchas nowadays have a read-out feature. So as long as those who have issues can hear, they can have the Captcha read out the letters or phrase to them.

But have you ever tried that? It’s like listening to an announcement over a PA system at a train station—i.e. muffled and incomprehensible. :lol:

As Ralph says, the audio versions are little better. And sometimes I don’t want noise. My computer at work doesn’t have sound, and even if it did, I wouldn’t want to have the sound on when other people were working. Likewise if I’m on a train or in another public place, or watching TV at the same time, or anything like that … sound gets very irritating.

Wow, I never thought about doing anything like this! But I love it!! Captchas make me mad as I can be. Mostly because I cannot read them! I am going to use this idea for any forms that the public can access.

Not to hijack, but one way I used to do it was to make a hidden field; it was named something like “spam” and it would be an input field. I would check to see what the length of that field was in the PHP script, and if there was text in it I presumed it was a bot and the form did not finish and displayed an error message. Whether this helped or not I am not sure.

Yes, that sounds like the “honeypot” method mentioned above. The only problem with it is that it may not be hidden for all users, so you have to warn them somehow—either with a label saying “don’t fill this in” or by offering an answer they can type in.

I recently had to digitally sign some paperwork on a website by literally drawing my signature in a field with my mouse. I know, what a PITA.

However, how does that sound as an alternative? Require a user to scribble anything into a field, using their mouse or arrow keys. A spam bot wouldn’t understand the concept of drawing… yet.

EDIT: taking that concept even further, what about simply monitoring cursor movement and/or page scroll? Any type of movement within the page can be assumed human.

Sounds interesting, but my problem with that is it means hassling legitimate posters too, which I don’t like. I don’t like being put through the hoops just because there are @ssholes out there (like at airports, where you have to put up with being studied in the nude now. :nono: ). I’d prefer a solution that snags the miscreants but leaves me alone. :slight_smile:

what about simply monitoring cursor movement and/or page scroll?

You’d have to make sure it accounts for users such as those with screen readers.

Very true. I’ve been pondering that issue. Still, those using a screen reader must still interact (using the keyboard or voice) with content within a browser, such as changing the focus in a decidedly human manner.

As a partial alternative, you could go ahead and monitor cursor movement. Any humans not using a screen reader get a free pass. Bots and, unfortunately, those using a screen reader or not using their mouse will have to deal with a manual captcha.

Hmm … I generally tab through forms because I have some co-ordination problems and it’s easier than using a mouse. My elderly friend does the same, because fine movements are difficult with arthritis. And we both struggle with Captcha, although for slightly different reasons. So I suspect that approach may end up penalising the folk who already have the most difficulty with forms. :frowning:

“Captcha keeps Spammers Away” :smiley: Hehe. Use it to your own advantage. If you don’t use it, expect spam in your mail.

If it is a database application then just insert a minimum time into a spammer_catch table that matches their PHP Session variable. Even if they have cookies turned off the Session will be written to their URL. Then when the page is posted, test if the time matching their session is long enough for a fast human typist; if the time is ok then let them through, otherwise stop their attempt. On top of this, log how many times they try; if only a few then ok, but if hundreds or thousands then try to block their I.P. and SESSION.

You could also not use the DB and instead just write the time to the user’s session.

This approach does not bother human typists or people who use screen readers or have other accessibility challenges, and it does not matter if JavaScript is on or off or, like I mentioned, if cookies are shut off. However, this will not work for a non-dynamic, HTML-only site; PHP, ASP.NET, or Java would also need to be used.

IMHO CAPTCHAS cause way too many troubles for end-users.

Steve
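
The session timer described in the post above, combined with the hidden honeypot field mentioned earlier in the thread, might look like this in PHP. This is an added example, not code posted by anyone in the thread; the field name `website`, the 5-second minimum, the 20-attempt limit and both function names are assumptions, and the attempt counter is tracked per session only.

```php
<?php
// Added example, not code from the thread. The field name, 5-second minimum
// and 20-attempt limit are assumed values; tune them per form.
const HONEYPOT_FIELD = 'website';
const MIN_FILL_SECONDS = 5;
const MAX_FAST_ATTEMPTS = 20;

// Call when the form is rendered: remember the render time in the session.
function stamp_form(array &$session, int $now): void
{
    $session['form_rendered_at'] = $now;
}

// Call on POST. Returns 'ok', 'blocked', 'honeypot', 'no_timestamp' or 'too_fast'.
function check_submission(array &$session, array $post, int $now): string
{
    if (($session['fast_attempts'] ?? 0) >= MAX_FAST_ATTEMPTS) {
        return 'blocked';
    }
    // Honeypot: hidden via CSS and labelled "leave blank" for users who still see it.
    $trap = $post[HONEYPOT_FIELD] ?? '';
    if (!is_string($trap) || trim($trap) !== '') {
        return 'honeypot';
    }
    // A POST with no recorded render time never loaded the form in this session.
    if (!isset($session['form_rendered_at'])) {
        return 'no_timestamp';
    }
    $elapsed = $now - $session['form_rendered_at'];
    unset($session['form_rendered_at']); // single use: one render, one submit
    if ($elapsed < MIN_FILL_SECONDS) {
        $session['fast_attempts'] = ($session['fast_attempts'] ?? 0) + 1;
        return 'too_fast';
    }
    return 'ok';
}

// Constructed demo for the CLI; in a web app pass $_SESSION, $_POST and time().
$session = [];
stamp_form($session, 1000);
echo check_submission($session, ['email' => 'a@example.com', 'website' => ''], 1002), "\n";
stamp_form($session, 1010);
echo check_submission($session, ['email' => 'a@example.com', 'website' => ''], 1040), "\n";
stamp_form($session, 1050);
echo check_submission($session, ['email' => 'b@example.com', 'website' => 'http://x.example'], 1090), "\n";
```

Clearing the timestamp after each check means a client cannot load the form once, wait out the timer, and then reuse the same render for repeated posts.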