How secure is a static CAPTCHA?
I have seen some webmasters using a CAPTCHA that doesn't change at all. And many of them use JavaScript to validate this value. For example:
if(captchaCode != "4ERJZ")
Since most web browsers have an "inspect element" or similar feature, how secure is using this type of CAPTCHA?
2 Comments
Using JavaScript for validating a CAPTCHA is absolutely pointless because 99% of spambots don't execute JavaScript.
They are not advanced web browsers with "inspect element" features, they are basic programs that fetch the HTML of a page, look for a form, then send a POST request to the form's action parameter.
Their purpose is to trawl as many web pages with forms as they can find and submit advertising or other spam with the hope it will be seen by at least one person (in the case of a contact form, for example) or preferably many people (in the case of blog comment spam for example).
In general they do not target specific sites, so if you use a unique spam-prevention system it will likely work very well. If a particular approach is very common (such as reCAPTCHA or WordPress comment forms) they will detect those and try to get around them.
So using a unique image, even if it doesn't change, is a reasonable approach. You must validate on the server side as JavaScript is mostly ignored by spambots. However, if a spambot's author catches on they may change their program to simply input the static key for your site. Now your approach is broken.
On small sites, a static CAPTCHA can provide some security against automated spambots that trawl e.g. Google for sites to attack.
Even though the CAPTCHA is fixed for each site, each site (hopefully) has a different one.
Basically, with a normal (dynamic) CAPTCHA, the payoff for solving it is the ability to make one post. With a static CAPTCHA, you get to make as many posts as you want on that site (at least until somebody notices), but you still need to solve a different CAPTCHA for each site. For small, low-ranked "long tail" sites, that payoff for a spammer may still not be worth the effort of spending a few seconds solving the CAPTCHA.
That said, if you're going to go that route, using an actual image CAPTCHA is probably overkill, and will unnecessarily hurt the user experience. The same results can be achieved just as well just by e.g. asking your users to answer a simple question like "What is the name of this site?" or "What color is the sky on a clear day?", or even just "Please type 'friend' (not 'enemy') in the box below:".
This is not just theory: the MediaWiki QuestyCaptcha extension works like this. I use it on several small wikis I admin, and I've found it extremely efficient — so far, I haven't had a single spammer solve the (trivially simple) questions. (The fact that most of them are in a fairly obscure language may help.)
Using JavaScript to validate a CAPTCHA is a bad idea anyway, though, at least unless you also validate it on the server side (or unless your post submission process essentially requires JavaScript). That's because many spambots don't run JavaScript at all, but simply submit the HTML form directly to the server.
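Added example, not part of either answer above: a server-side check for a static question CAPTCHA, written as plain JavaScript that runs under Node.js. The question, accepted answers, field names and request bodies are constructed for illustration; the point is that the answer never appears in the HTML sent to the browser and that every POST is checked, including one from a client that never ran any script.

```javascript
// Added example: the static question CAPTCHA is checked on the server only.
// QUESTION, ACCEPTED and the field names are constructed for illustration.
const QUESTION = "What color is the sky on a clear day?";
const ACCEPTED = new Set(["blue", "light blue"]);

// HTML sent to the client: it carries the question, never the answer,
// so "inspect element" or the page source reveals nothing to copy.
function renderForm() {
  return [
    '<form method="post" action="/comment">',
    `  <label>${QUESTION} <input name="captcha_answer"></label>`,
    '  <textarea name="comment"></textarea>',
    '  <button type="submit">Send</button>',
    "</form>",
  ].join("\n");
}

// Trim, lowercase and collapse inner whitespace so " Blue " still passes.
function normalize(value) {
  return String(value ?? "").trim().toLowerCase().replace(/\s+/g, " ");
}

// Server-side handler for a raw application/x-www-form-urlencoded body.
// It runs for every POST, whether or not the sender executed any JavaScript.
function handleCommentPost(rawBody) {
  const form = new URLSearchParams(rawBody);
  const comment = (form.get("comment") ?? "").trim();
  if (!ACCEPTED.has(normalize(form.get("captcha_answer")))) {
    return { status: 403, accepted: false, reason: "captcha" };
  }
  if (comment === "") {
    return { status: 400, accepted: false, reason: "empty comment" };
  }
  return { status: 200, accepted: true, comment };
}

// Constructed request bodies.
const directPost = "comment=Hello+from+a+script"; // CAPTCHA field left out
const wrongGuess = "captcha_answer=4ERJZ&comment=Hello+from+a+script";
const humanPost = "captcha_answer=+Blue+&comment=Nice+article";

console.log(handleCommentPost(directPost).status); // rejected: field missing
console.log(handleCommentPost(wrongGuess).status); // rejected: wrong answer
console.log(handleCommentPost(humanPost).status);  // accepted
```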