: How secure is a static CAPTCHA? I have seen some webmasters using a CAPTCHA that doesn't change at all. And many of them use JavaScript to validate these value. For example: if(captchaCode !=

@Cofer257

Using JavaScript for validating a CAPTCHA is absolutely pointless because 99% of spambots don't execute JavaScript.

They are not advanced web browsers with "inspect element" features, they are basic programs that fetch the HTML of a page, look for a form, then send a POST request to the form's action parameter.

Their purpose is to trawl as many web pages with forms as they can find and submit advertising or other spam with the hope it will be seen by at least one person (in the case of a contact form, for example) or preferably many people (in the case of blog comment spam for example).

In general they do not target specific sites, so if you use a unique spam-prevention system it will likely work very well. If a particular approach is very common (such as reCAPTCHA or Wordpress comment forms) they will detect those and try to get around them.

So using a unique image, even if it doesn't change, is a reasonable approach. You must validate on the server side as JavaScript is mostly ignored by spambots. However, if a spambot's author catches on they may change their program to simply input the static key for your site. Now your approach is broken.

Vote Up Vote Down

@Carla537

On small sites, a static CAPTCHA can provide some security against automated spambots that trawl e.g. Google for sites to attack.

Even though the CAPTCHA is fixed for each site, each site (hopefully) has a different one.
Basically, with a normal (dynamic) CAPTCHA, the payoff for solving it is the ability to make one post. With a static CAPTCHA, you get to make as many posts as you want on that site (at least until somebody notices), but you still need to solve a different CAPTCHA for each site. For small, low-ranked "long tail" sites, that payoff for a spammer may still not be worth the effort of spending a few seconds solving the CAPTCHA.

That said, if you're going to go that route, using an actual image CAPTCHA is probably overkill, and will unnecessary hurt the user experience. The same results can be achieved just as well just by e.g. asking your users to answer a simple question like "What is the name of this site?" or "What color is the sky on a clear day?", or even just "Please type 'friend' (not 'enemy') in the box below:".

This is not just theory: the MediaWiki QuestyCaptcha extension works like this. I use it on several small wikis I admin, and I've found it extremely efficient — so far, I haven't had a single spammer solve the (trivially simple) questions. (The fact that most of them are in a fairly obscure language may help.)

Using JavaScript to validate a CAPTCHA is a bad idea anyway, though, at least unless you also validate it on the server side (or unless your post submission process essentially requires JavaScript). That's because many spambots don't run JavaScript at all, but simply submit the HTML form directly to the server.

Vote Up Vote Down