With the large number of bots and spammers that plague the web today, an effective method to prevent automated submissions and signups is needed. This article discusses the effectiveness of honeypot captchas compared with the ordinary captchas used by most sites.
A Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart) is used by websites to distinguish between human visitors and automated bots to prevent malicious acts such as spamming.
The typical captcha shows some random numbers/letters on the screen which need to be typed in before proceeding further. Such captchas can easily be solved using OCR libraries with a high accuracy rate (>95%).
Thus, existing captchas are not entirely secure against bots. Using a honeypot captcha is one of the techniques to improve a captcha’s security against bots.
A honeypot is a trap for automated bots, which marks them as spammers. The honeypot captcha is similar to the ordinary captchas and needs to be solved before proceeding further.
However, after solving such a captcha, the visitor will not proceed further until he performs some action (such as clicking on a link/button), which helps identify him as a human visitor instead of an automated bot. This blocks most bots, since most such bots do not perform such actions after solving captchas.
As with most defensive technologies, honeypot captchas are best used with other measures such as rate limiting and captcha security levels.
Advantages of Honeypot Captcha vs. Regular Captchas
Apart from being more secure, honeypot captchas have other advantages. Visitors who cannot solve the standard captcha experience no captcha frustration, which improves the overall user experience. A honeypot captcha is also easier to implement than other defensive technologies such as reCaptcha.
Disadvantages of Honeypot Captcha vs. Regular Captchas
There are also possible disadvantages. There may be a false positive where bots cannot identify the honeypot field and continue solving the regular captcha instead. A high false-positive rate can result in a bad user experience since many users will not proceed further on the site due to failed captchas.
Although this issue can be avoided by using advanced honeypot captcha variants, it is still a valid concern.
Honeypot Captcha Implementation
The following are the different types of honeypot captchas that are currently available in the open-source domain:
This type of captcha requires the users to select the textbox containing a specific string or pattern. After solving such a captcha, if no action is performed, the user will not proceed further. If an action is performed immediately after solving the captcha, then there is a high probability that he is a human visitor instead of an automated bot.
Like textbox honeypots, image-based honeypots require users to identify images with a specific pattern or image. After solving such a captcha, if no action is performed, the user will not proceed further. If an action is performed immediately after solving the captcha, then there is a high probability that he is a human visitor instead of an automated bot.
Similar to textbox and image honeypots, video-based captchas require users to watch a short video. After watching such videos, if the user does not act, he will not proceed further on the site. In most cases, clicking on any play/pause button helps distinguish humans from bots.
Hidden Honeypot Cross-Site Request Forgery (CSRF) Form
This type of captcha requires users to act on a different site. The users are presented with a form to be submitted on another website. Users need to identify whether the displayed captcha is hosted on that target website and then submit the filled-out form (only if that specific captcha belongs to that target website).
This type of honeypot captcha requires users to solve multiple honeypots (of any kind) before proceeding further on the site. Each solved honeypot will remove one div from the captcha image, making the solving process very difficult for bots. This type of honeypot captcha is recommended when security is the top priority, and the false-positive rate can be ignored for a while.
Benefits of Honeypot Captchas
Here are five benefits associated with using honeypot captcha:
1. Captcha codes prevent bots from automatically registering new accounts on your site:
With most registration and sign-up forms getting spammed daily, it is essential to identify these fake registrations, as they often result in a loss of money to the business.
By creating a honeypot captcha field, you are effectively blocking out automated bots from accessing your registration form because only humans can fill out this type of captcha code.
2. Captcha codes make it easy for actual users to access your site:
By adding a honeypot captcha to any sign-up, login or registration form, you are essentially allowing only real people to access your website. This means that if someone is trying to hack into your site or steal personal information, they will be automatically blocked by the captcha.
While some hackers may find a way around this security strategy, most will understand that their attempts are futile and move onto something else instead of wasting time trying to break through an invisible field.
3. It is a very easy security measure to implement:
In comparison with other captcha types, honeypot captchas are the simplest to set up as they do not require any coding or programming on your part. You have to add simple input fields that people can fill out and then use CSS styling to achieve an invisible captcha field.
Most site templates already come with the code required for this type of captcha, so you need do nothing more than copy the code and insert it into your registration form or website page. All bots will be blocked once this has been done, while real users will have no trouble accessing your site.
With almost zero effort required on your part for this security measure, why wouldn’t you add a honeypot captcha to your website?
4. Honeypot captchas are future-proof:
Since bots and spiders cannot read, honeypot captchas will not be affected by any changes in technology or software programs. As long as human beings can read the captcha code, it will continue to work efficiently in blocking automated bots from accessing certain parts of your site.
Compared with other captcha types, this security measure is much more likely to stand the test of time.
5. Spam filters that use honeypot captchas are less likely to be triggered by false positives:
False positives occur when spam filters incorrectly identify real users as spammers due to an unfortunate similarity (or their behavior). When real people are blocked from accessing certain parts of your website due to false positives, it can be highly frustrating as they cannot figure out why their account is restricted.
This often leads to customer complaints and possible refunds, which could have been avoided if the spam filter had not mistaken someone’s account for that of a spammer.
With honeypot captchas, any human input will always be accepted regardless of the similarity between an automated bot program and a real user account. As long as there is enough difference between what a real person enters in the field and what bots enter, the captcha should always identify users correctly regardless of how similar they are to spammers.
Honeypot Captchas are easy to implement on websites, and they are future-proof. They also work efficiently in blocking automated bots while allowing real users to access the website without difficulty. With no effort required, this security measure is something you should be looking into for your website today.
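The invisible-field honeypot described under benefit 3, paired with the rate limiting recommended earlier, can be checked on the server as in the following added example (not code from the original article). The field name `website`, the CSS class `hp-wrap`, the `/signup` action and the limits are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed form markup: "website" is the decoy field (hypothetical name).
# It is moved off-screen with CSS and skipped by keyboard focus and autofill.
FORM_HTML = """<style>.hp-wrap{position:absolute;left:-9999px}</style>
<form method="post" action="/signup">
  <input name="email" type="email" required>
  <div class="hp-wrap" aria-hidden="true">
    <label>Leave this field empty
      <input name="website" type="text" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Sign up</button>
</form>"""

HONEYPOT_FIELD = "website"
MAX_POSTS, WINDOW_SECONDS = 5, 60.0   # assumed limits, tune per site
_recent = defaultdict(deque)          # client id -> timestamps of recent posts


def rate_limited(client_id, now):
    """Sliding window: True once a client exceeds MAX_POSTS per window."""
    hits = _recent[client_id]
    while hits and now - hits[0] >= WINDOW_SECONDS:
        hits.popleft()
    hits.append(now)
    return len(hits) > MAX_POSTS


def check_submission(form, client_id, now=None):
    """Return 'accept', 'reject_honeypot' or 'reject_rate' for one POST."""
    now = time.time() if now is None else now
    if rate_limited(client_id, now):
        return "reject_rate"
    # A human never sees the decoy, so any non-blank value means automation.
    # A missing key is tolerated: some clients omit empty inputs.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "reject_honeypot"
    return "accept"


if __name__ == "__main__":
    # Constructed sample submissions.
    print(check_submission({"email": "a@example.com", "website": ""}, "198.51.100.7"))
    print(check_submission({"email": "b@example.com", "website": "http://x.example"}, "198.51.100.8"))
```

The label text inside the hidden wrapper tells screen-reader and text-browser users to leave the field empty, which reduces the false positives discussed above.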