
Re: Example of accessible CAPTCHAS that work well

From: Matt May <mattmay@adobe.com>
Date: Mon, 12 Dec 2011 13:18:35 -0800
To: Cliff Tyllick <cliff.tyllick@yahoo.com>
CC: "w3c-wai-ig@w3.org" <w3c-wai-ig@w3.org>
Message-ID: <67CF45F2-8F41-4216-BE49-446D0D386693@adobe.com>
The problem with a strategy like this is that, while you will confound the most basic spammer scripts this way, any benefit you derive will degrade over time, and in a manner that's highly dependent on the purpose and popularity of your site.

This is known as "Club lock" security, after the steering wheel locks that were at least once popular. The idea is that any visible countermeasure against attack will make nearby targets more attractive than yours, at least for a time. But in the long run, any site that's valuable enough to a spammer (an email service, say, vs. a niche blog) will eventually be targeted directly. Anyone can modify a script to ignore a certain field or type the word that was in quotes ("Type 'red' into this field") or whatever, and you've been compromised. The only question is at which point a spammer sees your particular site(s) as worth 3 minutes of extra scripting work.

In the long run, there are many better systems for avoiding spam without resorting to CAPTCHA or other logic puzzles or honeypots like this. Systems that use heuristics, like how many seconds it took to post a message, or networked spam filters like Akismet provide better protection without forcing actual users to do anything special.


On Dec 11, 2011, at 12:03 AM, Cliff Tyllick wrote:

About honeypots, Phill Jenkins wrote:

Seems to me this would fail with screen readers, magnifiers, and keyboard users if the keyboard navigation still gets to the so-called hidden field. I suppose one could add a negative tab-index to remove it from the navigation sequence, but I would like to test one out before recommending this alternative technique.

Phill, I'd take a much simpler approach. I'd label the field, "If you are not a bot, leave this field blank:"

I'd still hide the field and its label from as many people as I could, but anyone who does encounter it should know what to do.

Others have pointed out that extremely-high-volume sites are under such persistent scrutiny that the honeypot, however designed, would soon be overcome. I would think that for most sites this approach would be worth trying. If it doesn't work, try something else, but by all means, try not to burden your customer with your problems.

Cliff Tyllick
Received on Monday, 12 December 2011 21:19:47 UTC
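The two defences discussed in this thread, the labelled honeypot field (Cliff's wording, with the negative tabindex Phill mentions) and the time-to-post heuristic Matt refers to, combined in one server-side check. This is an added example written for this archive page, not code from any of the list members; the field name `website_url`, the `form_token` field, the 3-second threshold and the signing secret are all assumptions, and the visual hiding of the honeypot wrapper is assumed to be done by a CSS rule for the `hp-wrap` class that is not shown here. The form's render time is signed with an HMAC so the client cannot simply post a back-dated timestamp.

```python
import hashlib
import hmac
import time

# Constructed placeholder values; a real deployment picks its own.
SECRET = b"replace-with-a-per-deployment-secret"
HONEYPOT_NAME = "website_url"   # hypothetical honeypot field name
TOKEN_NAME = "form_token"       # hypothetical hidden field carrying the signed render time
MIN_SECONDS = 3                 # hypothetical threshold: humans take longer than this to post


def render_honeypot_field(name=HONEYPOT_NAME):
    """Markup for the honeypot: labelled as suggested in the thread, removed
    from the tab order with tabindex="-1", and with autocomplete off so a
    browser's form autofill does not populate it and flag a real user.
    Visual hiding is assumed to come from a CSS rule on the hp-wrap class."""
    return (
        f'<div class="hp-wrap">'
        f'<label for="{name}">If you are not a bot, leave this field blank:</label>'
        f'<input type="text" id="{name}" name="{name}" tabindex="-1" autocomplete="off">'
        f'</div>'
    )


def issue_form_token(rendered_at=None):
    """Signed timestamp of when the form was rendered, to be placed in a hidden
    input named TOKEN_NAME. Signing it stops a script from forging an old time."""
    ts = int(time.time() if rendered_at is None else rendered_at)
    mac = hmac.new(SECRET, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def parse_form_token(token):
    """Return the render timestamp if the token's signature verifies, else None."""
    if not isinstance(token, str) or "." not in token:
        return None
    ts_str, mac = token.split(".", 1)
    if not ts_str.isdigit():
        return None
    expected = hmac.new(SECRET, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(ts_str)


def evaluate_submission(fields, now=None):
    """Decide whether a posted form looks automated.

    fields is the dict of submitted form values. Returns (accepted, reason).
    Honeypot first: a filled honeypot is the strongest signal. Then the
    timing heuristic: a post arriving seconds after the form was rendered
    is almost certainly a script."""
    now = time.time() if now is None else now
    if fields.get(HONEYPOT_NAME, "").strip():
        return False, "honeypot filled"
    rendered_at = parse_form_token(fields.get(TOKEN_NAME, ""))
    if rendered_at is None:
        return False, "missing or forged timestamp"
    elapsed = now - rendered_at
    if elapsed < MIN_SECONDS:
        return False, f"submitted after {elapsed:.1f}s"
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions: one human-like, one with the honeypot filled,
    # one posted one second after render, one with a forged token.
    token = issue_form_token(rendered_at=1000)
    print(evaluate_submission({TOKEN_NAME: token, HONEYPOT_NAME: ""}, now=1010))
    print(evaluate_submission({TOKEN_NAME: token, HONEYPOT_NAME: "http://spam.example"}, now=1010))
    print(evaluate_submission({TOKEN_NAME: token, HONEYPOT_NAME: ""}, now=1001))
    print(evaluate_submission({TOKEN_NAME: "1000.deadbeef", HONEYPOT_NAME: ""}, now=1010))
```

Neither signal is conclusive on its own, which is the point of the thread: a filled honeypot can be browser autofill, and a fast post can be a returning user with a prefilled form. Logging the rejection reason rather than silently dropping the post lets the site operator watch how often each signal fires and adjust the threshold, and lets real users who were wrongly rejected be noticed.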

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:36:38 UTC