RE: Captcha alternatives

> ...in reality most of the bots are simple and cheap...

This bit about bots is very true. Unusual / obscure anti-spam protection doesn't only work because it's unusual or obscure. It works because bot authors are looking for easy wins. They don't want to build a custom bot for every site they hit. Your anti-spam strategy can be as simple as "are you a human? Type 'yes' or 'y'." For a small site that doesn't warrant being targeted by bot authors, that exact strategy has worked for me for something like ten years. I used to get hit with a dozen spam submissions a week, but I haven't had a single one since I added that very simple question. Obviously I'm talking about a *really* small site, but that's the point: your anti-spam system must take your site's value into consideration.

I think my point is this: if everybody built a simple, human-friendly CAPTCHA, but each one were a little different, only the biggest (high value) sites would need something stronger.

-----Original Message-----
From: Marc Haunschild (Accessibility Consulting) <marc.haunschild@accessibility.consulting> 
Sent: Wednesday, October 13, 2021 21:55
To: David Woolley <forums@david-woolley.me.uk>
Cc: w3c-wai-ig@w3.org
Subject: Re: Captcha alternatives

Hi David,

> Am 13.10.2021 um 22:27 schrieb David Woolley <forums@david-woolley.me.uk>:
> 
> On 13/10/2021 15:13, Marc Haunschild wrote:
>> Getting spam is a problem that no visitor of a website has.
> 
> Although, for simple e-commerce sites, spam associated with response forms may be the main issue

More than this: mitigating spam attacks was part of the question I answered to.

Using a CAPTCHA as a security feature is a complete other thing - and I’m not sure, if someone should rely on this.

>> In many cases simple and stupid solutions can help a lot, like putting a confirmation page between the form and the final send button or checking the time between opening a form and sending it.
>> No human sends a form in less than a second / robots so!
> 
> These only work whilst they are unusual.

Yes. True.

So why not using them while they still work?

Anyway AFAIK every CAPTCHA we have today can be solved by AI. In theory. But in reality most of the bots are simple and cheap - because even cheap and simple bots still find millions and millions of places to put their messages.

As I said: fighting spam needs a strategy. The strategy surely needs updates every now and then…

My knowledge about this is very limited and maybe outdated.

If you want to solve a problem the right way, you’ll need an expert.

Summary: if it’s just about spam use a quick and dirty solution as long as it works.
If you have to rely on this solution for security reasons or simple solutions don’t help, you might not want to ask a11y guys for advice.

From an a11y perspective I recommend: get rid of CAPTCHAS. They make things harder for real people and robots don’t care.

Just my 2 Cents 

Marc

Received on Tuesday, 19 October 2021 15:00:40 UTC