Robert Brodrecht

How to Avoid CAPTCHA




CAPTCHA, short for Completely Automated Public Turing test to tell Computers and Humans Apart, has become user-hostile.

If you search Twitter for #CAPTCHA, you’ll see a lot of people complaining about something that shouldn’t be a problem. CAPTCHA is slowly starting to be the antithesis of its name. It can no longer effectively tell computers and humans apart because the obfuscated text is too difficult for humans to discern. If you think visual CAPTCHA is bad, don’t even bother with audio CAPTCHA.

I want to outline a few simple tricks, each of which takes very little time to implement, that you should try before you decide to implement CAPTCHA.

  • Try to trick a bot into identifying itself. The easiest way I’ve found is to hide a field named “phone” via CSS and check that it was sent with the form and that its value is still empty (e.g. in PHP: if(!isset($_GET['phone']) || $_GET['phone'] !== '') { die('Hello, bot!'); }). You can even set the label to read “Leave this blank” just in case your user has CSS disabled. Since most humans can’t see the field, it will submit with no value. Bots, on the other hand, typically don’t read CSS and will populate the field with a series of digits in an attempt to get around typical validation for a phone field. If the field is empty, assume it isn’t form spam. If it has a value, reject the submission. This will clear up a ton of form spam.
  • Try a simple challenge question, such as “Is fire hot or cold?” If the trimmed, lowercased value of the field is not “hot”, return an error. A free-form question with a free-form answer is easy to implement and will trick any bot that isn’t specifically targeted at your site, especially if you name the form field “phone” because a bot will enter 7 digits. The bonus is that these questions are really easy to change if a bot starts specifically targeting your site.
  • If the above fails, try coming up with a series of easy challenge questions and pick one randomly. This is a more complex version of the second idea, and will basically make it easier for a spam bot writer to manually spam a form than to write a spam bot smart enough to figure out the answer to any random question.

None of the above should take more than 15 to 30 minutes to implement, and all of them will make your users much happier than confronting them with a CAPTCHA.
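
The three checks from the list, combined into one server-side function. This is an added example, not code from the original post. The “answer” field name, the extra questions and the function names are assumptions; in a real form the two arrays would be $_GET (or $_POST) and $_SESSION.

```php
<?php
// Added example: honeypot plus a randomly chosen challenge question.
// Field names, questions and function names are illustrative assumptions.
const CHALLENGES = [          // id => [question, accepted answers]
    'fire'  => ['Is fire hot or cold?', ['hot']],
    'ice'   => ['Is ice hot or cold?', ['cold']],
    'grass' => ['What color is grass?', ['green']],
];

// Pick a question for the form and remember its id server-side, so the
// client cannot choose which question it is answering.
function issue_challenge(array &$session): string
{
    $id = array_rand(CHALLENGES);
    $session['challenge_id'] = $id;
    return CHALLENGES[$id][0];
}

// Returns null when the submission passes, or a short reason string.
function reject_reason(array $form, array &$session): ?string
{
    // Honeypot: "phone" is hidden via CSS; it must be sent and stay empty.
    if (!isset($form['phone']) || $form['phone'] !== '') {
        return 'honeypot';
    }
    // One attempt per issued question: consume the stored id.
    $id = $session['challenge_id'] ?? null;
    unset($session['challenge_id']);
    if (!is_string($id) || !array_key_exists($id, CHALLENGES)) {
        return 'no-challenge';
    }
    // Array-valued input (answer[]=x) would break trim(), so reject it.
    $answer = $form['answer'] ?? null;
    if (!is_string($answer)) {
        return 'bad-answer';
    }
    $answer = strtolower(trim($answer));
    return in_array($answer, CHALLENGES[$id][1], true) ? null : 'bad-answer';
}

// Constructed sample submissions (not real traffic).
$samples = [
    ['phone' => '', 'answer' => ' Hot '],         // human-style submission
    ['phone' => '5551234', 'answer' => 'hot'],    // hidden field filled in
    ['answer' => 'hot'],                          // honeypot field not sent
    ['phone' => '', 'answer' => ['hot']],         // array-valued answer
];
foreach ($samples as $form) {
    $session = ['challenge_id' => 'fire'];        // question pinned for the demo
    var_dump(reject_reason($form, $session));
}
```

Call issue_challenge() when rendering the form and reject_reason() when handling the submission; because the stored id is consumed on every check, each issued question allows one attempt.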