Honeypot Captcha

2014-02-19

Honeypot - a less annoying Captcha

I was looking for a way to avoid spam comments on my blog, other than the typically annoying CAPTCHA method. After some research, I stumbled on another, more user-friendly technique called Honeypot Captcha.

The idea

Use JavaScript to fill out one of the form fields with an arbitrary value. After the form is submitted, check that the value hasn't changed. If a spambot tries to fill out the form, it must run the JavaScript in order to know what value to fill in.

Another trick is to use CSS to hide the form field. This means that the spambot must download and interpret the CSS before it can know whether to fill in the form field or not.

The Implementation

HTML:

<input type="text" id="captcha_1" name="captcha_1" class="captcha" placeholder="Don't fill in this field" />
<input type="text" id="captcha_2" name="captcha_2" class="captcha" placeholder="Don't fill in this field" />

CSS:

.captcha{
    display: none;
}

JS / jQuery:

$(document).ready(function(){
    $("#captcha_1").val("filled in");
});

I use two separate form fields here, just in case the spambot runs JavaScript but doesn't interpret CSS, or vice versa. On submit, I check that the first field (captcha_1) contains the value "filled in", and that the second field (captcha_2) is empty.
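The submit-time check described above, written as an added example (not code from the original post). It assumes the check runs on the server against a urlencoded form body; the function name `checkHoneypot`, the reason strings and the sample bodies are constructed for illustration.

```javascript
// Added example: server-side honeypot check for a urlencoded form body.
// Field names and the "filled in" value come from the post; checkHoneypot,
// the reason strings and the sample bodies are constructed for illustration.
const EXPECTED_VALUE = "filled in";

function checkHoneypot(rawBody) {
  const params = new URLSearchParams(rawBody);

  // A browser sends each named text input exactly once, even when it is
  // hidden with display:none. Missing or repeated fields mean the request
  // was not produced by submitting the rendered form.
  for (const name of ["captcha_1", "captcha_2"]) {
    const count = params.getAll(name).length;
    if (count !== 1) {
      return { ok: false, reason: `${name} sent ${count} times` };
    }
  }

  // captcha_1 is set by the page's script; any other value means the
  // script did not run or the client overwrote the field.
  if (params.get("captcha_1") !== EXPECTED_VALUE) {
    return { ok: false, reason: "captcha_1 has unexpected value" };
  }

  // captcha_2 is hidden by CSS, so a person never types into it.
  if (params.get("captcha_2") !== "") {
    return { ok: false, reason: "captcha_2 is not empty" };
  }

  return { ok: true, reason: "passed" };
}

// Constructed sample submissions.
const samples = {
  browser: "name=Ann&comment=Nice+post&captcha_1=filled+in&captcha_2=",
  fillsEverything: "name=x&comment=spam&captcha_1=spam&captcha_2=spam",
  runsJsIgnoresCss: "comment=spam&captcha_1=filled+in&captcha_2=spam",
  handBuiltRequest: "name=x&comment=spam",
};

for (const [label, body] of Object.entries(samples)) {
  const result = checkHoneypot(body);
  console.log(`${label}: ${result.ok ? "accept" : "reject"} (${result.reason})`);
}
```

Returning a reason alongside the verdict lets rejected submissions be logged, which shows which of the two fields is actually catching spam.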

You could argue that this technique is easily broken if the spambot is tuned to it. However, the assumption is that a spambot doesn't care about this site in particular, and therefore won't tailor an attack against me.


