Searching, I see a trend stating that captchas have progressively become less favorable in the risk/benefit analysis. But I have seen positive comments about honeypots. Plugging what I see into AI, I get a recommendation to use honeypots for basic bots and only use custom captchas when form submission is suspiciously fast or there are too many failed attempts by the same actor. What is currently best practice against bot-form-submissions?
On a side note, I have also seen a comment somewhere about not caring about bot account creations unless part of DOS or DDOS, and to better focus one’s attentions on curtailing the negative effects of bot-created accounts into the area of account interactions. But I do not know how true that is.
I am currently a webdev by necessity with very little experience. Boss wants to protect against bots submitting forms related to creating accounts and filling in account info. Boss is a professional dev but not in webdev and has suggested implementing captchas. That is why I am posting this.
Use reCAPTCHA in conjunction with a honeypot form field. Set the captcha acceptance to low; this should work fine. You can also rate limit the form post method.
Reagan said:
Use reCAPTCHA in conjunction with a honeypot form field. Set the captcha acceptance to low; this should work fine. You can also rate limit the form post method.
Thank you. So, do you mean to set the acceptance low instead of the AI suggestion of selectively displaying the captcha based on whether or not the submission behavior looks suspicious, or do both?
No, I was saying you can use an invisible captcha from Google; it provides a score which can be used to assess the user’s possibility of being a bot. It requires no direct input from the user. You can use this in conjunction with honeypot fields and make a judgment based on your own criteria. Then, as a fallback, use rate limiting if you suspect suspicious activity.
I’d wager you can defeat most bots with a timer. If a form submits in a quicker timeframe than a human could react, make it look like it worked, but secretly discard the submission… I bet you get 98% of dumb bots with that. The remaining 2% are sophisticated attackers, and yeah they’ll likely farm out reCAPTCHA solves to a sweatshop… Only so much you can do without authentication against a known human with MFA or something similar.