Yesterday I implemented Bemba’s new Captcha. This is a test to determine whether a new user on Bemba is human. The purpose of a Captcha is to block form submissions from spambots. This area has seen some developments over the years, and I think we have chosen the best solution available.
Early web applications did not feature a Captcha at all. Registering as a new user was quick and easy - a little too easy in fact. So easy that spammers started using automated programs to register thousands of accounts in a few short minutes. Something had to be done.
The Captcha was quickly introduced and is still the most common test used today. The reason Captchas are so effective is that people can recognize words even when they’re very distorted, but computers still can’t.
In the early days, Captchas were often generated on the fly. I would use the GD library in a PHP script to generate a few characters and show them as a GIF image. A cool development is reCAPTCHA, which uses all these humans’ word-recognition skills to preserve actual historical books. Recently I’ve added more sophisticated tools to my spambot-fighting arsenal, which led me in a different direction.
Since spambots do their “tricks” automatically, they will submit all fields which are present on a form. We have recently seen our first bot, using ‘be14587’ as the value for every field. Throw a few heuristics into the mix, add a form field that is hidden from humans using CSS, and the Captcha image really doesn’t need to be generated from a set of individual characters any more.
This will make registering easier for our users and save us complexity on the server. Win-win!
Our new Captchas will render from a predefined pool of words, instead of being generated from the alphabet. A real word is easier to read than a random string like XjGHygsYGy and much more user friendly too. You will see this new system when we go live.
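The server-side checks described above (the CSS-hidden field, the same-value heuristic and the word-pool Captcha) could look like the following sketch. It is an added example, not Bemba's code: the field names, the word pool and the three-field threshold are assumptions, and only the value ‘be14587’ comes from the post.

```python
import hmac
import secrets

# Hypothetical names: the post does not say what Bemba calls its fields.
HONEYPOT_FIELD = "website"  # present in the HTML, hidden from humans with CSS
WORD_POOL = ("harbor", "lantern", "orchard", "meadow")  # constructed sample pool


def pick_captcha_word() -> str:
    """Choose the word to render; the caller keeps it in the server-side session."""
    return secrets.choice(WORD_POOL)


def classify_submission(form: dict, expected_word: str) -> str:
    """Return 'ok' or the reason the registration is rejected."""
    # 1. Honeypot: humans never see this field, so any value means automation.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot-filled"

    # 2. Heuristic: one token stuffed into every field of the form.
    #    The threshold of three fields (an assumption) avoids flagging tiny forms.
    filled = [v.strip() for k, v in form.items()
              if k != HONEYPOT_FIELD and v.strip()]
    if len(filled) >= 3 and len(set(filled)) == 1:
        return "identical-fields"

    # 3. Captcha word: case-insensitive, compared in constant time.
    answer = form.get("captcha", "").strip().lower()
    if not hmac.compare_digest(answer.encode(), expected_word.lower().encode()):
        return "captcha-mismatch"
    return "ok"


# Constructed sample submissions.
HUMAN = {"username": "aaron", "email": "aaron@example.org",
         "password": "correct horse", "captcha": "Lantern", "website": ""}
BOT = {k: "be14587" for k in
       ("username", "email", "password", "captcha", "website")}
# With the honeypot left empty, the identical-value heuristic still applies.
BOT_EMPTY_HONEYPOT = {**BOT, "website": ""}

if __name__ == "__main__":
    for name, form in (("human", HUMAN), ("bot", BOT),
                       ("bot-empty-honeypot", BOT_EMPTY_HONEYPOT)):
        print(name, "->", classify_submission(form, "lantern"))
```

The expected word has to stay on the server (for example in the session); sending it to the browser in a hidden field would let any client answer the Captcha without reading the image.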
As a bonus, Aaron has come up with a few easter eggs, if you will: words that have special meaning to Bemba and its environment.
