-1

Are there any tools available to test the effectiveness of user Turing tests such as CAPTCHAs or honeypots, without intentionally getting the site targeted by spam bots?

Or, do I simply have to implement a solution, deploy to production, and watch the results while hoping for the best?

kalina
  • 3,354
  • 5
  • 20
  • 36
Martin
  • 121
  • 7
  • 1
    Here is a very simple CAPTCHA-effectiveness test you can do yourself: Step 1. Browse to your site. Step 2. Check if there is a CAPTCHA on the site. Step 3. If you do have a CAPTCHA, then you know it is not effective. -- It is really that simple: any CAPTCHA you might have is NOT effective, anyway. Don't bother checking anything else. – AviD Dec 28 '14 at 13:44
  • @AviD What do you think of this:http://venturebeat.com/2014/12/03/google-boils-down-the-captcha-to-a-simple-checkbox-to-prove-youre-not-a-bot/ Also see: https://www.google.com/recaptcha/intro/index.html – makerofthings7 Dec 29 '14 at 16:43
  • @AviD From your profile, it looks like you're a security expert/specialist. What about CAPTCHAs is ineffective? What do you recommend as an alternative? – Martin Dec 29 '14 at 17:31
  • 1
    @makerofthings7 yeah, seen that, but haven't looked at it in depth yet. It does look potentially interesting, and likely to actually be based on GOOD solutions. I also think it is likely that they will soon jump to the next step, and forgo the checkbox too.... – AviD Dec 30 '14 at 08:54
  • 1
    @MartinCarney it depends on the context, and what you are trying to protect. Most often, a simple rate throttling mechanism on the server is all you need - assuming you are trying to prevent misuse and flooding your site's features, which is irrelevant of being a human or not. See also my answers here: http://security.stackexchange.com/a/790/33 and http://security.stackexchange.com/a/22930/33. – AviD Dec 30 '14 at 08:56

1 Answers1

0

Without testing captcha systems yourself, you must rely on the results others have already gotten. Any method is subject to the uncertanties of future developments on both sides of the arms race between captchas and bots, so basically you are just looking for whatever the best available technology is right now. Examples of that today are:

Of the two, I'd suggest KeyCaptcha as the better (stronger) alternative.

I'm assuming above that you just want to find a good captcha system quickly and easily. But if you're interested in the technical details so you can spend time coding your own captcha system, then go take a look at the "KittenAuth" overview at http://thepcspy.com/read/the_cutest_humantest_kittenauth/

Martin
  • 121
  • 7
commenter8
  • 11
  • 1
  • 2
    This question is about tools to *test* a captcha's effectiveness, not to solicit suggestions for captchas to use. – Martin Dec 29 '14 at 16:28