Honeypot vs Captcha, Which is Better?

   For those who operate their own websites that allow guests to register for an account to leave comments, sign up for services, or post in forums, one of the first problems you have to deal with is spammers.  Two years ago, I built a site for OmniKraft.  This was actually the first large-scale website I've developed and designed.  All the ones before were either static HTML pages or only offered basic features.  Before I built this site, OmniKraft's website needs were provided by Enjin.

   Within the first 24 hours of publicly launching the site (changing the DNS records), the site was hit with dozens of spam accounts and dozens of posts that I had to clean up.  I had thought that an email verification system was enough for my small site, but it wasn't.  I quickly found a CAPTCHA plugin to secure the registration process.  I learned the hard way (on a small scale, fortunately) that I need to take a serious stance on protecting the sign-in process.

[Image: Google's non-CAPTCHA CAPTCHA system.]
   With a standard CAPTCHA setup and a spammer detection plugin, the two actually did a great job keeping spammers out.  Maybe once every three months, a spammer would get on and have to be cleaned up, but it mostly did a good job.  Then I listened to a podcast that talked about a honeypot system.  For those unaware of what this is, a honeypot in terms of technology security is something that attracts the attention of someone who means to do something bad so they can be caught.  An example of this in Minecraft (I'm a big Minecraft fan, so there. :P) is placing high-value ore blocks, like diamond, in an area that someone using an X-ray mod (which lets them see through the ground to find valuable items) will see.  When they go for it, it's recorded who took it so they can be banned for using a cheat.  If you want a boring explanation, here is a link to Wikipedia.

   Why did this podcast bring up using a honeypot registration system over a CAPTCHA?  The first reason is that it's less work for a valid user to register for the site.  Instead of having to use a CAPTCHA (some of which are a huge pain to use) and trying to solve it, they just register with no extra prompts.  "But where is the honeypot part?"  Yeah, yeah, I'm getting there.  The honeypot is actually invisible to a legitimate guest.  The honeypot is there for the spam bot.

   In case none of you have had to deal with spammers, they are rarely humans.  It's much more cost effective to use a robot (they took our jobs! -South Park), and when a robot sees a honeypot registration form, there is an extra field.  The plugin I have in place creates a hidden text field when someone wants to register an account.  This is hidden from a person, but a robot scans the HTML code and sees a text field.  A typical bot will see this text field and respond by posting some kind of automated information in it.  Registration forms aren't all the same, so these bots are designed to figure out what fields there are and fill in plausible information.  When a bot sees this honeypot field, it'll add something, assuming it's a valid field.  When the honeypot plugin sees that the field is filled, it rejects the registration.

[Image: Give me some of that tasty honey.]
   Pretty neat, eh?  While a human can't see or input anything in the text field (unless they really wanted to), a robot will, and that act will prevent it from succeeding.  "But what if the bot is smart enough to avoid that?"  Shush, I'm telling the story here!  This plugin also allows me to set up a minimum time that must elapse between the form being loaded and the registration being submitted.  If the form is completed sooner than that, the registration is rejected.
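To make the two checks concrete, here is an added example of how a server-side honeypot check like the one described above can be written; it is my own illustration, not the plugin's code, and the field names, the 5-second minimum, and the HMAC-signed timestamp are my assumptions.  The signed timestamp is there so a bot cannot simply post an old timestamp to satisfy the minimum-time rule.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed names and threshold for this example; a real plugin chooses its own.
HONEYPOT_FIELD = "website"     # hidden from people via CSS, but visible to a bot parsing the HTML
TIMESTAMP_FIELD = "form_ts"    # when the form was rendered (seconds since the epoch)
SIGNATURE_FIELD = "form_sig"   # HMAC over the timestamp so it cannot be backdated by the client
MIN_SECONDS = 5                # a person needs at least this long to fill in the form


def _sign(ts: str, secret: bytes) -> str:
    """Tag the timestamp with a server-side secret so the client cannot forge it."""
    return hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()


def render_registration_form(secret: bytes, now: Optional[float] = None) -> str:
    """Return the HTML fragment the server embeds in the registration page."""
    ts = str(int(now if now is not None else time.time()))
    return (
        '<form method="post" action="/register">\n'
        '  <input name="username">\n'
        '  <input name="email" type="email">\n'
        '  <input name="password" type="password">\n'
        # Honeypot: pushed off-screen, skipped by Tab, ignored by screen readers.
        '  <div style="position:absolute;left:-10000px" aria-hidden="true">\n'
        f'    <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">\n'
        '  </div>\n'
        f'  <input type="hidden" name="{TIMESTAMP_FIELD}" value="{ts}">\n'
        f'  <input type="hidden" name="{SIGNATURE_FIELD}" value="{_sign(ts, secret)}">\n'
        '  <button>Register</button>\n'
        '</form>'
    )


def check_registration(form: Dict[str, str], secret: bytes,
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Run before an account is created.  Returns (accepted, reason)."""
    now = now if now is not None else time.time()
    # 1. Honeypot: a person never sees the field, so any content means automation.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    # 2. The timestamp must be present and carry a valid signature.
    ts = form.get(TIMESTAMP_FIELD, "")
    sig = form.get(SIGNATURE_FIELD, "")
    if not ts.isdigit() or not hmac.compare_digest(sig, _sign(ts, secret)):
        return False, "missing or tampered timestamp"
    # 3. Minimum fill time: bots typically submit within a fraction of a second.
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return False, f"submitted after {elapsed:.1f}s, minimum is {MIN_SECONDS}s"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-secret"   # constructed; load from configuration in practice
    print(render_registration_form(key, now=1_000_000))
    # Constructed submissions: a bot fills every field it finds and posts immediately.
    bot = {"username": "x", "email": "x@example.com", HONEYPOT_FIELD: "http://example.com",
           TIMESTAMP_FIELD: "1000000", SIGNATURE_FIELD: _sign("1000000", key)}
    human = {"username": "ann", "email": "ann@example.com",
             TIMESTAMP_FIELD: "1000000", SIGNATURE_FIELD: _sign("1000000", key)}
    print(check_registration(bot, key, now=1_000_000.4))
    print(check_registration(human, key, now=1_000_042))
```

The honeypot input is hidden with CSS rather than `type="hidden"`, because a bot that skips hidden inputs would skip the trap too; `tabindex="-1"`, `autocomplete="off"` and `aria-hidden` keep keyboard users, browser autofill and screen readers from filling it by accident, which is the main way a real person trips a honeypot.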

   The results?  I've had a honeypot-protected registration and password reset for about three months now and haven't had any new spammers.  It's still a bit early, but so far I like offering an easier-to-use service for my visitors while also keeping their experience spam free.  Which is better?  Neither, actually; it all depends on your needs.  The CAPTCHA system wouldn't be as successful as it is (with minor changes and adjustments over time) if it didn't work.  It's been around for many years now and everyone is used to it, but just because everyone uses it doesn't mean it's the best solution.  For me, a honeypot is simpler for my visitors and has done just as good a job (so far, a bit better) as the CAPTCHA I was using before.

   Regardless of which choice you go with, do some research for the CMS platform of your choice on how to implement either a CAPTCHA or a honeypot.  I would suggest giving both a trial too.  As long as they are properly configured and adjusted over time, both will help you provide a spam-free experience.

About Jimmy R. Tassin

Jimmy Tassin is the IT Manager of Midwest Regional Bank and has been involved with the Technology field for over thirteen years. His two hobbies are overseeing the daily operations of OmniKraft, a Minecraft server community, and writing at Goblinbyte.com.