Hi all,

Just wondering about the ergonomics of applying a bit of upfront REAL user (one word!!) validation by means of grapical charachters (Captcha image) that the user has to input in order to continue. my thoughts were based on the idea that spam robots could create user accounts on a system and then subsequently login and create threads and posts in an uncontrolled manner (ok, i know i could admin delete the user once it came to my notice, but bear with me). i was thinking that it may be good practice to require the graphical challenge on the following levels:

1. on frst registering, you are challenged to input the characters
2. on creating a new thread you are challenged
3. on creating your FIRST post, you are similarly challenged

the first two seem like no brainers to me. however, the 3rd one could still be open to abuse as the first post could be manually created, then subsequent posts 'injected' (not in the sql injection sense) programatically (i know this becuase i do a similar thing to supply info on a request basis to a finacial bb) onto the site. this brings me to the 'extension' of the idea proposed in #3. is it likely to put users off if there was a random element introduced into posting whereby randomly (either on a posts basis or a time basis), the post that you were creating would require a response to the graphical challenge?? from that point on, until the user entered the matching keys, all subsequent post requests would present the challenge again. once the challenge was met, then the user would be back in normal 'freestyle' posting mode.

i know it sounds a bit rambly but it's just a braindump really :)

thoughts on a postcard!!

jim

Edit]

Captcha - Wikipedia's Definition: (acronym for "completely automated public Turing test to tell computers and humans apart")

__________________
jimi

http://www.originaltalent.com

as an aside (and related to captcha), here's acouple of different approaches in .net to the issue:

http://www.eggheadcafe.com/tutorials...a-control.aspx

http://www.codeproject.com/aspnet/CaptchaImage.asp

the egghead one is actually pretty clever and uses htnl as an image - sounds rough but give it a look

jim

This is a sweet idea:

http://research.microsoft.com/asirra/

Eric

Seems like overkill to me. I'm struggling to get participation in my demo site. Anything that makes participation harder seems unwise. Now of course if I get attacked I will likely change my tune but that seems improbable now.


Pat

http://weboperahouse.com

There is a fine line between protecting your site from bots and spam and user expereience and, personally, I will err on the side of letting some spam through then giving the user a somewhat tideious experience.

At most, I would use a CAPATCHA on registration AND require the user to activate their account via an email. This should limit the amount of BOTS you have hitting your site and creating accounts and, unless someone has got clever enough to write a bot that logs into a predetermined email account and follows the register link, you can be fairly certain that a real person will still have to activate the account.

Not 100% bulletproof (nothing on the Net is after all) but some protection is better then none right? ;]

Also, that link to microsoft actually isn't a bad idea. I will have to read up on that.

================================================== =========
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
^^Took that from planoie's profile^^
^^Modified text taken from gbianchi profile^^
================================================== =========
Technical Editor for: Professional Search Engine Optimization with ASP.NET
http://www.wiley.com/WileyCDA/WileyT...470131470.html
================================================== =========
Why can't Programmers, program??
http://www.codinghorror.com/blog/archives/000781.html
================================================== =========

i think you're prolly right (and likewise, pat above). the fine line between keeping the user experience smooth ergonomically and keeping the user experience positive re content is quite delicate. i might use CAPTCHA for the initial registration and 1st ever post. that way, if the registration is cleverly crafted, then the 1st post will have to be too. of course, there could be a small army of 'human' bots primed to do this stuff, but for the venture that i'm working on, this will perhaps be unneccessary :D

jim

i´vw found a very easy to implement captcha in the code project page.

http://www.codeproject.com/aspnet/CaptchaControl.asp

Just add the dll into your project and then drag and drop the control from the toolbox.