Use plain html to protect forms from automated submission. It works and has no overhead whatsoever to the forms.

Cheers,
The WebVisum team

I’m not a security expert, but as a web developer am aware of the issues and agree a good spam filter is far better than capchas! Also simple things like email varification for login accounts can help. Time filters preventing repeat posts in short intervals from a single user is another technique I’ve seen used.

My bank uses both user defined password and random questions pre-defined by the user on account setup. The account setup requires both email varification and postal address varification. I’m sure there is much research being done from finance institutes which could be useful for other web applications.

it’s this one.

http://unknowngenius.com/blog/wordpress/spam-karma/

it works.

Not being a security specialist and understanding all the issues, implications and problems involved in securing a system I’m not sure I can give a fully balanced reply (if there are any security bods out there I’d be interested to hear your views). What I can say is that from an accessibility perspective CAPTCHA doesn’t seem to be doing it for the user regardless of if you have a disability or not - Wilco’s comments about usability duly noted.

The problems really lie in the very essence of what CAPTCHA’s are “Completely Automated Public Turing test to tell Computers and Humans Apart” the emphasis obviously being distinguishing between humans and software which of course is what screen readers are. The Carnegie Mellon University, the inventors of CAPTCHA, have publicised on their site captcha.net that they’re trying to perfect audio CAPTCHA however it seems to me that maybe a different solution is needed altogether. Both visual and audio CAPTCHA’s have problems which does give rise to the question of can accessibility and CAPTCHA really ever go hand in hand?

I’m inclined to say that as spam is an industry wide problem and a problem for the Internet in general there needs to be industry wide collaboration to look at alternatives to for securing the web. In fact I read today that Dr Larry Roberts, who led the team that designed and developed the web’s precursor, Arpanet, has warned that the Internet is heading for a fall and there are serious issues around security and user authentication. Again, I think this points to the need for governments and industry to work together to solve the problem and not necessarily individual organisations. It would also help turn the tide of CAPTCHA’s becoming the de facto security option of choice as Catherine pointed out.

Possible ways forward are openID’s, certificates and passports and such. That said I am not a security specialist so couldn’t comment on the issues around implementing these.

It comes dpown to the need for sites/companies to think about how users use their sites and how, if necessary, they can provide an alternative way of accessing their services. Too often it seems people treat their websites like some piece of abstract technology and not a means of providing services to/communicating with people - a means which should be complimented by other means.

One more point - Henny - “for every airline, ticketing or retail site that has CAPTCHA there’ll be another that doesn’t…” Maybe at the moment but captcha seems to becoming standard which is worrying.