Why you should always use a CAPTCHA
30 Dec 2010

asp.net captcha mvc

Having Googled the question "should I use Captcha on my site" I was presented with quite a few blog entries arguing that any benefits acquired from implementing a Captcha are sometimes outweighed by the disadvantages. The main points being:

  • Captchas frustrate users to the point where they may choose not to leave feedback for your blog. How many times have you been asked to complete a Captcha and required a couple of attempts to get it right? Annoying, yes?
  • Captchas don't work. Sad but true, it doesn't take much to get past a Captcha with various algorithms available if someone was really determined. Also, at the end of the day, there is nothing stopping a human being coming along and posting whatever feedback they want.
  • Is your site realistically going to be targeted by a malicious script? Let's face it, unless you are Google or Facebook, what are the chances that your site is going to be singled out for attention?

This all sounded reasonable to me, so I removed the Captcha solution I had implemented for this blog. Bad idea!

Firstly, Captchas do work. Maybe they can be cracked, but a majority of the automated attempts to post feedback will simply be trying to auto-complete your form fields and submit the form. In which case your Captcha will work!

Secondly, it doesn't matter how small your readership or online presence is; you will eventually come to the attention of a malicious script or two.

So, in the end, it really comes down to a balancing act between your users' frustration and your own frustration. No Captchas will make it significantly easier for users to leave feedback. However, it will also mean you will constantly be removing automated feedback. If you are like me, the turnaround time from someone leaving a comment to comment moderation is usually a couple of hours. That means for a couple of hours the automated feedback is going to be shown on your site, making it look very unprofessional... and potentially embarrassing.

At the end of the day, I prefer to have the Captcha. I have no doubt that over the years more than a couple of people have wanted to leave feedback on my blog and have abandoned their attempt after typing the wrong Captcha. However, the alternative is either not publishing feedback until it is moderated (I don't think I need to write a blog entry to explain why that would frustrate your users) or being on hand 24-7 to moderate.

The Captcha solution implemented here is courtesy of ASP.NET MVC Captcha and I don't plan on removing it again anytime soon.

Update Jun 14, 2011: I have currently removed the Captcha implementation from this site as I am trialling a different method of spam protection. You can learn more about this new method at Hidden Form Fields to Prevent Bot Spam. I have read both positive and negative comments about how successful this has proved on other sites and will update this article further depending on the outcome of my own test.