To add or not to add a reCaptcha. What are my options?

23 Oct

To use a Recaptcha or not.
For most web developers this is a no-brainer: you always include a reCAPTCHA on a web form, and in most cases this is the quickest and most effective way to stop form-generated spam.

It has been suggested that there are alternatives that can be effective and still allow flexible design opportunities as well as a smoother user experience. It has been my experience that alternative measures alone are never effective enough at the enterprise level.

Automated web spam is not new.  Bots have been creating spam since the invention of the online form and in that time the ‘sophistication’ of these bots has increased to a level at which there isn’t a reasonable way to 100% guarantee they will not get through your choice of filter.

As described in this study, even Google's reCAPTCHA v2 can be beaten by a specialized bot about 40% of the time, taking roughly twenty seconds per solution. There are even reCAPTCHA-solving services that use humans to solve the reCAPTCHAs, claiming a rate of one every 15 to 25 seconds at a cost of around $2 per thousand solved.


The fact that these bots take 20 seconds to solve a reCAPTCHA roughly 40% of the time is actually good news for most websites. Twenty seconds is too long for this kind of sophisticated bot to waste overhead on totally random, low-priority targets. As a result, for most websites the reCAPTCHA is very effective at stopping spam.

Other methods for reducing spam may work against less sophisticated spam bots, the kind that do not carry the overhead required to beat the reCAPTCHA. These bots are not picky; they scan the web for vulnerable forms to attack. Once one is successful, a continued onslaught of spam can be expected. Methods such as hidden form fields, timestamps, client-side JavaScript checkboxes, or sliders may work for a short time, but very often the site will be discovered by a more sophisticated bot and an inbox full of spam will be the result.

The benefit of reduced spam through your contact form will far outweigh the design limitations or customer inconvenience incurred by using a reCAPTCHA field. If you have ever experienced Google's new noCaptcha reCAPTCHA (2014), you know that it is far less inconvenient than the original Captcha. Design limitations still exist, but this is a small price to pay to not have to sift through hundreds of spam emails interspersed with legitimate customer contact attempts. A reCAPTCHA field on a form is so commonplace these days that it is an expected inconvenience of filling out a contact form.

There are other places on a website where a reCAPTCHA is necessary. Wherever there is an opportunity for input from the user on your website, a malicious bot or spider has the opportunity to abuse it.


When conducting online polls, a reCAPTCHA field is necessary. Online polls are targets of malicious hackers trying to influence poll results. A simple reCAPTCHA can help reduce this kind of activity, making your poll more accurate and the information collected more useful. The combination of a reCAPTCHA, IP address log, and cookies can be an effective method for reducing multiple polling attempts.

Comment spam is a problem when your blog is left unprotected.  Malicious programs attempt to post links on your blog to nefarious websites. If you are using the blogging platform WordPress there are many effective methods to reduce or eliminate blog spam. Akismet comes installed with WordPress by default.  Once activated, spam that makes it through Akismet’s filter can be marked as spam by the user. Information is sent to Akismet and added to the community-created database, increasing its effectiveness.  Drupal and Joomla also have modules to reduce comment spam.  The combination of these methods and a reCAPTCHA is very effective at almost eliminating spam entirely.

Dictionary attacks are attempts to crack a password by trying words from a very large list of possible passwords. A brute-force attack is similar, except that it will try every single possible combination of letters and numbers. These kinds of attacks require the ability to attempt the different passwords repeatedly. While a reCAPTCHA will stop the automated attack most of the time, simply not allowing a password to be entered more than three times incorrectly in a short time frame is usually enough to make a successful attack take twenty years or more.
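The lockout rule described above can be sketched as a sliding-window counter of failed logins. This is an added example, not code from the original post; the class and function names are hypothetical, and the 300-second window is an assumed value for "a short time frame".

```python
import time
from collections import deque

MAX_FAILURES = 3       # "more than three times incorrectly" (from the text)
WINDOW_SECONDS = 300   # assumed length of the "short time frame"

class LoginThrottle:
    """Sliding-window lockout on failed logins, keyed by account name."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures, self.window, self.clock = max_failures, window, clock
        self._failures = {}  # account -> deque of failure timestamps

    def is_locked(self, account):
        q = self._failures.get(account)
        if q is None:
            return False
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:   # forget failures older than the window
            q.popleft()
        if not q:
            del self._failures[account]
        return len(q) >= self.max_failures

    def record_failure(self, account):
        # maxlen bounds memory: only the newest max_failures entries matter
        q = self._failures.setdefault(account, deque(maxlen=self.max_failures))
        q.append(self.clock())

    def record_success(self, account):
        self._failures.pop(account, None)

    def days_to_try(self, guesses):
        """Minimum days needed to make `guesses` attempts on one account."""
        return guesses / self.max_failures * self.window / 86400

def attempt_login(throttle, account, password, check_password):
    """Return "locked", "ok" or "denied".

    A locked account is refused before the password is checked, so guesses
    sent during the lockout tell the client nothing.
    """
    if throttle.is_locked(account):
        return "locked"
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```

Keyed per account, this also lets anyone who knows a username keep that account locked, which is one reason to pair the rule with the reCAPTCHA rather than rely on it alone.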

‘To add or not to add a reCaptcha’ – always add one unless you like reading through spam.


Want to learn how to install the latest noCaptcha reCAPTCHA from Google?  Click here.

Want to know more about reCAPTCHA?  Here is a great TED talk.
