Alternative solutions to using Captchas.

Some people say “captchas are a necessary evil” I prefer to think of them as just plain evil. Cruella DeVil evil.

Everyone hates them, we don’t need to get into why they suck here, we all know, we’ve all experienced the pain. This article will be about alternatives to using captchas. I’ll just state briefly that capchas are a barrier to user interaction. Most users associate them with frustration or time wasted based on past experience. (Never mind that they are easily hacked) Given that statement, solutions outlined in this article will conform to this short checklist:

  • Solutions must be unobtrusive to the user
  • Solutions should result in as little maintenance as possible, we don’t want to review every comment
  • Solutions will not rely on user accounts

And with that out of the way, lets dive into the solutions.

Render a fake form, then replace it

Have the initial returned HTML contain a fake comment form, and then replace it using JavaScript afterwards. Spam bots crawling the web might see your initial form and try to take advantage of it. If it points to a different URL than the real one, and you can dismiss those requests right away without even glancing at them. You may even want to return a success page so the bot thinks its succeeded with its devious intentions.

Multi-step submission processes

Using JavaScript so as to be unobtrusive to the user, make form submissions a multi-step process. An example would be on form submission first requesting a token (that probably expires within few seconds) that you then send along with the actual form data in a second request. Again this is easily defeated, but the bot has to specifically handle this situation or it will stop dead in its tracks, or it may even think it has successfully submitted the form.

If you want to get really clever, the first request for a token may return a full “success” HTML page that has a token hidden within it.

Add a dummy captcha field

I love this one because it actually puts captachs to a good use, it’s quite ironic. Put captcha fields into your form, and then hide them with either CSS or JavaScript so that the user never sees them. On form submission have the validator verify that the captcha input field is blank. A bot might come along and solve the captcha (they are pretty good at that) but this only proves they aren’t human.

Randomize form field names

Generate each form with unique field names every time it is rendered. For example, rather than:

<input name="email" type="text">

generate a random name like this:

<input name="786AgdYdsDj+gh8$dfg" type="text">

You will need a server side solution for tracking which random name is for which field, but that’s fairly trivial. If you get an email address in the author name field you might have caught a spam bot. (But don’t assume for sure!)

One time use forms

Forms generated on the server should be valid for submission only one time. How do we do this? Use a nonce. By providing a unique token (that we can verify we created) in each submission, we make sure no form is submitted multiple times and that the form submitter visited our web page first. Example:

<input name="nonce" type="hidden" value="my-random-nonce-value">
<input name="nonce-timestamp" type="hidden" value="12000400045">

For more information about using nonces see A Guide to Nonce

Track the time between form rendering and submission

Computers tend to do things very quickly, way faster than a human ever could. By tracking the number of seconds that pass between the time that we render the form till it gets submitted back to the server, it will give you a hint as to who is submitting the form when the response time is way too short.

Remember email/IP combinations

Once a submission is received server side you can compare the users email address (assuming your form supports one) and their IP address against past submissions. If you find a matching non-spam entry and/or no matching spam comments, that information is an indication that this may not be one either.

Monitor IP addresses for abuse

Track the source IP of form submissions, if you are seeing a lot of submissions from a single IP address in a very short period of time you may be faced with a spam bot. Worse you might be under a DOS attack.

Allow users to flag comments as spam

Adding a simple “Flag as spam” button to all displayed comments allows visiting users to flag inappropriate comments for review. Its a simple solution to recruit a little human help.

Math problems, that don’t require user input.

Some sites require users to solve a simple math problem, eg: 2 + 2. These can be less frustrating then traditional distorted word captchas, but they still fail our first requirement, its an extra step for the user. An alternate approach to this solution is to provide a math problem in hidden form field. Take the following example:

<input type="hidden" name="math-test" value="2+2">

The server could expect to receive the value of this field to be replaced with its solution. The problem should be solved using JavaScript rather than by the user. Perfect? No. This is very easily beat by a spam bot, but its an extra barrier that the bot might not be prepared to handle.

After submission check fields values for likely spam

Akismet is a great third party solution that will analyze comments to determine if they are spam or not. Its free for personal use, and fairly reasonably priced for businesses. If you can afford it this is your best friend, if not you can implement a simple mechanism to help you detect possible spam. For example, consider flagging comments that contain external links for further review.

This solution catches one case that none of the other ones mentioned here do, real people people manually entering spam. Jerks.


No one of these solutions are perfect, they can be targeted and beat, but with the combination of multiple strategies we can reduce the amount of spam that slips through, and drastically improve the experience both on the user & the maintainer. And after all, that should always be our number one goal.

Do you have have a favorite spam barrier? Add it below in the captcha free comment form. (No spam please.)


web-developer, programmer, UX, development, code, programming, application design, nonce, web-security


Comment functionality has been disabled. Contact me on Twitter.

Emanuele said:

Another not perfect way it

Tyler Egeto said:

Thanks for sharing Emanuele, I haven’t seen keypic before. It looks like it is working similar to Akismet with the combination of a nonce, though I’m not 100% sure. Another one for the list anyways.


Browse All >