Yeah, if you get any kind of traffic at all, and some script kiddie discovers that they can fill your disk quota with fake accounts, they will. I recommend reCAPTCHA (http://recaptcha.net/whyrecaptcha.html), since it's free and easy.
Seconding the reCAPTCHA recommendation - I can't think of a way to make it any simpler than this. It even works if you're developing from localhost.
I put off implementing our captcha for a long time, believing that it would take a day of research, implmentation, testing, debugging; with reCAPTCHA and ambethia's Rails plugin (http://github.com/ambethia/recaptcha/tree/master), it took less than half an hour.
I'm thirding recaptcha, only because most people who roll their own captcha solution somehow forget that there are some people out there who can't read or see captchas for whatever reason. Meanwhile, recaptcha takes care of most problems with reloads and audio captchas.
If I see a form, I instantly decide whether it's worth filling in based on how much I want to pass it. And I often press the back button when I'm feeling lazy.
…captchas really don't help.
Don't fix a problem until it exists, and even then try and find an alternative method to fix it if it may negatively affect your users.
We go on and on about premature optimization in our code; why do that in your signup process? If and when it becomes a big issue, sure, add a CAPTCHA. But until then, why?
I don't use a captcha on my site and I've never had an issue. I wouldn't worry about it until the problem arises. If your site is just starting out you want to keep that barrier to participation as low as possible.
Limiting new accounts to, say, 20 per day per IP should severely mitigate most attacks, especially the ones not specifically targetted at your site. For the targeted ones, deal with them as they come up, in a more or less manual way. You don't want to have 10000 new fake account creations per second but you don't need to bother your legitimate users with overly annoying measures like Captcha.
I've seen a couple of friends complain about captchas that they're a pain to fill in. They definitely don't make the signup process any simpler. I've seen some sites use simple math questions, like "what is 2 plus 5" or something like that. Don't know how effective they are in stopping spam, though.
18 comments
[ 3.3 ms ] story [ 50.0 ms ] threadLOL, I guess.
I put off implementing our captcha for a long time, believing that it would take a day of research, implmentation, testing, debugging; with reCAPTCHA and ambethia's Rails plugin (http://github.com/ambethia/recaptcha/tree/master), it took less than half an hour.
…captchas really don't help.
Don't fix a problem until it exists, and even then try and find an alternative method to fix it if it may negatively affect your users.
We go on and on about premature optimization in our code; why do that in your signup process? If and when it becomes a big issue, sure, add a CAPTCHA. But until then, why?
I wouldn't add one unless you need one, based on what you're seeing for your own app.
I strongly recommend storing the ip address and the signup datetime. It makes finding and deleting spam accounts easy.
And captchas (or any other additional signup question!) decreases signups pretty significantly
There are lots of captchas to implement in a couple of hours, and people are used to filling them out. It seems like a no-brainer to me.