Website Security: To CAPTCHA Or Not To CAPTCHA

Good morning internet fans, Ryan Perry here, Simple Biz Support. Today is Thursday, February the 11th, therefore it is Internet Marketing Thursday, and as usual I have Virginie Dorn with Business Website Center down in beautiful Petaluma. Good morning Virginie.

Virginie Dorn: Good morning Ryan, how are you?

RP: I’m doing great, thank you, the weather in Northern California is, we’re hittin’ low 70s, high 60s this week so I can’t complain.

VD: Oh. That’s been good. I know it reached 76 over the weekend and we’re still in winter. Loved it, loved it.

RP: Yep. At the same time I’m hoping that we do get some more storms, clouds. I haven’t been to Tahoe yet so I need some fresh snow so I can get up there and do some snow skiin’.

VD: My husband is in Tahoe right now.

RP: Very nice. We could probably talk about Tahoe for awhile just because it’s so beautiful up there, but we’re actually going to talk about CAPTCHA. And as most everybody knows, if you sign up for something, if you’re trying to give information, a lot of times you can’t just hit the send button but you gotta also fill out the little thing that says “I’m not a robot, I’m actually a real person.” Sometimes it might be a picture of a home address and you gotta type in the numbers, it could be squiggly-wigglies. We’re going to talk about all that fun stuff today, why it’s important, how you should use it, and where you should use it on your website.

VD: Yes. So we can get started on why you should use it on your website. If you have a good web designer, he should have been asking you, or she, “Do you need a CAPTCHA on your form or login page?” And CAPTCHA, again, that’s a security code; CAPTCHA is the technical word behind it. Many people call it a security code, whatever you call it, it is that annoying thing you have to fill out before you send your form. But this is to protect the site owner primarily from being spammed by email, so that applies to contact forms. But it also applies to login pages or sign-up pages, and it’s especially true if you offer free membership and registration on your website. If it’s free of charge and you’re not processing any payment, a spam bot can go over and create 1,000 free registrations and create quite a mess in your database with all those free memberships that have no value. So the CAPTCHA is one level of security you can add to that login or sign-up page to prevent that kind of robot from doing damage. But they’re not all created equal. Actually, on average it still takes about 10 seconds for someone to enter a proper CAPTCHA and be able to be sent through to the next page. 10 seconds is a long time, none of us have that patience. But there are now new CAPTCHAs that one can use that are so much better than the old days.

RP: Well let’s also talk about the fact that CAPTCHA’s evolved, and part of that evolution is the fact that people have been able to break CAPTCHA in the sense that they’ve been able to figure out a way of automating how to fill in the form, or I don’t know how they do it ’cause I’m not one of those security guys, but they’ve been able to break the code essentially.

VD: That’s correct, so that’s why CAPTCHA has evolved. At the very beginning it was fairly easy to enter ABC, 123; it was easy to read. And then those bots were able to guess what the image was, and then it became really weird and distorted with lines across, to a point where human people like you and I could not understand what the CAPTCHA was, and had to refresh or try multiple times to fill it out. Again, it went from really easy to read to super-complicated, and now we’re going back. We’re going to a completely different way of doing it which will, I’ll be showing you samples of the evolution from bad to good to better, and the new and best from Google themselves.

RP: Yeah. And the evolution’s really important because especially if you’re trying to sell a product or, again like you talked about, maybe a free sign up, it’s really important that you CAPTCHA that person. If any roadblock along the way is going to decrease the number of people that convert on your website, in a 10 second delay you’re going to piss off a lotta people and that’s really going to hurt you. At the same time, where’s the value of being spammed consistently? So I love the fact that it’s getting easier and they’re making the technology better. It’ll be interesting to see with some of these new ones that you’re going to talk about, how the hackers are going to get around it if they can.

VD: Yes. And I want to add something more. The reason site owners primarily do it is to not be spammed and not fill up their box. But worse than that, your contact form can be hijacked by a hacker if you don’t have a proper CAPTCHA in place, and be used to send email, like a thousand emails to a bunch of people from a stolen email list. So it’s like they took your car for a joy ride and then brought it back to you. The problem is when your web mailer, which is your form on your website, is being used that way, you reach your limit of emails being sent through your server very quickly. So within 10 minutes you might have had 10,000 emails go through your web mailer and you don’t even know it happened because they were not sent to you. They just used your form to send their messages. And then that means for 24 hours you’re not able to send a single email; you have to wait that full 24 hours to clear the server, 99% of the time. And then if it happens again the following day it means your email program is out of commission because again, they are using your form without you even knowing it. So again, CAPTCHA is a must-have, it is not a question of if you should or should not have it. But I’d like to show you the bad ones because there are some really crazy ones out there.

RP: Yeah, and while you’re pulling that up, the other thing that we’ve touched briefly on is if you have to log into your website, as an example, especially with WordPress. You go to your website, wp-admin. That brings you to it. That’s a vulnerability right there because 99.99% of the websites, that’s where they’re going to go. Hackers already know that. All they have to do is figure out your username and password. Adding a CAPTCHA at that level is going to be another deterrent to keep people from breaking into your website also.

VD: That’s very true. So make sure you add those to the log-in page, very, very important. Let’s take a look at various CAPTCHAs, just Google ‘bad CAPTCHA’. Oh my gosh, there’s millions of them. You have those where you can barely see what it is because the color is so close to it. With symbols, there are so many dots and little symbols, you think, “Is that an I, an L, a T?” And then you go again and again trying to enter them. This used to be a very common one, and I mean that was the most popular one for the last two years. But that’s again old school now because it makes it very hard to read and you have to constantly… That’s the old re-CAPTCHA, to clear, clear, clear. Now this one, I don’t know what they were thinking. Like which words do you want, do you want all of them? Only the red one? Look at LinkedIn themselves, big boys. Really, good luck. This looks not.

RP: I don’t know what language that is.

VD: Looks Russian to me. It looks like the black symbol and the letter A. I mean it goes on and on. And sometimes when people develop a new website, they’re so tired by the time of the end of the development, they don’t pay attention to little things like a CAPTCHA. If you make it hard for people to contact you via your form, they’re just not going to contact you and may say, “I’ll call them later”, and then they never get around to it. So making it as easy as possible to contact you through your form and protecting your login page is extremely important. Now the evolution of CAPTCHA has gone a bit that way. The weird cross, a little wiggly, and then it got a little bit easier, where you can put the same color on the color background, like blue on blue, with straight-line letters or numbers. This is actually hard to break so that got a little bit better. In the past six months at our company, we were using the sum system, which is really foolproof in terms of the script, the malicious script trying to enter your form, where you can say, “What’s one plus one?” That’s two. And then we always joke: if your visitor doesn’t know what two plus three equals, you don’t want to talk to them. They’re not qualified enough to be doing business with you.

VD: But what I want to show you over the next five minutes is the new re-CAPTCHA from Google themselves. This is the method they use, and also, this is a CAPTCHA Google gives away at no charge. You just have to Google it and you can download the file. And they ask you to just click on the little box to prove that you’re not a robot. So very simple. The person actually just needs to click. There’s no more entering of a sum or entering of text or symbols. You actually just click. A few weeks back, I think it was very recent, like a week or so ago, Google added a two-step process. So something must have happened, because it used to be where you could just click on the square and submit your request and you were done. So let’s take a look. This is Google. If you want to submit, let’s say, your website, for Google to review it, you would put your website here. And here is where you will click. You can click anywhere. This is at 100%. I’m just making it a little bit bigger for everybody to see. And it’s as simple as clicking anywhere, and somehow, their algorithm knows you’re not a robot.

VD: But this is the new two-step process, the recently added one, which would actually ask you to read which is, in this instance, a construction vehicle. So you will do this one and this one and then click verify. And as you can see, it turns to that green check mark proving you’re not a robot. Very quick. I just clicked three times. I didn’t have to enter or type anything. Just clicking.

RP: Right. The other thing I like about it, it’s a little bit more engaging in the sense that “Oh, okay, it’s like a quiz. I gotta figure out which one of these are construction equipment.” The downside is there’s definitely going to be some language barriers there possibly as far as people maybe understanding the difference between a construction vehicle and just a car or a truck possibly.

VD: Correct. Yes, again, that second pop-up is fairly recent. I’m assuming they’ve done that because some hackers cracked their algorithm for the single click here. Otherwise, they would not have had the need to do that. But it’s still very intuitive. Out of all the options we presented today, the squiggly, the number combination, the one where you guess from a picture what’s the number on the side of the house type of thing, symbol entering, this is the easiest one to use. And this is the one we actually recommend to all our customers nowadays. It’s that one. It’s very easy to install for your webmaster. You should not be charged anything more than the cost of the form. The CAPTCHA should just be a freebie because, again, it’s very quick and easy to install and works great.

RP: And you said this is a Google product so you just want to go to Google and type in Google CAPTCHA and you should be able to find it pretty easy.

VD: Yes. And it’s called a re-CAPTCHA, which is, I think, if you do CAPTCHA that’ll be the same. And you… They actually have the landing page here that tells you how it works and you can get it by just downloading that file here. And they update it from time to time. And like you and I talked, we love Google products. We think sometimes it’s a bit like the mafia. You get extra bonus points if you’re using every Google product like Google Analytics or Webmaster or whatever. This is a Google product presented by them, given by them. If you use it on your website, I think it can’t hurt.

RP: Right, alright. Definitely. So that is the CAPTCHA also known as re-CAPTCHA and the idea’s to secure either log-in information where people are trying to access maybe it be your website, or you have user access for back end, incorporating the CAPTCHA to keep those bad people out, keep the robots out, and then additionally for your forms. Now, one of the things I didn’t realize is that I always thought if I filled out a contact form, the email was always going to go to whoever, let’s say admin@simplebizsupport, but you’re saying they can actually use your log-in or your form and submit emails to other locations?

VD: Yes, it can be hijacked. Absolutely, it’s happened and the reason… Usually how we find out about it is because our customers will call and say, “Well, somehow I can’t email anymore.” Or “I’ve… My contact form doesn’t work anymore.” And we talk to the hosting provider and they say “Well, 10,000 emails were sent in the last half hour.” That’s when we realize that the form got hijacked and they reached their maximum for the day, and that’s a 24-hour period, so if it happens at 3:00 PM, you have to wait another 24 hours to 3:00 PM the next day for your web forms to start working again. So that could be huge because it’s not just a contact form, it applies to your log-in, registration, sign-up, purchase, anything that processes things like a form will stop working for 24 hours. So if you have a membership site or an e-commerce site and you’ve been hijacked and you’re not on your own server inside your own office, you’re at the mercy of the hosting provider telling you to wait 24 hours for any of them to start working again.

RP: That would be bad for business. And then worst case is that then, if you don’t fix it the hosting company is going to come after you and go, “Look, you’re creating issues on our end. You either need to fix this or we’re going to let you go.”

VD: Yes, yes. Yeah, it can be a nightmare. So just put a CAPTCHA, it is a must-have, just like locking your doors if you have a brick-and-mortar business.

RP: Right. Alright, perfect. So that’s it for today’s show. Another interesting tidbit on security that I don’t think a lot of people talk about, being the CAPTCHA device. Really simple, easy to install, if you’re on a WordPress website there are a gazillion plug-ins. Finding the right plug-in is very important and I actually have a couple of clients who have the re-CAPTCHA when you log in. Every time I log in, I have to do a little mathematical thing before I log in. It’s just a smart way of doing things. So, check out re-CAPTCHA. Google, looks like re-CAPTCHA will get you to their product that they’re offering. If you have any questions or comments, feel free to leave a note below. Virginie or I are always keeping an eye on this information and following up with people. Speaking of following up, I’m going to follow up with you next week. It’ll be Thursday again in seven days so we’re going to have another episode of Internet Marketing Thursday. One of these days, we gotta count the shows and see where we’re at. I don’t know if we’ve… We gotta be close to 100 shows at this point. We’ve been doing this for a while it seems. Virginie, as always I appreciate the time and energy and I will see you next Thursday.

VD: Take care, have a great Thursday.

RP: Thank you. Everybody, have a great week and we will see you next week, same computer, same time.


About the Author:

Ryan Perry is the founder and CEO of Simple Biz Support, Inc. Ryan started video blogging in 2009 as an alternative to written blogs to create visibility and credibility online. During the workweek, he enjoys helping small business owners harness the power of video to grow their companies. On the weekends, he enjoys hiking and searching out waterfalls throughout the state of California.
