WebAIM - Web Accessibility In Mind

E-mail List Archives

Thread: Has anybody come across the "honeypot" technique with respect to accessibility?

for

Number of posts in this thread: 9 (In chronological order)

From: Mike Barlow
Date: Mon, Aug 15 2016 11:58AM
Subject: Has anybody come across the "honeypot" technique with respect to accessibility?
No previous message | Next message →

This technique was just pointed out to me in a separate forum as a way of
preventing form spam:

http://jennamolby.com/how-to-prevent-form-spam-by-using-the-honeypot-technique/

What is the honeypot technique?

The honeypot technique is a fast, effective way to prevent spam bots from
submitting your forms. Spam bots love form fields and when they encounter a
form field they will fill it out, even if the field is hidden from the user
interface. To leverage this, you can create a form field that should be
left blank, but hide it from human users. When the form is submitted you
can check to see if there's a value for the field and block the form
submission.

So I was wondering if anyone on this forum has adopted this approach over
the more common CAPTCHA (Completely Automated Public Turing test to tell
Computers and Humans Apart) approach?

*Mike Barlow*
Web Application Developer
Web Accessibility/Section 508 SME

Lancaster, Pa 17601
Office: 732.835-7557
Cell: 732.682.8226
e-mail: = EMAIL ADDRESS REMOVED =

From: Jim Homme
Date: Mon, Aug 15 2016 12:06PM
Subject: Re: Has anybody come across the "honeypot" technique withrespect to accessibility?
← Previous message | Next message →

Hi Mike,
I have not, and at the same time, I will probably google to see if popular content control systems such as Drupal and WordPress can allow the user to easily create hidden form fields.

Thanks.

Jim


=========Jim Homme,
Accessibility Consultant,
Bender HighTest Accessibility Team
Bender Consulting Services, Inc.,
412-787-8567,
= EMAIL ADDRESS REMOVED =
http://www.benderconsult.com/our%20services/hightest-accessible-technology-solutions
E+R=O

From: Jared Smith
Date: Mon, Aug 15 2016 12:08PM
Subject: Re: Has anybody come across the "honeypot" technique with respect to accessibility?
← Previous message | Next message →

The honey-pot technique should have no accessibility implications if
implemented correctly. We hide ours with display:none and place it
after the submit button so it should not be accessed by any user. If
it is for some reason, we give it a label that informs the user to not
enter anything into the field. It works incredibly well at stopping
bots.

I wrote about this and other accessible spam-reduction techniques
several years ago at
http://webaim.org/blog/spam_free_accessible_forms/

Jared

From: Angela French
Date: Mon, Aug 15 2016 12:51PM
Subject: Re: Has anybody come across the "honeypot" techniquewithrespect to accessibility?
← Previous message | Next message →

I used this technique in the form that you all helped me out with last weeks.

From: Lucy Greco
Date: Mon, Aug 15 2016 1:00PM
Subject: Re: Has anybody come across the "honeypot" technique with respect to accessibility?
← Previous message | Next message →

hello: we use the "honeypot" aip on our druple platform and find it
works well both wp and druple support it just use there plugin or api and
don't do more work then you have to lucy techneek

Lucia Greco
Web Accessibility Evangelist
IST - Architecture, Platforms, and Integration
University of California, Berkeley
(510) 289-6008 skype: lucia1-greco
http://webaccess.berkeley.edu
Follow me on twitter @accessaces


On Mon, Aug 15, 2016 at 11:51 AM, Angela French < = EMAIL ADDRESS REMOVED = > wrote:

> I used this technique in the form that you all helped me out with last
> weeks.
>
>

From: Dejan Kozina
Date: Mon, Aug 15 2016 4:08PM
Subject: Re: Has anybody come across the "honeypot" technique with respect to accessibility?
← Previous message | Next message →

I've been using this for 8 years or more and, as far as I (and my
customers) can tell, it just works great to deter spam without false
positives, easily beats any captcha from an accessibility point of view,
works without Javascript and is fairly easy to intenationalize.

I hide the paragraph containing the label and the input field thru CSS
aplied from an external stylesheet, mark the input field as name="url"
or something frequently used in contact forms, the label says 'Leave
this field empty' in the page language, and the fake fieks is cheched
server-side: if the field is not empty I redirect the client to
windowsupdate.com (because when I started doing this outdated Windows
was the main cause of all evil).

I'm curious to hear from the list what an appropriate response to a form
spammer would be today:
- ban the IP straight at the firewall?
- respond politely with 'Die a thousand painful deaths, robot, die!'?
- redirect to 127.0.0.1 to see if it manages to spam itself?
- redirect to a contact form on nsa.gov?
- respond with 'I'm a nigerian widow with couple millions to abscond'?
- send as response a curated collection of viruses?

:-)
djn


On 15/08/2016 19:58, Mike Barlow wrote:
> This technique was just pointed out to me in a separate forum as a way of
> preventing form spam:
> http://jennamolby.com/how-to-prevent-form-spam-by-using-the-honeypot-technique/
> So I was wondering if anyone on this forum has adopted this approach over
> the more common CAPTCHA (Completely Automated Public Turing test to tell
> Computers and Humans Apart) approach?
> *Mike Barlow*

--
-----------------------------------------
Dejan Kozina s.p.
Kunaverjeva ul. 9
1000 Ljubljana (SLO)
tel.: +386 (0) 4193 1419
tel.: +39 348 7355 225
http://www.kozina.com/
e-mail: = EMAIL ADDRESS REMOVED =

From: Mike Barlow
Date: Tue, Aug 16 2016 6:06AM
Subject: Re: Has anybody come across the "honeypot" technique with respect to accessibility?
← Previous message | Next message →

Thanks all for the feedback.

And @jared, great blog article there! I'll definitely keep it in mind for
the future.

*Mike Barlow*
Web Application Developer
Web Accessibility/Section 508 SME

Lancaster, Pa 17601
Office: 732.835-7557
Cell: 732.682.8226
e-mail: = EMAIL ADDRESS REMOVED =

On Mon, Aug 15, 2016 at 6:08 PM, Dejan Kozina < = EMAIL ADDRESS REMOVED = > wrote:

> I've been using this for 8 years or more and, as far as I (and my
> customers) can tell, it just works great to deter spam without false
> positives, easily beats any captcha from an accessibility point of view,
> works without Javascript and is fairly easy to intenationalize.
>
> I hide the paragraph containing the label and the input field thru CSS
> aplied from an external stylesheet, mark the input field as name="url"
> or something frequently used in contact forms, the label says 'Leave
> this field empty' in the page language, and the fake fieks is cheched
> server-side: if the field is not empty I redirect the client to
> windowsupdate.com (because when I started doing this outdated Windows
> was the main cause of all evil).
>
> I'm curious to hear from the list what an appropriate response to a form
> spammer would be today:
> - ban the IP straight at the firewall?
> - respond politely with 'Die a thousand painful deaths, robot, die!'?
> - redirect to 127.0.0.1 to see if it manages to spam itself?
> - redirect to a contact form on nsa.gov?
> - respond with 'I'm a nigerian widow with couple millions to abscond'?
> - send as response a curated collection of viruses?
>
> :-)
> djn
>
>
> On 15/08/2016 19:58, Mike Barlow wrote:
> > This technique was just pointed out to me in a separate forum as a way of
> > preventing form spam:
> > http://jennamolby.com/how-to-prevent-form-spam-by-using-
> the-honeypot-technique/
> > So I was wondering if anyone on this forum has adopted this approach over
> > the more common CAPTCHA (Completely Automated Public Turing test to tell
> > Computers and Humans Apart) approach?
> > *Mike Barlow*
>
> --
> -----------------------------------------
> Dejan Kozina s.p.
> Kunaverjeva ul. 9
> 1000 Ljubljana (SLO)
> tel.: +386 (0) 4193 1419
> tel.: +39 348 7355 225
> http://www.kozina.com/
> e-mail: = EMAIL ADDRESS REMOVED =
> > > > >

From: _mallory
Date: Tue, Aug 16 2016 9:07AM
Subject: Re: Has anybody come across the "honeypot" technique with respect to accessibility?
← Previous message | Next message →

I've used it but pull it offscreen, with a label clearly saying to
leave it blank.

There are bots who won't fill in display: none things, esp if they
are using Javascript or a fake browser (as some anti-spam detections
look to see if cookies can be given etc... fake browsers get around
this) and can't focus on display: none items.

Although, that's with our honeypots expecting bots to fill crap
in that field. We also keep the fields close to the top of the
form-- some bots stop partway and submit for some reason.

_mallory

On Mon, Aug 15, 2016 at 12:08:39PM -0600, Jared Smith wrote:
> The honey-pot technique should have no accessibility implications if
> implemented correctly. We hide ours with display:none and place it
> after the submit button so it should not be accessed by any user. If
> it is for some reason, we give it a label that informs the user to not
> enter anything into the field. It works incredibly well at stopping
> bots.
>
> I wrote about this and other accessible spam-reduction techniques
> several years ago at
> http://webaim.org/blog/spam_free_accessible_forms/
>
> Jared
> > > >

From: Dejan Kozina
Date: Tue, Aug 23 2016 6:33AM
Subject: Re: Has anybody come across the "honeypot" technique with respect to accessibility?
← Previous message | No next message

Just a quick follow-up: there is a reasoned listing of Captchas and
alternatives at
https://www.w3.org/WAI/GL/wiki/Captcha_Alternatives_and_thoughts

Seeing what the alternatives are makes me like this honeypot thing even
more, as the others seem all to depend on third party services (think
reliability, page load performance and visitor's privacy).

djn

On 16/08/2016 14:06, Mike Barlow wrote:
> Thanks all for the feedback.
>
> And @jared, great blog article there! I'll definitely keep it in mind for
> the future.
>
> *Mike Barlow*

--
-----------------------------------------
Dejan Kozina s.p.
Kunaverjeva ul. 9
1000 Ljubljana (SLO)
tel.: +386 (0) 4193 1419
tel.: +39 348 7355 225
http://www.kozina.com/
e-mail: = EMAIL ADDRESS REMOVED =