Is there a true alternative to using CAPTCHA images?
Thinking outside the box...
In most cases this applies: The business purpose for CAPTCHAs is to identify that the person accessing a page is a human being. The underlying reason for needing to know it it's a human is to prevent automated form submission, and the main reason for preventing that is to prevent brute force attacks.
So the ultimate purpose of a CAPTCHA in most cases is as a tool to prevent brute-force attacks.
If this is your underlying reason for wanting to use a Captcha, read on. Note that there are other reasons for using CAPTCHAs, and these suggestions may or may not be applicable.
That said, there are alternatives to CAPTCHA for preventing brute-force attacks. The OWASP web site lists a few with pros and cons of each approach:
1. Locking Accounts
The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator. However, account lockout is not always the best solution, because someone could easily abuse the security measure and lock out hundreds of user accounts. In fact, some Web sites experience so many attacks that they are unable to enforce a lockout policy because they would constantly be unlocking customer accounts.
The problems with account lockouts are:
- An attacker can cause a denial of service (DoS) by locking out large numbers of accounts.
- Because you cannot lock out an account that does not exist, only valid account names will lock. An attacker could use this fact to harvest usernames from the site, depending on the error responses.
- An attacker can cause a diversion by locking out many accounts and flooding the help desk with support calls.
- An attacker can continuously lock out the same account, even seconds after an administrator unlocks it, effectively disabling the account.
- Account lockout is ineffective against slow attacks that try only a few passwords every hour.
- Account lockout is ineffective against attacks that try one password against a large list of usernames.
- Account lockout is ineffective if the attacker is using a username/password combo list and guesses correctly on the first couple of attempts.
- Powerful accounts such as administrator accounts often bypass lockout policy, but these are the most desirable accounts to attack. Some systems lock out administrator accounts only on network-based logins.
- Even once you lock out an account, the attack may continue, consuming valuable human and computer resources.
2. Inject random pauses when checking a password.
Adding even a few seconds' pause can greatly slow a brute-force attack but will not bother most legitimate users as they log in to their accounts.
3. Lock out an IP address with multiple failed logins
4. Design your Web site not to use predictable behavior for failed passwords.
As for this:
I have a registration form to be filled, but I don't want my user table to be filled with trash.
In your particular case, I'd go with the a two-tier approach:
First, I'd use the "Inserting random pause" option just to limit how many bogus submissions could be entered in the first place.
To deal with potentially bogus registration attempts, use a verification mechanism. Register them but not as active, send them an email with an "Activation" link. For those that activate - at least you know you have a valid email address of someone who actually wants to register. Then implement a scheduled task that automatically deletes un-activated accounts after X hours or X days.
Google has come up with a new technique called reCaptcha that is simpler and reportedly more reliable than existing solutions.
It consists of a single checkbox, that when clicked, sends metadata to Google's servers, which in turn uses some proprietary AI to determine if the click originated from within a script, or a human.
See this venture beat article for additional information.
One alternative to a classic captcha is Microsoft Asirra (which I consider quite interesting). Instead of reading scrambled text, you have to select the cats from pictures containing either cats or dogs. They have over 3 million photos, so you should be safe against the more determined attackers. It is not very probable that someone will index all these images just to fill your database with junk, and moreover, the chance of not being able to select the cats from the first try is low.
UPDATE: Google can solve Cat Captchas.