I would like to know more about the solutions to restrict registering for a website for humans only. Captcha may seem a proper solution but as it turns out it's not as good as it sounds. And it's not a problem if a solution is not an option for blind, deaf people etc..

My newest web app uses a process that makes this really easy for the user and secure for me. <ol> <li>User goes to login page, enters their email address and clicks an "I am signing up" checkbox.</li> <li>The user clicks "register", their email address gets inserted to a temporary SQL table (called <code>signups</code>) and an email with a verification link is sent to the email address.</li> <li>The user clicks the verification link which takes them to a "create password" page.</li> <li>After the user creates his password, the email address and password are inserted into the <code>users</code> table–and the entry in the <code>signups</code> table is deleted.</li> </ol> <img src="https://i.stack.imgur.com/ZIech.png" alt="web app signup example"> This makes it easy and reliable. The <code>signups</code> table also includes a random SHA1 hash (for the verification link), a timestamp set for 12 hours after the sign up, and IP Address. All entries in the <code>signups</code> table that have an expired timestamp get removed at certain parts of the day. <hr> <h3>Update</h3> Since writing this answer, I have found that keeping a signup form secure from robots is a never-ending battle. As time goes on, new technologies and methods are being developed to circumvent security measures. The best thing any dev team can do is periodically be checking the quality of signups, and thinking of ways to make their signup form both more secure and intuitive to use. Yeah, it is a good bit of work and resources that go into it, but having confidence in your signup form and quality of signups is well worth the expense.

Depending on how targeted your site is, using a <code>honeypot</code> can be quite effective. In short, you have a field on your form with a common name -- let's say <code>email</code>. Your actual <code>email</code> field has some other random name like <code>larp</code>. Hide the <code>email</code> field using CSS, and include a text label instructing users to leave that field blank, should they happen to see it. If any registrations come in with the <code>email</code> field filled in, send a success message back then drop it.

What are the best ways to prevent fake registrations?

3 Answers

My newest web app uses a process that makes this really easy for the user and secure for me.

User goes to login page, enters their email address and clicks an "I am signing up" checkbox.
The user clicks "register", their email address gets inserted to a temporary SQL table (called signups) and an email with a verification link is sent to the email address.
The user clicks the verification link which takes them to a "create password" page.
After the user creates his password, the email address and password are inserted into the users table–and the entry in the signups table is deleted.

web app signup example

This makes it easy and reliable.

The signups table also includes a random SHA1 hash (for the verification link), a timestamp set for 12 hours after the sign up, and IP Address.

All entries in the signups table that have an expired timestamp get removed at certain parts of the day.

Update

Since writing this answer, I have found that keeping a signup form secure from robots is a never-ending battle.

As time goes on, new technologies and methods are being developed to circumvent security measures. The best thing any dev team can do is periodically be checking the quality of signups, and thinking of ways to make their signup form both more secure and intuitive to use.

Yeah, it is a good bit of work and resources that go into it, but having confidence in your signup form and quality of signups is well worth the expense.

answered Oct 02 '22 20:10

honyovk

Depending on how targeted your site is, using a honeypot can be quite effective.

In short, you have a field on your form with a common name -- let's say email. Your actual email field has some other random name like larp.

Hide the email field using CSS, and include a text label instructing users to leave that field blank, should they happen to see it.

If any registrations come in with the email field filled in, send a success message back then drop it.

answered Oct 02 '22 20:10

Jeremy J Starcher

Verifying the e-mail address and allowing only users who have verified their e-mails is the easiest and quickest solution.

answered Oct 02 '22 21:10

Shirish

Related questions
                            
                                Change jstree node text colour based on type
                            
                                Backbone.js collection with multiple sorts
                            
                                DELETE method on jQuery Blueimp FileUpload not allowed using Codeigniter/PHP (405 error)?
                            
                                Preloading a background-image with a temporary gif image
                            
                                Why are inline JS blocks unsafe?
                            
                                Samsung smart tv unique device identifier
                            
                                Ember can't find find() method on model
                            
                                While loop only returning final result
                            
                                Posting a JSON object to an iFrame
                            
                                D3 line graph with arbitrarily many lines (and a specific data format)
                            
                                Filling log in form with zombie in node.js
                            
                                Javascript / jQuery get all url parameters and add/change one
                            
                                CKEditor - Does not show up
                            
                                Google Analytics Event Tracking
                            
                                difference between layout engine and javascript engine
                            
                                changing all <td> color onclick for a particular table
                            
                                Grey-out (disable) HTML textarea when checkbox is ticked
                            
                                How do I add a text input to a Samsung Smart TV app?
                            
                                fs in Node.js Doesn't Understand ~/
                            
                                iisnode and express

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With

What are the best ways to prevent fake registrations?

Tags:

javascript

security

humanize

registration

Adam Halasz

People also ask