What are the best ways to prevent fake registrations?

Question

I would like to know more about the solutions to restrict registering for a website for humans only.

Captcha may seem a proper solution but as it turns out it's not as good as it sounds. And it's not a problem if a solution is not an option for blind, deaf people etc..

Answer 1

My newest web app uses a process that makes this really easy for the user and secure for me.

1. User goes to login page, enters their email address and clicks an "I am signing up" checkbox.
2. The user clicks "register", their email address gets inserted to a temporary SQL table (called signups) and an email with a verification link is sent to the email address.
3. The user clicks the verification link which takes them to a "create password" page.
4. After the user creates his password, the email address and password are inserted into the users table–and the entry in the signups table is deleted.

This makes it easy and reliable.

The signups table also includes a random SHA1 hash (for the verification link), a timestamp set for 12 hours after the sign up, and IP Address.

All entries in the signups table that have an expired timestamp get removed at certain parts of the day.

---

Update

Since writing this answer, I have found that keeping a signup form secure from robots is a never-ending battle.

As time goes on, new technologies and methods are being developed to circumvent security measures. The best thing any dev team can do is periodically be checking the quality of signups, and thinking of ways to make their signup form both more secure and intuitive to use.

Yeah, it is a good bit of work and resources that go into it, but having confidence in your signup form and quality of signups is well worth the expense.

Answer 2

Depending on how targeted your site is, using a honeypot can be quite effective.

In short, you have a field on your form with a common name -- let's say email. Your actual email field has some other random name like larp.

Hide the email field using CSS, and include a text label instructing users to leave that field blank, should they happen to see it.

If any registrations come in with the email field filled in, send a success message back then drop it.

Answer 3

Verifying the e-mail address and allowing only users who have verified their e-mails is the easiest and quickest solution.