 Friday, July 07, 2006
CAPTCHA Security Images

Forms on the web are vulnerable to malicious behavior. With the explosion of forums, wikis and blog comments, programs have been created to spam these useful communication mechanisms. Often these forms do not require any authentication. Users can simply complete the form and submit it to post their comments.

A newly popular technique for preventing malicious applications from submitting forms is the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) security image. These are images created at runtime that contain a random sequence of numbers and letters, distorted so that only humans can interpret them.

CAPTCHA image
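
The server-side half of such a check, as an added Python example that is not taken from this post or from the libraries linked below. The names `CaptchaStore`, `ALPHABET` and `TTL_SECONDS` are assumptions, and drawing the distorted image from the returned text is left to an imaging library.

```python
import hmac
import secrets
import time

# Alphabet omits look-alike characters (0/O, 1/I/L) so distorted text stays readable.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 6
TTL_SECONDS = 300  # assumed lifetime of a challenge


class CaptchaStore:
    """Server-side record of outstanding challenges (hypothetical helper).

    Only the opaque challenge id goes into the form; the expected text stays
    on the server and reaches the user solely as the distorted image.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # challenge_id -> (expected_text, expiry)

    def issue(self):
        """Create a challenge; return (challenge_id, text_to_render)."""
        # secrets uses the OS CSPRNG, so the sequence cannot be predicted.
        text = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (text, self._clock() + TTL_SECONDS)
        return challenge_id, text

    def verify(self, challenge_id, answer):
        """Check a submitted answer; each challenge can be used only once."""
        # pop() removes the challenge whether or not the answer is right, so a
        # program cannot keep guessing against one image or replay a solved one.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        expected, expiry = entry
        if self._clock() > expiry:
            return False
        submitted = answer.strip().upper().encode()
        return hmac.compare_digest(submitted, expected.encode())
```

The form carries only the challenge id in a hidden field; a failed or expired check should be answered with a freshly issued challenge.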
 

There are several code examples and small libraries online that illustrate how to implement this feature; just search Google. Here are a few:

ASP
http://www.tipstricks.org/

PHP
http://phpsec.org/articles/2005/text-captcha.html
http://www.evolt.org/securing_forms_random_image

ASP.NET
http://www.hotscripts.com/Detailed/43986.html
http://www.lanapsoft.com/products.html


While this is great for forms exposed to the public, many developers are also using them on login forms. I don’t understand this practice. One would think a properly implemented password would be sufficient. The image just complicates matters and some are barely legible by humans. I know Yahoo! displays them for subsequent attempts to submit an authorization form, but not on the first try. I guess that’s a compromise for usability’s sake.

Copyright © blend 2006. All rights reserved. | By James Bielefeldt. |