Prevent illegitimate user registration
At the moment, it is extremely easy for a bot to register many user accounts. A mechanism should be implemented to prevent this from happening. It may also be necessary to use the same mechanism for comments.
Using Google Captcha is highly unfavourable. Not only does it add another dependency, it makes the site more dependent on JavaScript in general. It also requires running proprietary software, as well as giving data to Google.
The problem is that everything that can be done easily by most people can also be done fairly trivially by an AI. This is amplified by the fact that a bot would only need a success rate of a few percent to be able to leave many comments.
Ideas that have been considered, but won't work:
- Display an image, ask the user what it is (multiple choice). Easily defeated by a trained AI.
- Sentiment analysis. Ask the user to rank a snippet of text as positive/negative. This is pretty easily done by a computer, and even just guessing would yield a 50% success rate.
- Ask the user an easy question ("Who is the president of the United States"). Probably defeatable by Wolfram Alpha.
- SMS verification. Requires sending text messages, which significantly complicates things and costs money.
- Manual registration approval. This will probably get included at some point, configurable in the yml file. However, it's not a great solution, as users won't be very happy with waiting.