Website Signup w/o Confirmation: Any Problems with That?
7 points by sabat on May 9, 2007 | hide | past | favorite | 14 comments


So Reddit doesn't require email confirmation, just a username and password. PG definitely prefers that style, as I've read. I bet other YC sites do the same thing.

Aren't you asking for trouble, though? Isn't that too easy to abuse, especially for a social-voting site like Reddit? Help me understand why these sites are not worried.


Email confirmation isn't a CAPTCHA: If you can write a robot to sign up for reddit.com, then surely you can write a robot to send a "HTTP GET" request for every link in your email account.

There are three obvious purposes for email confirmation:

- Users often forget their usernames/passwords. Usually the only way to remind them is by sending them email. If they used an invalid email address (purposely or accidentally), you will end up with support emails saying "I forgot my username and password but I don't have any evidence that it is actually my account!" Email confirmation ensures that you can communicate with the user on a side channel.

- When raising money / selling advertising, how many users' email addresses you know is a big deal. People use this metric to judge how "engaged" the users are with the site.

- It makes it difficult to have multiple accounts. Again, advertisers/investors look at the number of unique users when deciding to fork over money.

If the user will be storing any important information/money solely using your service, you should go through the confirmation process ASAP so that they don't get locked out of their data/money. If your site is a "waste your time and hopefully click on my ads" service, then:

(1) Have a page where the user enters his proposed username/password, with no email field. This makes it look really simple to sign up.

(2) When the user submits #1, bring up a page with the email address field. This page should already show the user as being logged in & show/hint that the user has already unlocked whatever functionality requires an account. The big print on the page explains why you are asking for it and your amazing privacy policy. The fine print tells the user that it is optional but highly recommended, and reminds them about your amazing privacy policy.

(3) If/When the user submits their email address, send the user an email. But, unlock the account functionality without requiring confirmation.

(4) In the email, provide a brief explanation of confirmation and provide the confirmation link. Automatic password reminders can only be done after this initial confirmation link has been requested.
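
The four-step flow above, written out as an added example (not reddit's or any YC site's code). The store, the mail outbox, the URL `https://example.invalid/confirm` and the PBKDF2 parameters are all this example's own assumptions. The point it makes concrete: the account works from step 1, the email is optional, the confirmation token is unguessable and compared in constant time, and password-recovery mail is sent only to an address that has actually been confirmed, so a mistyped or someone else's address never receives a reset.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a user table plus outgoing mail queue (assumption).


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt; returns "salt_hex$digest_hex"."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class Account:
    username: str
    password_hash: str
    email: Optional[str] = None
    email_confirmed: bool = False
    pending_token: Optional[str] = None   # outstanding confirmation token, if any
    reset_token: Optional[str] = None


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str, str]] = []   # (to, subject, body)

    # Step 1: username + password only; the account is usable right away.
    def signup(self, username: str, password: str) -> Account:
        if username in self.accounts:
            raise ValueError("username taken")
        acct = Account(username, hash_password(password))
        self.accounts[username] = acct
        return acct

    # Steps 2-3: the email is optional. Storing it sends a confirmation mail
    # but gates no functionality on the user clicking the link.
    def add_email(self, username: str, email: str) -> str:
        acct = self.accounts[username]
        acct.email = email
        acct.email_confirmed = False                 # a changed address must be re-confirmed
        acct.pending_token = secrets.token_urlsafe(32)   # 256 bits: not guessable
        link = f"https://example.invalid/confirm?u={username}&t={acct.pending_token}"  # hypothetical URL
        self.outbox.append((email, "Confirm your address", f"Confirm at {link}"))
        return acct.pending_token

    # Step 4: following the link proves the mailbox is reachable by this user.
    # Constant-time comparison so a wrong guess leaks nothing about the token.
    def confirm(self, username: str, token: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.pending_token is None:
            return False
        if not hmac.compare_digest(acct.pending_token, token):
            return False
        acct.email_confirmed = True
        acct.pending_token = None
        return True

    # Password reminders go only to a confirmed address.
    def request_password_reset(self, username: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or not acct.email_confirmed:
            return False
        acct.reset_token = secrets.token_urlsafe(32)
        self.outbox.append((acct.email, "Password reset", f"Reset token: {acct.reset_token}"))
        return True


def demo() -> dict:
    """Walk one constructed account through the flow; returns what each step allowed."""
    store = AccountStore()
    store.signup("alice", "correct horse battery staple")
    before = store.request_password_reset("alice")        # no address yet: refused
    token = store.add_email("alice", "alice@example.invalid")
    unconfirmed = store.request_password_reset("alice")   # address unconfirmed: refused
    wrong = store.confirm("alice", "not-the-token")
    right = store.confirm("alice", token)
    after = store.request_password_reset("alice")         # confirmed: reset mail sent
    return {"before": before, "unconfirmed": unconfirmed, "wrong": wrong,
            "right": right, "after": after, "mails": len(store.outbox)}
```

The check worth keeping from this is the one in `request_password_reset`: an unconfirmed address is treated as untrusted for recovery purposes, which is exactly the support-ticket problem the first bullet describes.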


The thing that protects you the best is obscurity. If you have hordes of determined bad guys targeting your site it's probably not so bad -- it means your site is very popular (or stores credit card numbers).

Generally, IP addresses are a much more limited resource than email addresses. Although open proxies and botnets make them less so. Reddit probably fights off abuse primarily based on individual IPs and entire address blocks. IP geo-location can help a lot in certain cases too.

CAPTCHAs really do the most to slow down the worst kinds of abuse.
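
An added example of the per-address and per-block throttling this comment describes; it is not reddit's mechanism, and the window and thresholds are assumptions. Account creation is counted in a sliding window keyed both on the exact source address and on its block (/24 for IPv4, /64 for IPv6), so a single host hits a small limit and a whole block hits a larger one. The signup attempts replayed at the end are constructed.

```python
from collections import deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 3600      # assumption: one-hour sliding window
MAX_PER_ADDRESS = 3        # assumption: signups allowed per source address per window
MAX_PER_BLOCK = 20         # assumption: signups allowed per address block per window


def block_for(ip: str) -> str:
    """Group an address with its neighbours: /24 for IPv4, /64 for IPv6."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ip_network(f"{addr}/{prefix}", strict=False))


class SignupLimiter:
    def __init__(self) -> None:
        self._events: Dict[str, Deque[float]] = {}

    def _count(self, key: str, now: float) -> int:
        q = self._events.setdefault(key, deque())
        while q and q[0] <= now - WINDOW_SECONDS:   # expire events outside the window
            q.popleft()
        return len(q)

    def allow(self, ip: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason); an attempt is recorded only when allowed."""
        addr_key = f"ip:{ip}"
        block_key = f"net:{block_for(ip)}"
        if self._count(addr_key, now) >= MAX_PER_ADDRESS:
            return False, "per-address limit"
        if self._count(block_key, now) >= MAX_PER_BLOCK:
            return False, "per-block limit"
        self._events[addr_key].append(now)
        self._events[block_key].append(now)
        return True, "ok"


def demo_events() -> List[Tuple[float, str]]:
    """Constructed (timestamp, source ip) signup attempts; 203.0.113.0/24 and 2001:db8:: are documentation ranges."""
    events = [(float(t), "203.0.113.10") for t in range(4)]             # four tries from one host
    events += [(10.0 + i, f"203.0.113.{11 + i}") for i in range(17)]    # seventeen more hosts in the same /24
    events += [(30.0, "203.0.113.28"),        # 21st distinct signup from the block
               (31.0, "2001:db8::1"),         # unrelated network, unaffected
               (4000.0, "203.0.113.10")]      # first host again, after the window has passed
    return events


def replay(events: List[Tuple[float, str]]) -> List[str]:
    """Run attempts through a fresh limiter and return the decision for each."""
    limiter = SignupLimiter()
    return [limiter.allow(ip, t)[1] for t, ip in events]
```

The comment's own caveat applies unchanged: open proxies and botnets spread attempts across many blocks, so this slows casual abuse and sockpuppet farms on one connection rather than a distributed attacker, and NAT or carrier-grade NAT can put many legitimate users behind one address, which argues for keeping the per-address limit generous or adding a CAPTCHA on the throttled path rather than a hard refusal.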


I agree. Obscurity is fine in this case, because if abuse becomes a problem, it will be new accounts that are the problem. So you can just add confirmation, captcha, etc. on the fly when the time comes.


I just don't like the confirmation email. It's such a hassle. You could still add an email field when signing up, but only for the sole purpose of giving the user a chance to get his/her password back in case he/she forgot it.


Great replies.

On the subject of CAPTCHAs: I'm seeing a lot of variations of this lately, like "what is 2+3?" in a graphic, or "click on all the ducks" next to 6 photos with 2 ducks. You get the picture.

I think CAPTCHA is on the way out. If we have to prove you're human, there are better ways than "try to interpret this blurry, distorted graphic and type it here". Opinions?


examples?


There are a couple of ways of thinking about this, but I certainly don't think CAPTCHAs are on the way out. (Well, one way out is something like OpenID.)

Since CAPTCHAs are based on feature detection in domains where humans are still far superior to computers, the ultimate CAPTCHA would be something based on faces.

The problem is that the permutability of the variables in the CAPTCHA means a lot more overhead for more variables graphically produced. I mean, to produce a string of text is far easier than to produce 10 faces. And in picture CAPTCHAs you are left with pass/fail for every picture, so it leads to much less permutability, compared to text. In this regard, I think text-based CAPTCHAs still have a place and will stay for quite a while.

And the newer "what is 2 + 3" is so bafflingly breakable that I can't believe it is actually being used.

A method I think worth exploring is tracking mouse clicks, e.g. show a banner-sized picture and ask users to click through items in a certain sequence, like "mouse, truck, building, blah blah." Then you calculate the deviation from the hit zone. However, this cannot be done without a mouse. To make it keyboard-friendly you'd probably need to present a bunch of icons and ask users to select those icons in some order. In fact, I imagine this to be a good password replacement scheme (but again, as a password scheme you'd need 26x2 + 10 icons to match the permutability of a d+w password; hence the mouse click).

But in any case, CAPTCHAs are fairly distracting when they appear, so the CAPTCHA idea I wrote above is something I would do only when I have enough time to play with it.


"2 + 3" and codinghorror.com's "ORANGE" CAPTCHA are 99% effective.

There are many (mostly unpopular) sites without effective protective measures against SPAM. For attacking these sites, botnets are effective.

Almost all popular sites have some effective protective measures. For these sites, coding and deploying a constantly evolving botnet to keep up with this arms race is just not effective. It is more cost effective to hire third-world (or even first-world) labor to attack them.

There was an article on news.ycombinator.com a few days ago about how posting a comment on TechCrunch is more effective advertising than AdBrite. Go look at the comments on TechCrunch and pay attention to how many of the frequent commenters link back to their sites. (The kewter.com guy sticks in my mind the most, as that domain name is hard to forget).

With that in mind, imagine paying a few US college students $6.00 an hour to read+comment on weblogs, forums, and social networking sites for hours at a time. Tell them that they are to carry on educated, intelligent, and intriguing discussion. For each post, they need to include a link back to (their profile on) your website. You could even hack together a few tools to make it really easy for them to participate in dozens or hundreds of discussions per day--for example, build an email-confirmation sidebar widget for Firefox and some collaboration software that allows human-net to collude.

How do you stop this kind of attack?


First off, where do you get the 99% effective statistic? I'm genuinely curious, because I cannot think of a reason why the simple addition test is effective at all; I am still as baffled as ever.

As for hired spammers, I don't see a protection against that, nor do I challenge your argument about it, but the subject is CAPTCHAs. CAPTCHAs are Turing tests; they tell computers from humans, not humans from humans. The difference is that botnets take very little money to run, once the software is mature. Hiring takes money, and that in itself is a barrier. I don't know the true costs of running botnets vs. hiring commenters; perhaps, as you said, hiring is more cost-efficient, but it seems almost trivially easy to defeat the "2 + 3" mechanism, so trivial that I would assume it to cost significantly less to defeat than hiring somebody even at 6 dollars per hour.

If the hired commenters post "intelligent" content, well then, it is, by definition, intelligent content. If "intelligent" only means "coherent" and "somewhat related to the topic of discussion," fine, it can be spam, but it still fits two criteria: 1. a human posted it, 2. it required mental effort to create. A legitimate user who is a maniac wouldn't fare any better. As such, I would believe that a hired commenter who posts "intelligent content" is at least as intelligent as a non-hired user who posts "unintelligent content."
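
To make concrete why the "2 + 3" challenge is called trivially breakable, both in the comment a few replies up and in this one, here is an added solver (not code from any site or commenter). It recognises digits or number words joined by a spelled or symbolic operator, which is all such a challenge contains; anything a bot author has to write is a regular expression and a lookup table. The challenge strings it is run against are constructed for this example.

```python
import re
from operator import add, mul, sub
from typing import Dict, List, Optional, Tuple

NUMBER_WORDS: Dict[str, int] = {
    "zero": 0, "one": 1, "two": 2, "three": 3, "four": 4, "five": 5,
    "six": 6, "seven": 7, "eight": 8, "nine": 9, "ten": 10, "eleven": 11,
    "twelve": 12, "thirteen": 13, "fourteen": 14, "fifteen": 15,
    "sixteen": 16, "seventeen": 17, "eighteen": 18, "nineteen": 19, "twenty": 20,
}
OPERATORS = {"+": add, "plus": add, "-": sub, "minus": sub, "*": mul, "times": mul, "x": mul}

# A number is a run of digits or a whole number word; \b keeps "one" from
# matching inside "someone" and "six" from matching inside "sixteen".
_NUM = r"\b(\d+|" + "|".join(NUMBER_WORDS) + r")\b"
_OP = r"(\+|plus|-|minus|\*|times|x)"
CHALLENGE = re.compile(_NUM + r"\s*" + _OP + r"\s*" + _NUM, re.IGNORECASE)


def to_int(token: str) -> int:
    return int(token) if token.isdigit() else NUMBER_WORDS[token.lower()]


def solve(challenge: str) -> Optional[int]:
    """Answer an arithmetic challenge embedded in page text, or None if none is found."""
    m = CHALLENGE.search(challenge)
    if not m:
        return None
    left, op, right = m.groups()
    return OPERATORS[op.lower()](to_int(left), to_int(right))


# Constructed challenge texts, as a signup or comment form might present them.
SAMPLES: List[str] = [
    "What is 2 + 3?",
    "Anti-spam question: seven plus four",
    "9 - 4 = ?",
    "How much is three times five?",
    "Type the result of 12 minus Four",
    "Enter the word shown in the image",   # not arithmetic: solver gives up
]


def solve_all() -> List[Tuple[str, Optional[int]]]:
    return [(text, solve(text)) for text in SAMPLES]
```

The reason such a check can still report high effectiveness is the one given in the reply below about special-casing: the solver above is site-agnostic for arithmetic, but the moment a site switches wording or adds a static word like the "ORANGE" example, a generic bot needs a per-site rule, and most do not bother.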


The 99% effective statistic came from the author of codinghorror.com. His CAPTCHA for every comment is a single static image of the word "ORANGE" in a slightly stylized but plainly readable font. I've seen other bloggers claim that simple addition puzzles are almost 100% effective as well (at least, they were when they were introduced).

I think that spammers simply don't want to create a special case handling of every site they come across.

I think in less than 5 years, a botnet will be able to participate in discussions in a way that is nearly indistinguishable from humans. If a robot posts better-than-average commentary, do you care if it is a real human or not?


Interesting. Perhaps spammers are just lazy -- if they aren't following the latest captcha techniques. I still find those examples incredible, but as long as they work, happy.

And to answer your question, no. When you play chess with a strong computer, or a living grandmaster, both are formidable opponents playing the same game. Talking to an educated person and a strong-AI-capable computer would be participating in the same discussion. (I don't know if this is objectionable but it makes perfect sense to me; if you see otherwise, do explain.)

However, if and when that happens, the world is going down a wildly different path, and that problem you point out will be a minor one, compared to some dramatic job cuts it will likely bring about and the businesses that it wipes out.


Microsoft did one where you had to prove you were human by looking at pussies....

http://research.microsoft.com/asirra/




Can someone kill stenchbench's account? He's a troll/spammer: http://news.ycombinator.com/threads?id=stenchbench

-20 karma in 4 hours? Amazing.



