Coding Horror

programming and human factors

ASP.NET CAPTCHA control, improved

I improved the ASP.NET CAPTCHA server control I mentioned yesterday:

  • Control respects all standard ASP.NET server control properties (font, border, accesskey, enabled, etcetera)
  • Hide ViewState property (it's required!)
  • Added CaptchaLength property
  • Added CaptchaFontWarping property
  • Improve font sizing algorithm
  • Improve warping algorithm (more mild distortion, no more drawing outside the box)
  • Remove "1,0,I,O" from possible Captcha characters to prevent confusion in entering text
  • Text is now optional
  • Lots of other little improvements

If you are willing to trade some OCR resistance for more human readability, you can adjust the CaptchaLength and CaptchaFontWarping properties to taste. For most applications, simply having a CAPTCHA of any sort is probably enough to block casual bot attacks, and shorter, less warped phrases are definitely a lot easier to read. The default is 6 characters with medium warping, which is a good blend.
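
To make the length trade-off concrete, here is an added example (not code from the control or the CodeProject article) that draws challenge text from an alphabet with "1,0,I,O" removed and reports how large the guess space is at each length. The alphabet (A-Z plus 0-9 minus those four characters) and the names `CaptchaTextExample`, `Generate` and `KeySpace` are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class CaptchaTextExample
{
    // Assumed alphabet: A-Z and 0-9 with the confusable "1,0,I,O" removed.
    // The control's real character set may differ.
    const string Confusable = "10IO";
    static readonly char[] Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            .Where(c => Confusable.IndexOf(c) < 0)
            .ToArray();

    // Draws 'length' characters from a CSPRNG. Rejection sampling discards
    // byte values that would make some characters more likely than others.
    static string Generate(int length)
    {
        if (length < 1) throw new ArgumentOutOfRangeException(nameof(length));
        // Largest multiple of the alphabet size that fits in one byte.
        int limit = 256 - (256 % Alphabet.Length);
        var result = new char[length];
        var one = new byte[1];
        using (var rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < length; )
            {
                rng.GetBytes(one);
                if (one[0] >= limit) continue; // biased tail, draw again
                result[i++] = Alphabet[one[0] % Alphabet.Length];
            }
        }
        return new string(result);
    }

    // Number of distinct challenges a blind guesser has to choose from.
    static double KeySpace(int length) => Math.Pow(Alphabet.Length, length);

    static void Main()
    {
        foreach (int length in new[] { 4, 5, 6 })
            Console.WriteLine("{0} chars: sample {1}, blind guess succeeds 1 in {2:N0}",
                length, Generate(length), KeySpace(length));
    }
}
```

Each character dropped from the length divides the guess space by the alphabet size, which is the cost side of the readability gain.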

You can download the solution from my CodeProject article if you're interested. There are only two projects in the solution: an ultra-simple demo website and the control library itself.

To see a CAPTCHA in action, check out the Yahoo mail signup page. Refreshing the page will generate a new one every time.

Written by Jeff Atwood