The pros and cons of staying secure and blocking spam with a contact form

So you’ve got a website! Now what? If you want to connect with your visitors, you’re going to need a contact form. But what are the security advantages and disadvantages associated with a contact form?

I’m sure you, like me, have had your fair share of spam email: people trying to sell you everything from prescription drugs to watches. Worse still, some of these offers will probably be coming through your company’s contact form, which is both annoying and a waste of time.

Securing response forms with a CAPTCHA

OK, I confess, this is a buzzword. After everything I said about buzzwords and jargon being a pain, I go and do this! But there’s a very good reason.

There is a way of preventing a good percentage of the unsolicited email you receive, and it’s a security feature you can add to your contact forms. It’s called CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart. If you go to the contact page of the Octane website, you’ll see one in action.

Manually submitting contact forms

However, CAPTCHAs aren’t a silver bullet, or some kind of cure-all. Because of the various tools I use, I can see where people come from before they send me a message via my contact form.

The vast majority of the spam I get is from India. So rather than this being some automated system trying and failing to complete my response form and navigate its way around the CAPTCHA, it’s a real person at the other end. That’s a problem you can’t solve with software alone.

However, some feel having a CAPTCHA on your response forms might be doing more harm than good. As an example, a recent body of research shows that CAPTCHAs have a measurable effect on conversion rates:

“From the data you can see that with CAPTCHA on, there was an 88% reduction in SPAM but there were 159 failed conversions. Those failed conversions could be SPAM, but they could also be people who couldn’t figure out the CAPTCHA and finally just gave up. With CAPTCHA’s on, SPAM and failed conversions accounted for 7.3% of all the conversions for the 3 month period. With CAPTCHA’s off, SPAM conversions accounted for 4.1% of all the conversions for the 3 month period. That possibly means when CAPTCHA’s are on, the company could lose out on 3.2% of all their conversions!”

Those figures certainly give pause for thought. But it’s also worth mentioning this is a relatively small study group, and I have a feeling that the type of visitor could play a major part in conversion and abandonment rates.

Respondr response form script

Because I got sick of relying on other people, I wrote my own response form script, called Respondr, which you’ll find being used here on Octane, as well as on the Blah, Blah! Technology blog, and several clients of mine.

Respondr is free to download, and if you’re a web developer, it should be easy enough for you to install and configure. Respondr also includes a built-in CAPTCHA, which can also be configured.

In the time I’ve been using CAPTCHAs, I’ve seen several people get stuck with them, but very few have abandoned them. My feeling is, people know why they’re being asked to enter a security code, because they’re just as sick of unsolicited mail as I am.

But if you are concerned about people abandoning your contact form, make sure your telephone number is nearby, so they can call you direct.

Masked passwords versus usability

I’ve always disliked masked passwords. What’s a masked password? It’s any text field on a contact form that turns all of the characters you’re typing into bullet points. Let’s face it, if you can’t see what you’re typing, how can you be at all sure you’ve typed the right thing?

Recently, usability expert Jakob Nielsen weighed in on the subject of masked passwords:

“The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.”

This is a problem for new and seasoned web users alike. As a web developer, I don’t use masked password form fields. If a client asks for them, I explain why they’re such a bad idea: their positives are massively outweighed by the negatives.

If you’re worried about people looking over your shoulder, that’s a people thing and not something software can get around. At the very least, if web developers are going to use masked passwords in their response forms, they should include a little check box which enables and disables it, to give the user the option.
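
A sketch of that check box, added here as an example and not taken from Respondr or any Octane code. The function name, the stand-in elements and the element ids are assumptions; it also re-masks the field on submit, because a field that is type="text" when the form is sent can end up in the browser’s ordinary form history.

```javascript
// Added example: show/hide toggle for a password field (hypothetical names).
// Works on any objects exposing type/checked/addEventListener, so it runs in a
// browser against real elements or in Node against the stand-ins below.
function attachPasswordToggle(field, checkbox, form) {
  // Start masked whatever the markup says; revealing is the user's choice.
  field.type = 'password';
  checkbox.checked = false;

  const sync = () => {
    field.type = checkbox.checked ? 'text' : 'password';
  };
  checkbox.addEventListener('change', sync);

  // Re-mask before submit: a field that is type="text" at submit time can be
  // stored in the browser's form-autofill history like any other text input.
  form.addEventListener('submit', () => {
    checkbox.checked = false;
    sync();
  });
  return sync;
}

// Constructed stand-in for a DOM element, for running outside a browser.
function fakeElement(props) {
  const handlers = {};
  return Object.assign({
    addEventListener(name, fn) { (handlers[name] = handlers[name] || []).push(fn); },
    fire(name) { (handlers[name] || []).forEach((fn) => fn({ type: name })); },
  }, props);
}

// Walk through attach -> reveal -> submit and record the field type each time.
function demo() {
  const field = fakeElement({ type: 'text' });    // markup wrongly left unmasked
  const checkbox = fakeElement({ checked: true });
  const form = fakeElement({});
  attachPasswordToggle(field, checkbox, form);
  const states = [field.type];                    // masked after attach
  checkbox.checked = true; checkbox.fire('change');
  states.push(field.type);                        // revealed while ticked
  form.fire('submit');
  states.push(field.type);                        // masked again at submit
  return { states, checkedAfterSubmit: checkbox.checked };
}

if (typeof document !== 'undefined') {
  // Browser wiring; the element ids are assumptions for this example.
  const f = document.getElementById('password');
  const c = document.getElementById('show-password');
  if (f && c && f.form) attachPasswordToggle(f, c, f.form);
}
```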

Conclusion

Ultimately, if you choose to use CAPTCHAs or masked passwords on your company website, it’s about balance: are you doing the right thing by the customers and clients visiting your website?

And knowing your audience is essential, which is why I highly recommend you track the visitors to your website, to help widen that knowledge.

Got questions? Ask!
Speak to me, Wayne, for a free, no-obligation chat.
