Why Honeypot Can be Important for Your UI/UX

Ever felt the urge to skip a page when you were momentarily stopped by a captcha? I bet you did!

Every time I fill in an online form or simply log in, I have to prove my existence as a human. Oh c’mon! People will be going to the Moon for a vacation in a few days, and I’m still having to select picture blocks to confirm that I’m not a robot? There must be another way to keep bots away than to make people curse and make faces in the middle of an avalanche of work.

There is a way. A neat and sweet sounding thing called honeypot. It’s a captcha that wears the Invisibility Cloak and doesn’t bother users, but works diligently to keep spambots away.

How does it Work?

Keeping things short and simple, here’s how a honeypot captcha works:

Instead of preventing a bot from filling in a field, honeypot captcha lets the bot walk into the trap. The thing is, bots are smart and ever-learning, but they cannot yet read an external CSS or JavaScript file, so they cannot tell which fields a human actually sees. Honeypot captcha takes advantage of this naivety (a.k.a. stupidity) of bots. An extra field is added to the form but is hidden from humans using CSS or JS. Now, bots go into a frenzy when they find a form, and fill out each and every field, including this trap field. And voilà! The submission gets blocked.

Honeypot captcha is clever in that it does not bother the user. As user experiences are becoming more and more seamless, it would be a shame to give the site visitor a grand welcome only to slam an annoying reCaptcha on the face. As a UI/UX designer, there’s a vast field of opportunities to make beautiful forms that make people drool, and to peacefully wrap them up with a gorgeous submit button without having a hideous reCaptcha before it.

Technical Perks

From a technical point of view, too, honeypot is a good option as it captures only the malicious traffic and not the entire set. This means less storage space, less data to analyze and faster output.

Honeypots capture information about the type of attack, so the weak points can be easily analyzed. This helps administrators learn about new methods of attack, and work on them.

The Hiccups

There are a few hiccups, though.

People who have an autofill option on their system might find it difficult to pass through a honeypot, as the feature would fill in all fields, including the hidden field. However, preventing autofill on the page can successfully answer this problem. See, not much of a botheration, after all.
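
The trap field from “How does it Work?” with autofill switched off on it, as an added example that is not code from the original article. The field name `company_website`, the `.hp-wrap` class, the `/contact` action and both function names are assumptions made for illustration.

```javascript
// Added example: honeypot field for a contact form plus the server-side check.
// TRAP_FIELD, renderForm and classifySubmission are hypothetical names.
const TRAP_FIELD = "company_website"; // plausible-looking name so bots fill it in

// Form markup. The trap is hidden by a class whose rule lives in the external
// stylesheet (.hp-wrap { position: absolute; left: -9999px; }), is skipped by
// keyboard navigation and screen readers, and opts out of browser autofill.
function renderForm() {
  return [
    '<form method="post" action="/contact">',
    '  <label>Email <input type="email" name="email" required></label>',
    '  <label>Message <textarea name="message" required></textarea></label>',
    '  <div class="hp-wrap" aria-hidden="true">',
    `    <label>Leave this empty <input type="text" name="${TRAP_FIELD}"`,
    '      tabindex="-1" autocomplete="off" value=""></label>',
    '  </div>',
    '  <button type="submit">Send</button>',
    '</form>',
  ].join("\n");
}

// Server side: parse the urlencoded body and decide what to do with it.
// A human's browser submits the trap field empty; anything else is rejected.
function classifySubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const trap = params.get(TRAP_FIELD);
  if (trap === null) {
    // Design choice in this example: a request without the field was not
    // produced by the rendered form, so it is rejected too.
    return { accept: false, reason: "trap-field-missing" };
  }
  if (trap !== "") {
    return { accept: false, reason: "trap-field-filled" };
  }
  return { accept: true, reason: "ok", email: params.get("email") };
}

// Constructed sample request bodies.
const humanBody = "email=ann%40example.org&message=Hello&company_website=";
const botBody =
  "email=x%40example.org&message=Buy+now&company_website=http%3A%2F%2Fspam.example";
const strippedBody = "email=x%40example.org&message=Buy+now";

for (const body of [humanBody, botBody, strippedBody]) {
  console.log(classifySubmission(body).reason);
}
```

`autocomplete="off"` is only a hint that some autofill tools ignore, so rejected submissions are worth logging to spot real users caught by the trap.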


Like all good things, honeypot isn’t free from drawbacks.

Malicious traffic is only collected when the attack is on the honeypot machine. If the attack is on a different machine, then…Oops! The bad guys can steal the show.

Honeypots will report an attack only when activity is directed against them. If the attack is on a variety of other systems, then they will have no idea about what’s happening around them.

And it’s vulnerable to identification. That is, an expert might identify a honeypot by its specific set of behaviours, and plan the attack through the honeypot itself.

So, is Honeypot Really that Sweet?

Be it Captcha, reCaptcha or honeypot, no anti-spam measure is foolproof. Bots will always find a way to wriggle in. But keeping user experience in mind, honeypot turns out to be the optimum solution to having a form that repels bots and attracts humans. The sad part is that many websites are still hugging reCaptcha, thus introducing a bump in the smooth navigation a user deserves. It’s probably time to switch to a better option.