Anti-bot authentication system

foxfox

1:50 pm on Nov 15, 2007 (gmt 0)

For example, for the login form of your app, how do you protect your authentication system against computer bots and brute-force retries?

I have some methods in mind; let's discuss them.

1. Captcha

2. Check the User-Agent

3. Inject a cookie while loading the login form; since bots most likely don't understand cookies, when they submit the form back we can check for that cookie.

4. Similar to (2), but using JavaScript to hide the form target URI, so they don't know where to post.

Any more?

kaled

2:30 pm on Nov 15, 2007 (gmt 0)

Assuming
1) bots can't run JavaScript
2) protected pages need not appear in search engines

you could create a unique JavaScript redirect for every page load.

Attempting to load the page without JavaScript would simply result in a "JavaScript required" message; otherwise a redirect to page.html?uniqueid=1234 would be initiated.

Assuming uniqueid changes for each page request and only remains valid for a few seconds, pages should be entirely inaccessible to bots.

Of course, people who disable javascript may be miffed.

Kaled.
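The cookie-on-load idea from the opening post and the short-lived unique ID from kaled's reply can be combined into one server-side check. The following is an added example, not code from the thread or from any forum product: when the login form is served, the server issues an HMAC-signed token carrying a timestamp and a random nonce, sets it as a cookie and also embeds it in a hidden field; on POST both copies must be present, match, be fresh, and never have been used before. The secret key, the cookie name `login_tok`, the 30-second lifetime and the `/login` path are assumptions for the demo.

```python
"""Signed, short-lived login-form token: issued as a cookie when the form is served,
echoed in a hidden field, and required on POST. Added example; not from the thread."""
import hashlib
import hmac
import secrets
import time

# Assumptions for the demo: a server-side secret (must be random and kept private
# in a real deployment) and a lifetime of a few seconds, as kaled proposed.
SECRET_KEY = b"demo-only-secret-replace-me"
TOKEN_TTL_SECONDS = 30


def issue_token(now=None, secret=SECRET_KEY):
    """Build "timestamp:nonce:hmac" to hand out when the login form is served."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{now}:{secrets.token_hex(8)}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token, now=None, secret=SECRET_KEY, ttl=TOKEN_TTL_SECONDS):
    """True only if the MAC is valid and the token is no older than ttl seconds."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts_str, nonce, sig = token.split(":")
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(secret, f"{ts_str}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return 0 <= now - ts <= ttl


def accept_login_post(cookies, form, used_nonces, now=None):
    """Server-side check on POST. A client that ignored Set-Cookie fails at the first
    test; a client that scraped the hidden field but not the cookie fails at the second;
    a stale token fails the third; a replayed one fails the fourth."""
    cookie_tok = cookies.get("login_tok")
    form_tok = form.get("login_tok")
    if not cookie_tok or not form_tok:
        return False
    if not hmac.compare_digest(cookie_tok.encode(), form_tok.encode()):
        return False
    if not verify_token(cookie_tok, now=now):
        return False
    nonce = cookie_tok.split(":")[1]
    if nonce in used_nonces:          # single use: needs shared storage across workers
        return False
    used_nonces.add(nonce)
    return True


def login_form_html(token):
    """The GET response: the same token goes in the Set-Cookie header and the hidden field."""
    headers = {"Set-Cookie": f"login_tok={token}; HttpOnly; SameSite=Strict; Path=/login"}
    body = (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="login_tok" value="{token}">'
        '<input name="user"><input name="pass" type="password">'
        '<button>Log in</button></form>'
    )
    return headers, body
```

The signature means the server stores nothing at issue time; the `used_nonces` set is what stops a bot that did fetch the form from replaying one token for a whole dictionary run, and in production it has to live somewhere all application workers can see (a database table with a short expiry, as the thread's vBulletin suggestion does for attempt timestamps).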

kolin

4:15 pm on Nov 23, 2007 (gmt 0)

One nice 'captcha' method I've come across is to have an input field styled as display:none;

As it still appears in the HTML source, an automated bot will fill it in.

On the server side I check to see if any content has been entered into this non-displayed input box; if it has, I discard the form data.

rocknbil

10:42 pm on Nov 23, 2007 (gmt 0)

have an input field styled as display:none;

This is known as a "honeypot"; it also works with input type="hidden", but this version has the added advantage of catching smarter bots that ignore input type="hidden".

... how to protect your authentication system against from computer bots and brute force retries?

Follow vBulletin's example: in your server-side program, on the initial login attempt, store a session ID and time in the database. For successive login attempts, a) allow only one login attempt every X seconds, and b) after X failed login attempts lock out this IP address for Y amount of time (an hour, etc.).

This could be further enhanced by trying to set and read a cookie as mentioned; bots are not browsers and don't accept cookies (usually).
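The throttle rocknbil describes (one attempt per X seconds, lockout for Y after X failures) as an added example, written here for the thread and not taken from vBulletin or any other product. The per-client state is kept in a dictionary, which stands in for the database row the post mentions; `attempt_login` wraps a constructed single-user password table, and the client key, interval and lockout values are assumptions chosen for the demo.

```python
"""Per-client login throttle with lockout, as an added example for the thread."""
import hashlib
import hmac
import time

MIN_INTERVAL = 2          # seconds that must pass between attempts from one client
MAX_FAILURES = 5          # failures before the client is locked out
LOCKOUT_SECONDS = 3600    # rocknbil's "an hour, etc."


class LoginThrottle:
    """Tracks last-attempt time, failure count and lockout expiry per client.
    In production this state belongs in a shared store, not process memory."""

    def __init__(self, min_interval=MIN_INTERVAL, max_failures=MAX_FAILURES,
                 lockout=LOCKOUT_SECONDS):
        self.min_interval = min_interval
        self.max_failures = max_failures
        self.lockout = lockout
        self._state = {}

    def _entry(self, client_id):
        return self._state.setdefault(
            client_id, {"last": None, "failures": 0, "locked_until": 0.0})

    def check(self, client_id, now=None):
        """Call before touching the password. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        st = self._entry(client_id)
        if now < st["locked_until"]:
            return False, "locked_out"
        if st["last"] is not None and now - st["last"] < self.min_interval:
            return False, "too_fast"       # not counted as a failure, just refused
        st["last"] = now
        return True, "ok"

    def record_result(self, client_id, success, now=None):
        """Called after the credential check; starts the lockout on the Nth failure."""
        now = time.time() if now is None else now
        st = self._entry(client_id)
        if success:
            st["failures"] = 0
            return
        st["failures"] += 1
        if st["failures"] >= self.max_failures:
            st["locked_until"] = now + self.lockout
            st["failures"] = 0


# Constructed sample account for the demo (salt and iteration count are placeholders).
_SALT = b"demo-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _hash("correct horse")}


def attempt_login(throttle, client_id, username, password, now=None):
    """Full flow: throttle first, then verify, then record the outcome."""
    allowed, reason = throttle.check(client_id, now)
    if not allowed:
        return reason
    ok = username in USERS and hmac.compare_digest(USERS[username], _hash(password))
    throttle.record_result(client_id, ok, now)
    return "success" if ok else "bad_credentials"
```

Keying on the IP address alone, as the post suggests, also lets an attacker lock out everyone behind a shared NAT; a common refinement is to track both the source address and the target username so that a lockout on `alice` from one address does not block her from another.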

thecoalman

10:58 am on Nov 24, 2007 (gmt 0)

I battled spam bots for about 2 years on a forum and no matter what I did they still made it through. Adding a question that only a human can answer has stopped them cold. Not a single spam post in a year and as far as I can tell no registrations either.

One nice 'captcha' method I've come across is to have an input field styled as display:none;

I've seen this mentioned before, but won't a text reader load the input box? I'm unfamiliar with how they work, but my assumption is they simply discard the CSS.

rocknbil

8:42 pm on Nov 24, 2007 (gmt 0)

You missed this part:

On the server side I check to see if any content has been entered into this non-displayed input box; if it has, I discard the form data.

I like to use a variation on this myself: I populate this field with a particular value; then, in my program, if the submitted value does not match what I have hard-coded, it dumps and does not proceed.

thecoalman

1:42 pm on Nov 25, 2007 (gmt 0)

Sorry, I should have clarified it more; my question was in reference to people with visual disabilities. If you have an input box relying on CSS to hide it, would they see it? Yes or no?

Fill it out and get banned. Just asking because I really have no idea.

----------------------

I can give you two other variations on that as well. If you're using a standard piece of software like phpBB, the input fields may be standard on the form. The bots will post to it directly without actually loading the form. Changing a value or name is a very easy way of detecting a bot.

The other mod I've used removes a standard input field, specifically the website and signature fields. Again, the bots post the form directly without actually loading it. This one was a little better because it would ban the IP for any form submitted with a website filled out. The user could add it once they had successfully registered.

Simple but effective.

rocknbil

7:56 pm on Nov 25, 2007 (gmt 0)

DOH, should have gotten it from "text reader". Never thought about that . . . so a hidden input field is probably better.

thecoalman

12:06 am on Nov 26, 2007 (gmt 0)

That is one of the reasons I'm hesitant to add a bot trap. The only thing I can come up with is putting warnings around it.
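The honeypot variants in this thread (kolin's empty hidden field, rocknbil's pre-filled fixed value, thecoalman's renamed stock fields and removed website/signature fields) all reduce to one server-side classifier over the posted field names and values, and the accessibility worry raised at the end is handled at render time by putting a plain-language label inside the hidden wrapper. The code below is an added example for the thread, not code from phpBB, vBulletin or any poster; the field names `user_x4f2`, `pass_x4f2` and `email_confirm`, the fixed value `leave-me` and the rejection reason strings are assumptions for the demo.

```python
"""Honeypot and field-shape checks for a login/registration form. Added example;
field names and values are assumptions for the demo, not phpBB's or vBulletin's."""
import hmac

HONEYPOT_FIELD = "email_confirm"           # rendered inside a display:none wrapper
REAL_FIELDS = {"user_x4f2", "pass_x4f2"}   # stock username/password names renamed per site
REMOVED_FIELDS = {"website", "signature"}  # deleted from the form; only a bot still posts them


def render_login_form():
    """HTML for the form. The honeypot sits in a hidden wrapper with a visible label,
    so a screen reader that discards the CSS still tells the user to leave it alone."""
    return (
        '<form method="post" action="/login">\n'
        '  <label>Username <input name="user_x4f2"></label>\n'
        '  <label>Password <input name="pass_x4f2" type="password"></label>\n'
        '  <div style="display:none" aria-hidden="true">\n'
        '    <label>Leave this field empty if you are human\n'
        f'      <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>\n'
        '  </div>\n'
        '  <button>Log in</button>\n'
        '</form>'
    )


def classify_submission(form, honeypot_value=""):
    """Return "ok" or the reason a POST was rejected. form maps field name -> value.

    honeypot_value="" is kolin's check (field must come back empty); a non-empty
    value is rocknbil's variant (field is pre-filled and must come back unchanged)."""
    posted = set(form)
    if posted & REMOVED_FIELDS:
        return "posted_removed_field"   # thecoalman's mod: stock field we no longer render
    if not REAL_FIELDS <= posted:
        return "missing_fields"         # stock names posted blind, without loading the form
    if HONEYPOT_FIELD not in posted:
        return "missing_honeypot"       # the form was not what we served either
    got = str(form[HONEYPOT_FIELD]).encode()
    if honeypot_value == "":
        return "ok" if got == b"" else "honeypot_filled"
    if not hmac.compare_digest(got, honeypot_value.encode()):
        return "honeypot_tampered"
    return "ok"
```

Run `classify_submission` before any credential check or IP ban is applied, and treat a honeypot hit as "discard the submission" rather than "ban the address" unless the rest of the thread's thresholds are also met, since a human with a browser extension that autofills every visible field can trip it once.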