Can you expand on that? A separate honey pot sign up page invisible to real users, or something else?

You add "hidden" inputs to your HTML form that are named like "First Name" or "Family Name". Bots will fill them out. You will either expect them to be empty or you fill by JavaScript with sth you expect. It's of course reverse-engineerable, but does the trick.

Doesn't that break password manager autofill?

Thanks, I’ve seen scripted attacks bypass this sort of hidden input unfortunately (perhaps human assisted or perhaps just ignoring hidden fields).

They often do actually ignore truly hidden fields (input type=hidden) but if you put them "behind" an element with css, or extremely small but still rendered, many get caught. It's similar to the cheeky prompt injection attacks people did/do against LLMs.

Thanks.

Sure, it's really basic of course.

Watch out, it may break accessibility of your service. If somebody fills these fields I would add extra verification e.g. accessible CAPTCHA.

Do you test this against password managers? Seems like this approach could generate false positives