Should We Kill the CAPTCHA?

on 26th July 2012 with 62 Comments

Do you like CAPTCHAs? Don’t lie, of course you don’t. On a fun scale, you rank them right up there with dentists and IRS agents. However, as an intelligent web designer or developer you understand that they are a necessary annoyance.

But wait, are they really? Given the collective talent and intelligence of the web design community, is a fuzzy string of letters really the best that we can come up with? If users hate these things so much, why not come up with something new? Let’s explore this idea and see if we can inject some fresh ideas into the conversation.

Are CAPTCHAs Evil?

We’ve all been there before. You’re trying to log into a website or fill out a form and you’re thrown a piece of text that looks like it was hit by a tornado and informed that you have to decipher it in order to go any further.

Some people pretend that they don’t really mind this “necessary” step, but others turn green and go into a flat out Hulk rage at the mere sight of one of these evil gateways. And for good reason, just look at the screenshot below! In prepping for this article, I went to a site that contains a CAPTCHA that I wrestle with frequently. I kid you not, this is what I found right away:

screenshot

Is that not the best CAPTCHA you’ve ever seen? The first part is pretty garbled, but I could probably guess my way through it. The second part though is almost entirely outside of the visible frame! Wondering how often this happens, I hit the refresh button twice and came up with another gem:

screenshot

I’m not just being a jerk here, these are literally impossible to pass. On the occasions when the blasted thing managed to get all of the letters inside of the window, I would get something like this:

screenshot

Easy right? So that’s “a-t-u-t… ummm… t-e-r-i?” I feel like a nearsighted kid at the optometrist making haphazard guesses at the letters across the room. Only there’s no courtesy piece of candy granted to me at the end of this traumatic experience.

For the sake of one last laugh, a friend of mine claims to have encountered this awesome CAPTCHA a few days ago. Apparently we’ve moved past simple words and into complex equations!

screenshot

Not All Bad

To be fair, CAPTCHAs aren’t really evil. They serve a very valuable purpose. Spam is the real terror at work here and CAPTCHAs are merely the best way we can think up to prevent it.

You see, there are these clever bastards out there that dream up ways to make the world worse and in doing so they invent spam bots that crawl all over the web and generally muck things up. With CAPTCHAs, we have a supposedly simple way to make sure that users are in fact humans and not blood-sucking spam demons.

Some CAPTCHAs even go further than that and make an attempt to further the world through humanitarian pursuits. For instance, the CAPTCHAs above are a specific breed known as a “reCAPTCHA.” These CAPTCHAs actually use people as OCR scanners. As you answer the CAPTCHA, you’re helping to turn scanned books into live digital text, a noble pursuit that helps the written treasures of the past live on in the digital age.

Is This The Best We Can Do?

It’s easy to complain when we encounter annoyances like CAPTCHAs online, especially if we fail to consider the valuable function they’re performing. However, it’s not valuable to whine just for the sake of getting it off your chest. Sure, you can say that someone’s solution to a problem sucks, but can you come up with something better?

I honestly believe we can. The CAPTCHA is a great idea in theory, but in practice it sucks and we all hate it when we encounter one. Unfortunately, it seems to be the spam prevention method that the web development community has settled on. They’re extremely popular and I have seen almost no one making any solid suggestions for how to move on to something else.

Alternative Ideas

My problem is not necessarily that the CAPTCHA exists, or even that it’s popular, it’s that we don’t seem to be innovating around it. Great idea folks, but let’s move onto something that sucks a little less shall we?

In light of this, I’d like to start a discussion on some alternatives that might be a little easier on a user’s state of mental health. The following are some basic ideas that come to mind.

Random Trivia Question

Why not just ask users a question? It shouldn’t be some difficult Trivial Pursuit head scratcher but a simple query that virtually anyone who can read that language can answer with little to no effort. Here’s an example:

screenshot

This is much easier to deal with than the messed up atrocities of usability that we saw above. Granted, this is a simplified example that might be possible for a computer to parse on its own (Wolfram Alpha didn’t pass my test), but I’m sure you can come up with some better questions. If every CAPTCHA presents questions like this at random, it’ll be difficult for the spam hell hounds to keep up.

Multiple Choice Image Question

The current CAPTCHA system essentially just asks you a question about an image, so let’s run with that idea, but in a different direction that doesn’t make you want to pour Mountain Dew all over your keyboard just to watch it die. Here’s a quick example that I cooked up using a multiple choice format:

screenshot

photo source: Cristian Ghe

As you can see, this is an extremely easy question for a human to answer correctly. Even young children can ace this test. However, programming a computer to interpret the image is much trickier. You could make it even more difficult by using a really abstract representation of an object, perhaps a sketch or some cartoony clipart.

Simple Image Question

If you don’t like the multiple choice route for some reason, scrap it! We can still use simple images to create questions for users to answer. The example below shows how this could be done:

screenshot

photo source: keepon

How many bananas? Three of course! It’s that simple. The great thing about this format is that you could have a bunch of different questions for the same image and the spam bot would never know which one is coming. How many bananas? Does the photo above contain any oranges?

You could get really creative and ask about the nature of the image: Photograph or crayon drawing? The possibilities are endless and they’re almost all easier than deciphering the examples we saw earlier in this article.

Arbitrary Instruction

Let’s drop the image ideas for a second and go back to exploring our plain text options. What if we just gave the user a random series of instructions to carry out?

screenshot

Yet again, this is very easy for a human to do but a bot would quickly become confused. Even if you increased the complexity a little here, you’d still be well in the range of something that can be done quickly and easily.

A Note on Accessibility

Obviously, as with all CAPTCHAs, these ideas would need to be tweaked and improved so that the seeing and visually impaired would have options to pursue as well.

How Would You Make a Better CAPTCHA?

I’m just riffing here, I’m not remotely a security expert. It could be that all of these ideas are horrible, and that’s great! Give me some better ones! All I’m seeking to show is that we can and should be moving on past the annoying solution that our users hate by developing alternative methods that are easier, more fun and just as effective.

Now that you’ve seen some of my crazy ideas for killing the CAPTCHA and beating spam bots, I want to hear yours! Maybe you want to make CAPTCHAs fun and turn them into a game, or eliminate them completely in favor of some other type of security measure. Speak up and make the web suck less.

Comments & Discussion

62 Comments

  • http://www.twitter.com/MrSpijker MrSpijker

    You could introduce minigames, if the content of the website allows such interactivity of course.

    I’m not talking about completing stage one of mario or getting a knife kill by playing in a HTML5 version of counterstrike.
    Really simple things like: jump for the coin. The action required would then be: “one tap on the right arrow key -> jump”.

    Now this is only for a very select audience. Ing, maybe graphic design sites.
    So it would not be a global solution.

    It would, however, give a better user experience than digitalizing books.

    And I don’t know if it is available yet but the captcha we are using today should have a user-friendly style/skinning option.
    Beautiful pages tend to get raped by the captcha box.

  • Vesa M

    2010 BBC decided not to use captcha with BBC id. Sure they need to serve very wide audience and the problems described in their blog entry describe problems met by special groups. http://www.bbc.co.uk/blogs/bbcinternet/2010/10/captcha_and_bbc_id.html
    Perhaps they need only half of the staff required to answer the angry calls to remove spam?

    I have found that regular people struggle with almost any kind of extra task to ensure that they are human. Specially the random trivia questions seem to be problematic as in some languages the format of the correct answer varies a lot.

    The best complaints/spam ratio so far has been achieved with changing form fields that are hidden from the user’s eyes but lure bots to enter some text (thus invalidating the form).

  • Nights

    You realise you don’t have to type both words in, just the one in the particular font, right? From the top down: “buteoul “, ” skeythey”, and so on.

  • NZ

    Easiest way out – Are you a spammer? Click here…and the window closes.

  • http://www.albruna.nl Martin

    I’ll go honeypot all the way. No better solution and no issues with folks struggling with any form of captcha.

  • Ted Mcconnell

    Solve Media fixed this problem

  • http://www.xoyaz.com coyr

    Internet users (globally) know very well how to use a CAPTCHA. They know they should write the same letters. They do this without thinking because it’s a habit. It’s not required to read or know a specific language to use it. I think a better solution must include this feature.

  • http://atomware.deviantart.com Artis
  • http://www.bobwp.com Bob

    Yeah, as much as I hate them myself, and curse them, I do use it on my contact form. I avoid it like the plague in blog comments.

    Honestly there are some decent ideas in your post and I would be open to other options. But for now, CAPTCHA will do the trick.

    BTW, have you ever listened to the audio option? Wow, sounds like other worldly beings mumbling together in some horror flick.

  • Jennifer
  • Sebastian

    I like honeypot, with an added js that changes a hidden value or something. If you don’t have js you get another step where you have to confirm you are human. Most bots don’t use sessions so this seems to work perfect on the 1300 sites we have running this method.

  • http://www.twitter.com/MrSpijker MrSpijker

    Content aware questions also seem like a good idea.
    Although simple questions like:”is fire hot or cold” also tend to do the trick.

    As mentioned in my first post I like the idea of creative or interactive actions but I fear that the percentage of ‘leaving users’ would go up.
    Since in this case the game or action -difficulty would be quite subjective to the creator or administrator.

    The drag and drop is quite fine but overall I would like to see the captcha box modified to see it fit in its content (even though it diminishes the recogniseability).

  • http://www.confidenttechnologies.com CTISN

    Here’s another take on the picture-based alternative to CAPTCHAs: http://www.confidenttechnologies.com/products/confident-captcha

    It displays a grid of random pictures and asks the user to click on a specific picture (i.e. “Click on the dog”). The benefit is that it has an extremely large and dynamic database of images which makes it more difficult for bots to break.

  • Reid

    Check out Are You a Human (www.areyouahuman.com). Play a quick, fun game instead of that awful squiggly text.

    Disclaimer, I’m a founder of the company so of course am a bit biased. Would be happy to answer questions

  • http://www.thedroidgeeks.com/ John Bash

    Instead of CAPTCHA, I will opt for “Random Trivia Question”. Its all fun in answering those silly questions and I like it that way.

  • Ian Cohen

    Reid–you guys were hacked out of the gate, it appears. Security is no game, Sir. Reference: http://hackaday.com/2012/05/25/captcha-bot-beats-new-are-you-a-human-playthru-game/

  • http://alexsmolen.com Alex Smolen

    Any CAPTCHA that can’t be automatically generated, with a solution and by the billions, needs to have more human classifiers than the attacker, which doesn’t scale for sites targeted by motivated attackers.

    Even if the CAPTCHA can be automatically generated, it needs to leverage a simple advantage that humans have over computers, like garbled character recognition, that doesn’t yield easily to machine learning.

    And, if you manage to do that, you still have mechanical turk-style solvers that will bring the cost to solve to pennies per hundred.

    One approach to the problem that CAPTCHA attempts to solve is to make it economically unfeasible for an attacker to perform an action repeatedly. Proving you have access to a cell phone, or a credit card, or something that’s difficult to produce in bulk, is less annoying and more secure than a CAPTCHA, albeit with its own set of challenges.

  • Howard Katz

    What about the problem where hordes of worker bees offshore are paid 1 cent or 5 cents or whatever to decipher these things? None of the schemes above solve that particular problem, do they?

  • http://elevatesem.com Sal Hakim

    It’s true, the CAPTCHA is annoying and there are many times I think to myself “really right now.” I like the other ideas of simple math images which I think is a much better verification method. I also have seen where you can drag and drop images for e.g., Math equation 2+1 Please drag and drop 3 marbles to verify.

  • http://lumosphotography.com Jeff Farmer

    I briefly thought the answer to your proposed “random trivia question” was the letter “i”. Which letter comes after “C” and before “E”? Well, of course that would be the letter “i”… but wait… no… that would be “i before e, except after c”… hmmm… what else could it be?…

  • Mark

    The website http://www.yourtaxvote.com (currently in Alpha stage) does exactly this.

  • http://www.moisesgarcia.es Moises Garcia

    I have been using for 2 months a really simple solution, which doesn’t interfere with human input. And it’s to use CSS. Let me explain.
    You have a form with several inputs, one of them will be the one you check if a robot has filled it or not.
    You hide that input with CSS (display:none) and onSubmit, when you check the vars sent to the server, if you are a human, that input should be empty, because a human is using a browser to fill in the form. Just in case, that input text has some value, you can be certain it was a robot, because robots, scan the code and fill out all input forms they can and they don’t render CSS.

    What do you think?

  • http://webdesignershost.com Web designer hosting

    I think Captcha is not the problem as a concept
    but the way it is being implemented In ReCaptcha.
    There are many reasonable Captchas systems that you can easily figure out the words – But ReCaptcha is so difficult I mostly refresh about 20 times till I get something readable.

  • KW

    Anything image-based is HELL for people who use screenreaders.

  • http://paulkragthorpe.com Paul Kragthorpe

    @Moises Garcia – I do the same. When you decide on a hidden entry to use, use a common name for it. Bots are likely looking for “name, address, url, email, phone…etc” fields. If you put the hidden value in and call it “bots_suck”, they may not fill it out. You follow? address2 works well, as a lot of sites put a 2nd field in for address. If you don’t need it, use it as your spam blocker ;) It’s been working very well so far for us.

  • http://www.lirullu.com Elya

    I think there definitely could be better options. We are currently working on the new type of CAPTCHA called Lirullu (www.lirullu.com). We made it touch screen friendly and brought an unobtrusive commercial element. It would be great to hear your feedback at project.lirullu.feedback [at} gmail.com. It is not available to install just yet, so feedback is still timely :) Thanks and drop us a line!

  • http://www.maliamallory.com Malia Mallory

    I like your suggestions. I’ve actually seen some of these recently that are advertisements. To answer, you have to type in the slogan shown in the ad. Though I can see it was someone’s idea of genius marketing, it backfired because it was so annoying.

  • Kimin Nesi

    You do realize that RECAPTCHA’s aren’t there just to do a “are you human” test right? They also help translate the world of print to typed words. Each word you see on there was a word from a book that the translator software could not figure out because of an ink smudge or really old book copy or whatever other reason and with each word you type you help make another book digital. I don’t exactly remember the numbers but there have been MANY books digitalized thanks to RECAPTCHA. All those books you read on google books use RECAPTCHA data. Sadly I don’t see any other ideas in the article or in the comments that does more than just test if the user is a computer or a human and step into trying to teach computers more.

  • Kimin Nesi

    You do realize that RECAPTCHA’s aren’t there just to do a “are you human” test right? They also help translate the world of print to typed words. Each word you see on there was a word from a book that the translator software could not figure out because of an ink smudge or really old book copy or whatever other reason and with each word you type you help make another book digital. I don’t exactly remember the numbers but there have been MANY books digitalized thanks to RECAPTCHA. All those books you read on google books use RECAPTCHA data. Sadly I don’t see any other ideas in the article or in the comments that does more than just test if the user is a computer or a human and step into trying to teach computers more.

  • Kimin Nesi

    You do realize that RECAPTCHA’s aren’t there just to do a “are you human” test right? They also help translate the world of print to typed words. Each word you see on there was a word from a book that the translator software could not figure out because of an ink smudge or really old book copy or whatever other reason and with each word you type you help make another book digital. I don’t exactly remember the numbers but there have been MANY books digitalized thanks to RECAPTCHA. All those books you read on google books use RECAPTCHA data. Sadly I don’t see any other ideas in the article or in the comments that does more than just test if the user is a computer or a human and step into trying to teach computers more.

    I feel like you should have done more research before you decided to write a whole article on the issue.

  • Kimin Nesi

    You do realize that RECAPTCHA’s aren’t there just to do a “are you human” test right? They also help translate the world of print to typed words. Each word you see on there was a word from a book that the translator software could not figure out because of an ink smudge or really old book copy or whatever other reason and with each word you type you help make another book digital. I don’t exactly remember the numbers but there have been MANY books digitalized thanks to RECAPTCHA. All those books you read on google books use RECAPTCHA data. Sadly I don’t see any other ideas in the article or in the comments that does more than just test if the user is a computer or a human and step into trying to teach computers more.

    I usually love the articles on this website but I feel like you should have done more research before you decided to write a whole article on the issue.

  • http://www.lyntourism.co.uk Malcolm New

    I agree with Web designer hosting. There is no excuse for these unreadable captchas. I have used the idea but never asked people to read what is unreadable.

  • http://captchamonster.com/ Captcha Monster

    The truth is that a majority of CAPTCHA images are no barrier to spammers. They only prevent visually impaired people from commenting blogs or signing up with websites. However, there’re solutions for them such as Captcha Monster, Rumola or Webvisum which are browser extensions solving CAPTCHAs automatically.

  • Miguel Costa

    Hello guys, I stopped using the normal captchas after finding the visual captcha:
    http://www.binpress.com/app/visualcaptcha/467

  • Dominic

    Kimin Nesi, before you criticise an article for not mentioning that recaptchas act as proofreaders for scanned books, perhaps you should read the article for yourself? Had you read it you would have seen that the article did mention this.

    With regards to Captchas, the easiest solution is not to follow the herd. If you implement your own system, no matter how simple, then unless your site is hugely popular, it will flummox just about any spambot which is searching for specific code patterns that exist in captchas etc.

  • http://areyouahuman.com Reid

    Josh Bash, that was a demo game on our site, not a live implementation. Beyond that, we have a very flexible algorithm that takes in any new bot data and filters it out. While this user did not “break” us, had he, we would be able to quickly react and nullify the issue. Check out our post on how our security works http://areyouahuman.com/how-playthru-stops-the-bots

    That’s a big plus over CAPTCHA. The only way to make it more secure is to make the task harder for you and I.

  • http://higg.in/ David Higgins

    As you discussed, there are alternatives. The title on this post should really be “Is Re-captcha evil?”

    As a long time veteran on Re-captcha solving, I’ve found there is a bit of lee-way in Re-Captcha, in that, if some characters are so obfuscated, that it would be impossible to solve, then *don’t* attempt to type them in.

    There are two letter-groups in Re-Captcha: Scanned, and Generated.

    The generated ones tend to be just ‘noise’ in the captcha, and don’t need to be solved.

    The scanned ones are usually legible enough to be solved. These are usually snippets from books, and I feel a certain satisfaction completing these, because I help digitize books in the process.

    By Lee-Way, I mean completed Re-Captchas don’t have to be perfect. Often times, I would just mash the keyboard, and the Recaptcha got solved.

  • http://www.beyondhyper.com Derick

    If you said honey pot method, I’m with you. Any time we ask the user to verify it is them, we are putting the onus on them to make sure we don’t get any spam. I have also heard that Gravity forms has integrated Akismet support to reduce spam. So there are good alternatives to CAPTCHA and the other games. It’s great that reCaptcha is using the efforts to convert books to digital, but it still is a terrible experience for the user.

  • Muf

    Okay maybe you should have gone here before you should have gone here. no, seriously!
    Hardest Captchas ever.
    http://random.irb.hr/signup.php

  • AntoxaGray

    I find it ironic that sites using captchas and still have spam problem.

  • http://livingthecreativelife.blogspot.com/ Jennifer M.

    I love your idea of using photographs with ever-changing questions about them. That would work so much better than our current system of captchas! Just last night I was banging my head against the wall trying to figure out a captcha so I could comment on a blog. Some of them were just showing up as a bent line – not even a number/letter!?!? So weird.

  • http://magdoub.com Mahmoud El-Magdoub

    Great Article :) Yes we should kill it and burn it to the ground

  • http://plastical.com Ryan Vannin

    We solved the problem with a rather different approach. We posted about it http://pla.li/l
    Our solution simply works: we never got a spam message in 2 years…

  • http://cekwa.com Soul

    The better captcha is random names attributs which move.

  • rick

    And what if the visitor doesn’t speak english? Captchas are neutral

  • mexxanit

    This video is about captcha with a new idea. I like it.
    I think sentences could be more specific…

    http://www.youtube.com/watch?v=e4mNDjWa5NA

  • http://www.c64.sk CreaMD

    Ryan Vannin – I use the same idea at c64.sk it also works on copy paste human spammers, which was my intention. There are also other things added like blacklist etc. I have never used captcha on any of my sites I rather spent time thinking about ways of detecting bots from people on my side. It’s never 100% perfect, but I rather leave some work on owner of the site than giving people painful experience with the site.

  • Bas

    I stopped using captchas. The solution is quite simple: just add one field to your form which is hidden by your stylesheet. Users can’t see it and spam-bots just fill every field. So if you receive data in that field, you know it’s a spambot. Then just redirect the spambot to the thank-you page. ;)

  • Paddy

    Very interesting article. I love the “questions/answer” solution, came across it once or twice but not that often (questions such as simple maths operations, “1 + 1×2 = ?”, found this quite nice a solution).

    I like the solution of @moisesgarcia though (hidden css field with a common name), think I’ll give it a try next time I need to implement a form.

  • http://marcogomes.com Marco Gomes

    Hi,

    I like your intention of changing the captchas to something easier to solve, but even they are still “captchas”. And captchas are useless.

    Captchas are not a “necessary evil”, they are just evil, plain and simple evil. Take image captchas for example, they are completely cryptic for blind people, and I have a couple close friends that are blind and use the web very well, except in captcha websites :P

    Researches show that captchas are not even doing their job, they don’t block all bots or spammers, so, why keep using them?

    Captchas are the excuse of lazy programmers to delegate to users what is their own job. Keep the system secure is developer’s job, so, don’t delegate that to the user.

    Here a portuguese text about the subject: http://acessodigital.net/art_captcha-heroi-ou-vilao.html

  • Emanuele

    One of the best solutions i ever try is keypic, that substitute the captcha with advertise.

  • http://accessibleweb.eu Richard

    As has been pointed out – accessibility is a big issue here, firstly ensuring that anything visual is duplicated in a text form, secondly making sure of keyboard accessibility (difficult for drag and drop solutions and games) and thirdly needing to be simple enough to complete.

    Liked Jeff Farmer’s comment about i before e except after c – it is a stupid rule in English though – it was drummed into at primary school but I don’t ever remember them saying about exceptions or more complex versions of the rule. For example the rule can’t apply to “weight”, “fancier”, or “weir” which sounds exactly like the beginning of “wierd”

  • http://www.urticaria.com/app/chronic_urticaria.asp urticaria

    CAPTCHA is abbreviated as “Completely Automated Public Turing test to tell Computers and Humans Apart”. CAPTCHA is basically a program that can tell whether its user is a human or a computer. They are colorful images with distorted text at the bottom of Web registration forms in many web application development websites. CAPTCHA are used by many websites to avoid abuse from “bots,” or automated programs or Scripts generally written to generate spam. These distorted images can be read only by humans and not computer generated programs, and hence bots cannot navigate sites protected by CAPTCHA. Some kinds of bots are harmful when attacked a web site.

  • Emanuele

    Sorry i have not provided the link http://keypic.com

  • http://katemats.com Kate Matsudaira

    I love the creative ideas you laid out in this post for avoiding the headaches of captchas. Your take is so fresh and interesting – thanks for the great article!

    - Kate

  • http://www.masterrooter.com boise plumber

    Captchas can provide good protection even though they are a royal pain in the you know what, also they help Google with their categorical of the digital books. So overall I think it’s worth keeping.

  • http://www.katiekirkland.com Katie

    My website uses one that is a simple math problem (ie 7 + 4 = ?). I’ve also seen one that lets you slide a button like on a smart phone.

  • http://Ificould Just

    spam sory

  • http://Ificould Just

    spam spaw spam spaw

  • http://Ificould.com Just

    spam spaw spam spaw
    Nw its sayin duplicate content detected really

  • http://Ificould.com Just

    I think am spammin nw
    sory curiosity jus couldn’t resist
    anyway am not a bot

  • http://Ificould.com Just

    spam spaw spam spaw okay dis is the last one
    hw cme someone posted the same comment 4 tymz
