Why CAPTCHA Sucks and What to do About it

February 9th, 2009

CAPTCHA

CAPTCHA, as you probably know is used to check that a form was submitted by a human, not an evil-plotting computer. It generally takes the form of typing in some barely-legible characters shown in an image. And it sucks.

Why it sucks

Obviously they’re hard to read – that’s kinda the point – I get them ‘wrong’ regularly and I’ve got 20/20 vision. To me, they’re a pain in the arse – but to anyone suffering from visual impairments, they’re a total brick wall. Sure, some come with audio alternatives, but these have been found to be even less successful.

There are some seemingly more accessible alternatives cropping up, like ’2 + 5 =’, spot the odd one out, or other basic logic problems, but are these really any better? OK we’re no longer alienating our visually impaired audience but what about those with learning difficulties or cognitive disabilities? Even if that is a small group being affected, it’s all of us that have to put up with it. Whatever happened to the first rule of usability: Don’t Make Me Think!

The simple fact is that these irritations drive people away from your site, and ultimately cost you money! I’ve abandoned registrations and purchases before because of impossible CAPTCHAs and I’m sure I’m not alone.

What to do about it

Well for starters let’s minimise where they’re used. Not every form needs one! Before you implement a CAPTCHA system think about whether it would really be a problem if it was a computer filling in the form – how much would it really matter if a bot signed up to your mailing list?

It’s important to think about why you don’t want bots to submit your form and if there are other ways to go about it. For example:

  • Trying to prevent DOS attacks? Then limit CAPTCHA to when the server is above a certain load level
  • Want to avoid comment spam? – Askimet or Spam Karma can filter out most of it for you
  • Don’t want a screen-scraper pillaging your data? At least let visitors have the first few – most likely legitimate – requests without CAPTCHA, and then hit them with it if they keep on accessing data rapidly.

Not again!

One of the things that annoys me the most is when the same site makes me prove I’m still as human as I was a minute earlier! The worst cases being forms validated server side which return an error saying I missed a field or something and then insist I fill in the CAPTCHA again – I just did it! Why do I need to do it again?

Likewise, if I completed a CAPTCHA on registration, then why should I have to do one every time I post a comment? At least leave me alone until I do something bot-like!

And that’s the important thing to remember here – there are other bot-like characteristics apart from not being able to read text from an image. With this in mind perhaps we can avoid CAPTCHA altogether…

Let’s think about how else we can identify bots without having to resort to CAPTCHA:

  • Do fields hidden off-screen still get filled in
  • Is the form filled in in seconds?
  • Do they not have JavaScript enabled?
  • Does Askimet mark it as spam
  • Did their submission contain an unusual amount of URLs?

Now, I don’t think the first two points can be entirely relied upon because automated form-fillers, such as RoboForm or Google Toolbar‘s Autofill feature, will still fill in hidden forms and mean a registration form can be completed in seconds. Screen-readers would also fall into the trap of reading these out and thus they would get filled in. As such, I wouldn’t suggest relying entirely on these criteria to identify spammers, but perhaps each point could be assigned a weighting, and a high enough score could trigger a CAPTCHA request. This way, most of your users will be treated to a nice, simple and accessible form, with CAPTCHA reserved for the odd few whose behaviour is flagged as suspicious.

22 Responses to “Why CAPTCHA Sucks and What to do About it”

  1. Asrar says:

    I hate captchas, especially when they use zeros and ones.. because I can never tell if are zeros or the letter “o”, or if it’s a 1 or a lowercase “L”..

  2. jo wilburn says:

    I can’ t send e-mail without completing the captcha test for each one,To much work. What is the solution…

  3. [...] basically everyone knows that captchas are a real, real bad idea. If you’re wondering why.. here’s why in [...]

  4. barney says:

    Captcha is evil, and a conspiracy created by the Illuminati/

  5. Anyon says:

    I don’t like Captcha, especially when it fails after the 5th time I type it in. I even use the refresh image button to make sure I have the right image up. I get fed up when after 5 times it still says it’s wrong. I am going to boycott sites that use Captcha at inappropriate times, or if I have to use it more than 2 times a visit. (And even that is still to much for my taste.)

  6. Jose says:

    I despise CAPTCHA. Yahoo uses it and all that tells me is that Yahoo discriminates against dyslexics. Clearly they hate me. So I use a different provider now. yahoo was on the way down anyway.

  7. Jono says:

    recaptcha is just as terrible as any other captcha, if not worse since they go so far to say “stop spam read books” then expect ppl to translate words (i use the term lightly) such as ‘lobo’ ‘fibights’ and ‘sidfForms’ – all of which appear to be scribbled on by a 2 year old with a crayon. So they have said to hell with thier very slogan and merely endeavored to make life harder.

    Im guessing ppl who adore and thump captcha’s like the end of the world are doing well and dont really need any online business. Makes you wonder why have a website at all if they dont want e-customers? /shrug

  8. I agree actually Jono. Since I first wrote this post recapcha seem to have run out of words and now present you with upside-down illegible hieroglyphics. Best avoided!

  9. john says:

    Captcha got even worst because now they have included foreign punctuation marks and lines through the words. The fact this has occurred along mostly likely indicates captcha fails along with your advice on a 5 layer spam filter also probably indicates that website developers do a very poor job of blocking spam.
    Not that I guess it’s really fair to blame you because it’s not simply web forms but the entire internet which has become inundated with spam. The average search on bing/google produces ehow,ezine,maholol,yahoo answers, wiki, top10sites, et cetra. 90 percent of searches result in spam sites that provide almost no useful information. The internet now reminds me of a typical street in the Bronx lined with pawn shops, cash checking centers and trash.

  10. el Presidente says:

    Well, as is the case with almost everything human, the reason of the annoyance you experience, in particular with reCAPTCHA (the one with the two word verification), is … what else, MONEY.
    When you type the two words, ONLY ONE is used for verification, and the other is a service you unknowingly and unwillingly provide FOR FREE, because what you are really doing is helping them to electronically type scanned words of real life books in the process of being made into e-books! The words that the scanning technology can’t recognize and save as typeface automatically, they put into the CAPTCHA for you to oblige!
    Since you typed correctly the other word (usually a non-existing one), they “take your word” for the other to be correct as well, and store it to their data base.
    So,FOOL THEM!
    Write the non existing word correctly, and instead of the other word (or numeral, or math-type, or non-English type), insert whatever you like: 40 letters long gibberish, offending words, the good old “CAPTCHAsucks!”, or, if you’re in a hurry, just a plain dot (or any single letter) will do. Just make sure that the two words are separated by a space, (and don’t use any other spaces in your gibberish)
    Try it!

  11. Chris Ivey says:

    I agree that CAPTCHAs are overused. Some people are getting smart about handling registration and comment spam, (I like the Disqus solution), but in some cases you absolutely need a reverse Turing test.

    I developed a prototype system based on the semantic associations humans intuit between objects, and eventually we evolved a product, now in beta called “VouchSafe”. I would be interested in your reaction and comments.

  12. amar says:

    I wish they would come up with an easier to comprehend verification. Captcha sometimes feels like SAT once again.

  13. Max says:

    I have 3 very busy sites for comments and none use any form of capture. We get zero spam bot posts and very few garbage posts as the content is heavily filtered. There is only one downside, you cant post at my sites without javascript and cookies enabled. There are no friendly messages except for valid email, if your post does not pass filtering we make you think it has. The idea behind our filtering is that genuine posters get it right fist time and those with alcohol on their breath make mistakes.
    The internet is awash with keyboard warriors angry people and dumb kids. Applying filters that are tailored to your sites content are essential to keeping the important visitors happy.
    Any site that hits me with a Captcha I cant read gets itself on the no go list. I don’t waste a minute of my time trying to identify distorted characters that are made worse by me having to wear reading glasses.

  14. Glenroy says:

    i don’t understand how site owners haven’t realized yet that Captcha is a turn off.
    I’ve given up trying to communicate with sites that use it.
    Most of the time I can,t read the damn thing!

  15. Owen says:

    Whoever invented Captcha should be shot

  16. David says:

    I think CAPTCHA is the most ignorant waste of time that ever hit the internet. Not to mention how immature, annoying and obnoxious it is. I hate having my time wasted like that.

  17. David says:

    PS I agree with Owen. Who ever invented CAPTCHA should be shot for being stupid.

  18. su says:

    I used to just loathe and despise captcha. But now I want to go on an active crusade against them. I was trying to leave a compliment for a firm and found I could not get past the captcha. This one was worse than any I had ever seen, so I started taking screen shots of the variations. They are now using *foreign language characters* that I even can’t FIND on my keyboard, blurry photos of house numbers, and EVEN using typographic ligatures (where two letters like “fl” are combined into one character). Using ligatures, meant to increase readability, as captcha is an Abomination in the Eyes of God.

  19. dubhaigh says:

    Just tried el presidente’s suggestion about the second word not been part of verification. It works. Now captcha is fun. Typing gibberish that will find its way into an ebook.

  20. Dave says:

    Your comment “One of the things that annoys me the most is when the same site makes me prove I’m still as human as I was a minute earlier! ”

    I HATE when You Tube does this. I get that I have commented a few times on a video. But if I put the CAPTCHA in once then accept that I am a HUMAN and let me make more comments without doing CAPTCHA over and over.

    But then again. You Tube sucks anyway.

  21. Mr Heavy says:

    Great sentiments.

    Hope you don’t mind my mentioning this but I have slight cataract – not enough to prevent driving (and I’m an exceptional pistol shot) and I’m an illustrator by profession. I find most captcha completely unreadable… I do mean _completely_. I’ve actually had to yake some images into Photoshop and tweak them to be able to fill in some forms. This is insane.

    Unfortunately I also find the colour scheme on this page means I can’t read it without zooming the text to about 500%.
    Yeah, I know it looks cool and it’s probably not helping that I’m using a Mac that’s colour-calibrated rather than set up for “snappy” visuals.
    Just a little more contrast – bring the text up a couple of values would probably fix it

    Sorry about that. For the record I also find Final Cut Pro tabs to be almost unreadable.

    back on topic I’ve just tried to use a free sms service to contact someone with one of these new-fangled pocket telephone apparatus things.
    £$%^& captcha fails every time, and apparently my number isn’t “valid.” tried their contact page. Guess what? Thassright, I can’t send in my errorReport because the £$%^&* captcha fails on the submit post form.

    I tried this in Firefox, Safari and Chromium, purged the ramdisk cache, rebooted everything. killed the firewalls – Zilchnet.

    Death to spammers!
    and now CAPTCH administrators.

    BTW the above URL with its crap typography and clip-art logo isn’t mine but nearly all the featured artwork _is_.

    –H

Add a comment