CAPTCHA

CAPTCHA, as you probably know is used to check that a form was submitted by a human, not an evil-plotting computer. It generally takes the form of typing in some barely-legible characters shown in an image. And it sucks.

Why it sucks

Obviously they’re hard to read – that’s kinda the point – I get them ‘wrong’ regularly and I’ve got 20/20 vision. To me, they’re a pain in the arse – but to anyone suffering from visual impairments, they’re a total brick wall. Sure, some come with audio alternatives, but these have been found to be even less successful.

There are some seemingly more accessible alternatives cropping up, like ‘2 + 5 =’, spot the odd one out, or other basic logic problems, but are these really any better? OK we’re no longer alienating our visually impaired audience but what about those with learning difficulties or cognitive disabilities? Even if that is a small group being affected, it’s all of us that have to put up with it. Whatever happened to the first rule of usability: Don’t Make Me Think!

The simple fact is that these irritations drive people away from your site, and ultimately cost you money! I’ve abandoned registrations and purchases before because of impossible CAPTCHAs and I’m sure I’m not alone.

What to do about it

Well for starters let’s minimise where they’re used. Not every form needs one! Before you implement a CAPTCHA system think about whether it would really be a problem if it was a computer filling in the form – how much would it really matter if a bot signed up to your mailing list?

It’s important to think about why you don’t want bots to submit your form and if there are other ways to go about it. For example?

• Trying to prevent DOS attacks? Then limit CAPTCHA to when the server is above a certain load level
• Want to avoid comment spam? – Askimet or Spam Karma can filter out most of it for you!
• Don’t want a screen-scraper pillaging your data? At least let them have the first few, most likely legal, requests without CAPTCHA then hit them with it if they keep on accessing data rapidly.

Not again!

One of the things that annoys me the most is when the same site makes me prove I’m still as human as I was a minute earlier! The worst cases being forms validated server side which return an error saying I missed a field or something and then insist I fill in the CAPTCHA again – I just did it! Why do I need to do it again?

Likewise, if I completed a CAPTCHA on registration, then why should I have to do one every time I post a comment? At least leave me alone until I do something bot-like!

And that’s the important thing to remember here – there are other bot-like characteristics apart from not being able to read text from an image. With this in mind perhaps we can avoid CAPTCHA altogether…

György Fekete has come up with a 5 Layer Spam Filter that uses some cunning techniques to identify bots without having to resort to CAPTCHA:

• Do fields hidden off-screen still get filled in
• Is the form filled in in seconds?
• Do they not have JavaScript enabled?
• Does Askimet mark it as spam

Now, I don’t think the first two points can be entirely relied upon because automated form-fillers, such as RoboForm or Google Toolbar’s Autofill feature, will still fill in hidden forms and mean a registration form can be completed in seconds. Screen-readers would also fall into the trap of reading these out and thus they would get filled in. As such, I wouldn’t suggest relying entirely on these criteria to identify spammers, but perhaps each point could be assigned a weighting, and a high enough score could trigger a CAPTCHA request. This way, most of your users will be treated to a nice, simple and accessible form, with CAPTCHA reserved for the odd few whose behaviour is flagged as suspicious.

So maybe there is a need for CAPTCHA at time, in those situations where you really do need to use CAPTCHA, at least bring something positive out of it and use reCAPTCHA which helps digitize books where OCR can’t. Then I might just let you off…