Web Posts:

Why CAPTCHA Sucks and What to do About it

Monday, February 9th, 2009

CAPTCHA

CAPTCHA, as you probably know is used to check that a form was submitted by a human, not an evil-plotting computer. It generally takes the form of typing in some barely-legible characters shown in an image. And it sucks.

Why it sucks

Obviously they’re hard to read – that’s kinda the point – I get them ‘wrong’ regularly and I’ve got 20/20 vision. To me, they’re a pain in the arse – but to anyone suffering from visual impairments, they’re a total brick wall. Sure, some come with audio alternatives, but these have been found to be even less successful.

There are some seemingly more accessible alternatives cropping up, like ’2 + 5 =’, spot the odd one out, or other basic logic problems, but are these really any better? OK we’re no longer alienating our visually impaired audience but what about those with learning difficulties or cognitive disabilities? Even if that is a small group being affected, it’s all of us that have to put up with it. Whatever happened to the first rule of usability: Don’t Make Me Think!

The simple fact is that these irritations drive people away from your site, and ultimately cost you money! I’ve abandoned registrations and purchases before because of impossible CAPTCHAs and I’m sure I’m not alone.

What to do about it

Well for starters let’s minimise where they’re used. Not every form needs one! Before you implement a CAPTCHA system think about whether it would really be a problem if it was a computer filling in the form – how much would it really matter if a bot signed up to your mailing list?

It’s important to think about why you don’t want bots to submit your form and if there are other ways to go about it. For example:

Trying to prevent DOS attacks? Then limit CAPTCHA to when the server is above a certain load level
Want to avoid comment spam? – Askimet or Spam Karma can filter out most of it for you
Don’t want a screen-scraper pillaging your data? At least let visitors have the first few – most likely legitimate – requests without CAPTCHA, and then hit them with it if they keep on accessing data rapidly.

Not again!

One of the things that annoys me the most is when the same site makes me prove I’m still as human as I was a minute earlier! The worst cases being forms validated server side which return an error saying I missed a field or something and then insist I fill in the CAPTCHA again – I just did it! Why do I need to do it again?

Likewise, if I completed a CAPTCHA on registration, then why should I have to do one every time I post a comment? At least leave me alone until I do something bot-like!

And that’s the important thing to remember here – there are other bot-like characteristics apart from not being able to read text from an image. With this in mind perhaps we can avoid CAPTCHA altogether…

Let’s think about how else we can identify bots without having to resort to CAPTCHA:

Do fields hidden off-screen still get filled in
Is the form filled in in seconds?
Do they not have JavaScript enabled?
Does Askimet mark it as spam
Did their submission contain an unusual amount of URLs?

Now, I don’t think the first two points can be entirely relied upon because automated form-fillers, such as RoboForm or Google Toolbar‘s Autofill feature, will still fill in hidden forms and mean a registration form can be completed in seconds. Screen-readers would also fall into the trap of reading these out and thus they would get filled in. As such, I wouldn’t suggest relying entirely on these criteria to identify spammers, but perhaps each point could be assigned a weighting, and a high enough score could trigger a CAPTCHA request. This way, most of your users will be treated to a nice, simple and accessible form, with CAPTCHA reserved for the odd few whose behaviour is flagged as suspicious.

Posted in Web | 12 Comments »

When the Internet was all fields…

Monday, January 26th, 2009

I’ve just finished reading Donald Norman’s The Design of Everyday Things, a fascinating study of user-centered design from 1988, and was particularly amused by the following prognosis of what was to become the web:

“So, what do you think of hypertext? Imagine trying to write something using it. The extra freedom also poses extra requirements. If hypertext really becomes available, especially in fancy versions now being talked about – where words, sounds, video, computer graphics, simulations and more are all available at the touch of the screen – well, it is hard to imagine anyone capable of preparing the material. It will take teams of people. I predict that there will be much experimentation, and much failure…“

He wasn’t far off at all – there has been much experimentation, there has been much failure and there’s been a fair bit of fanciness. What’s really remarkable though, is where he wasn’t quote right – it doesn’t take a team of people (though a range of specialists will always be an advantage) – there are plenty of great web applications out there created by single developers.

Still, baring in mind this prediction was made about the time Bill Gates was supposedly telling us we wouldn’t need more than 640k of RAM – it’s not bad at all.

Posted in Web | No Comments »

How can I sign in when I don’t know who I am…?

Friday, January 16th, 2009

In a recent article, Jared Spool explained�How Changing a Button Increased a Site’s Annual Revenues by $300 Million. The button in question, was changing a ‘Register’ link on an eCommerce site, to a ‘Continue’ one, allowing users to purchase without registering.

I have to say I’m amazed it makes such a difference, but then I’m someone who would always – given the chance – register, in order to speed up future purchases.

One other surprising issue brought to light, was the amount of duplicate registrations form people with various email addresses – 45% of all users had multiple accounts. Now a part of me wonders if a degree of these might be deliberate to abuse a first-time-buyer offer. I’ll shamefully put my hand up to abusing Amazon’s refer-a-friend discount in my early teens and must have had at least a dozen accounts just for that purpose.

However, if they are simply down to people not keeping track of which email address they’ve used, perhaps this adds support to the argument of using usernames rather than email addresses for logins. I’ve always designed logins to use email addresses on the assumption that everyone knows and can remember their email address, and if they haven’t registered then it will always be available, whereas your preferred username may be long gone. I always thought this was one less thing to remember but perhaps not.

Now I think about it, I do have a preferred username that I use almost everywhere, but have changed my primary email address a few times over the years. So might registering with a username – and providing a ‘forgotten username’ send-to-email link – be better? Though of course you still have to check each mail account you can think of til you find it…

I’d be interested in hearing people’s thoughts on usernames vs email address as login IDs. The only thing we can probably all agree on is that they’re better than numeric auto-generated IDs which remarkably some sites still use!

Pete

Posted in User Experience, Web | 3 Comments »

Pete Williams

I make web sites and apps to the latest web standards focusing on achieving the optimal user experience

Web Posts:

Why CAPTCHA Sucks and What to do About it

CAPTCHA

Why it sucks

What to do about it

Not again!

When the Internet was all fields…

Search

Recent Posts

Categories

Links