I hate CAPTCHAs (you know, those squiggly bits of impossible-to-read text you have to fill out before you can do anything on some websites). I think all of us can relate to the experience of trying to register for a service or comment on a blog only to be stopped cold by an impossible CAPTCHA. Maybe you got it on the second or third try, but chances are you’ve also had occasions when you’ve bailed and decided it just wasn’t worth the effort. Today I want to convince you to never add a CAPTCHA to your site.

Let’s start by looking at why CAPTCHAs were invented. The acronym stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Quite a mouthful, eh? The idea is to have something that a computer can create but only a human can read. Whether or not humans can read CAPTCHAs is debatable, but that’s the idea anyway. Lots of sites use these things to attempt to stop automated requests. For example, you’ve got to fill out a CAPTCHA to get a Gmail account, send a message with a link on Facebook or even just email directions on Mapquest. CAPTCHAs are most often used to stop abuse around systems where there is a high incentive for automated systems to be used, like spamming everyone on Facebook. There are also a lot of people using CAPTCHAs where an alternative solution would suffice.
My biggest beef with CAPTCHAs is that they are so freaking annoying for users. They add an incredible amount of friction to the process — friction that you probably can’t afford. Sure, some CAPTCHAs are better than others, but none are great. I understand you want to protect your site from spam and abuse, but are you ready to lose potential users over it? The trade-off just isn’t worth it, especially if you are a startup!
One of the things I’ve noticed is that many people use CAPTCHAs when a simple non-intrusive spam-stopper would suffice. For example, say you have a blog and notice you are starting to get a large amount of spam comments. You decide to add a CAPTCHA to fix the problem. The thing is, you’re not big enough to be a victim of a targeted attack, you’re just getting generic spam bots. You don’t need a CAPTCHA.
It’s far easier to stop generic spam bots than a targeted attack. There are a lot of different techniques you can employ, but a simple option is to add an extra field with a tempting name like “email” to your form that is then hidden using CSS. Humans can’t see the field and as a result will never fill it out. Any request that comes in with the field completed can easily be eliminated as spam. The beauty of this is you have a pretty effective spam-stopper without ruining the user experience or adding any friction to the process. A simple technique like this is probably enough to stop the majority of spam bots.
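Here is what the hidden-field trick looks like end to end, as an added example that is not code from the original post. The form markup hides the decoy by pushing it off-screen rather than with display:none (the variant the author later suggests in the comments), labels it for screen-reader users, and the server-side check rejects any submission that fills it. The field names, the routing and the sample submissions are assumptions constructed for this example.

```javascript
// Added example (not from the original post): a CSS-hidden decoy field and the
// server-side check that rejects submissions which fill it in.
// Field names, form action and sample submissions are assumptions.

const DECOY_FIELD = 'email';                         // tempting name, as the post suggests
const REAL_FIELDS = ['name', 'contact', 'comment'];  // "contact" holds the real address

// Render the comment form. The decoy is moved off-screen instead of display:none,
// is skipped by tab order and autofill, and carries a label so a screen-reader
// user who does reach it knows to leave it blank. A real browser still submits
// it (empty) together with the rest of the form.
function renderForm() {
  return [
    '<form method="post" action="/comment">',
    '  <label>Name <input name="name"></label>',
    '  <label>Email <input name="contact"></label>',
    '  <label>Comment <textarea name="comment"></textarea></label>',
    '  <div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden">',
    `    <label>Leave this field empty <input name="${DECOY_FIELD}" tabindex="-1" autocomplete="off"></label>`,
    '  </div>',
    '  <button type="submit">Post</button>',
    '</form>',
  ].join('\n');
}

// Classify a parsed POST body. A real browser always sends the decoy, empty.
// A filled decoy means something stuffed every input it found; a missing decoy
// means the request did not come through the rendered form at all. Both are
// treated as spam here (design choice); an incomplete human submission is
// reported separately so it can get a normal validation message.
function classifySubmission(body) {
  if (!Object.prototype.hasOwnProperty.call(body, DECOY_FIELD)) {
    return { verdict: 'spam', reason: 'decoy field missing' };
  }
  if (String(body[DECOY_FIELD]).trim() !== '') {
    return { verdict: 'spam', reason: 'decoy field filled' };
  }
  for (const field of REAL_FIELDS) {
    if (!body[field] || String(body[field]).trim() === '') {
      return { verdict: 'incomplete', reason: `missing ${field}` };
    }
  }
  return { verdict: 'ok', reason: 'decoy empty' };
}

// Constructed sample submissions (not real traffic).
const SAMPLES = {
  human: { name: 'Ada', contact: 'ada@example.com', comment: 'Nice post', email: '' },
  bot:   { name: 'x', contact: 'a@b.example', comment: 'buy now', email: 'spam@example.com' },
  raw:   { name: 'x', contact: 'a@b.example', comment: 'buy now' },
};

for (const [who, body] of Object.entries(SAMPLES)) {
  console.log(who, classifySubmission(body));
}
```

Rejecting a missing decoy as well as a filled one is stricter than the post describes; keep only the "filled" branch if you have clients (an API, a mobile app) that legitimately post without the form.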
But what if you really are big enough to be at the receiving end of a targeted attack? What if you’re Facebook or Google? They might not be fun, but aren’t CAPTCHAs a necessary evil? I don’t think so. CAPTCHAs still aren’t going to protect you. The bad news is that most CAPTCHA systems have already been cracked using OCR software, making it trivial for your system to be compromised. For the rest, hackers have been known to set up porn sites that require you to enter a CAPTCHA in exchange for access to the adult content. What are you going to do to prevent that? Not to mention, there’s a booming business in India right now for breaking CAPTCHAs. The going rate is $2 per 1,000. Can you compete with that? If someone wants into your site, I’m sorry, but your annoying little CAPTCHA isn’t going to stop them.

Some people have taken more creative approaches to the CAPTCHA problem. Joe Stump tweeted the other day about one solution he discovered. You’ll see a lot of these around the web, often added by people who hate CAPTCHAs but haven’t stopped to think through the details. I remember seeing one approach that Hot or Not used that asked users to pick the 3 most attractive people out of 9 pictures. While these sorts of solutions are more fun for users than a traditional CAPTCHA, they are usually still pretty worthless at providing any real security. For example, with Hot or Not, the odds of a computer correctly guessing the 3 attractive people are 1 in 84. While those aren’t great odds for a human, they’re not bad for a computer — especially if you have a botnet at your disposal! Other approaches like the ones that ask you to do simple math or ask simple questions like “what is known as man’s best friend?” are vulnerable too. In most cases, all you’d need to do to crack the CAPTCHA is throw the question at Google and analyze the responses that come back. These systems are often also vulnerable by having a limited list of questions to ask, so it doesn’t take long for a hacker to build up a dictionary of correct answers to feed to the bot.
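The 1-in-84 figure is 9 choose 3, and the comments below debate whether it should be 1 in 504 instead. The added example that follows (not code from the original post) computes both counts for any pick-k-of-n puzzle and, more usefully for judging such a scheme, how many random guesses a bot needs before it has an even chance of passing; the "fifty percent" target is an assumption chosen for illustration.

```javascript
// Added example (not from the original post): the odds behind a "pick k of n"
// puzzle and how quickly random guessing gets through it.

// Unordered selections: C(n, k). Computed multiplicatively to stay exact for small n.
function choose(n, k) {
  if (k < 0 || k > n) return 0;
  let r = 1;
  for (let i = 1; i <= k; i++) r = (r * (n - k + i)) / i;
  return Math.round(r);
}

// Ordered selections: n * (n-1) * ... * (n-k+1). This is the 504 from the comments,
// which only applies if the order of the three picks matters (it does not here).
function permutations(n, k) {
  let r = 1;
  for (let i = 0; i < k; i++) r *= n - i;
  return r;
}

// Probability that at least one of `attempts` uniformly random guesses hits the
// single correct unordered set: 1 - (1 - 1/C(n,k))^attempts.
function passProbability(n, k, attempts) {
  const p = 1 / choose(n, k);
  return 1 - Math.pow(1 - p, attempts);
}

// Smallest number of attempts at which the cumulative pass probability reaches `target`.
function attemptsFor(n, k, target) {
  const p = 1 / choose(n, k);
  return Math.ceil(Math.log(1 - target) / Math.log(1 - p));
}

console.log('unordered outcomes:', choose(9, 3));          // 84
console.log('ordered outcomes:', permutations(9, 3));      // 504
console.log('tries for a 50% pass chance:', attemptsFor(9, 3, 0.5)); // 58
```

Fifty-eight tries is nothing to a script, let alone a botnet, which is the author's point: a puzzle whose whole answer space is 84 possibilities has no meaningful security regardless of how pleasant it is for humans.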

reCAPTCHA from Google is another anti-bot alternative. They proudly talk about all the good they are doing by using the technology to help digitize books. But even reCAPTCHA can be broken with 23% accuracy and it’s just as frustrating for users as the other alternatives.

So where does that leave us? CAPTCHAs are annoying, you probably don’t need one and even if you did it could still be broken pretty easily.
The most balanced approach is to add some basic security to stop generic bots and then stop worrying and get rid of the CAPTCHA altogether! Instead, watch out for suspicious IPs and monitor for nefarious behavior (like spam links being sent to multiple users, a large number of requests from one IP, etc.).
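The two signals named in that paragraph are easy to watch for server-side. The added example below (not code from the original post) keeps a sliding-window request count per source IP and tracks how many distinct recipients one sender has pushed the same link to, raising an alert when either crosses a threshold. The thresholds, the window size and the event log it runs over are assumptions constructed for this example.

```javascript
// Added example (not from the original post): behaviour monitoring in place of a
// CAPTCHA. Thresholds, window size and the sample events are assumptions.

const WINDOW_MS = 60 * 1000;          // sliding window for the per-IP request count
const MAX_REQUESTS_PER_WINDOW = 30;   // more than this from one IP in a window is suspicious
const MAX_RECIPIENTS_PER_LINK = 3;    // one sender pushing one link to this many users is spam

class AbuseMonitor {
  constructor() {
    this.requestsByIp = new Map();     // ip -> timestamps (ms) inside the current window
    this.recipientsByLink = new Map(); // "sender|link" -> Set of recipients
    this.alerts = [];
  }

  // Record one request; returns true when the source IP is over the rate threshold.
  recordRequest(ip, ts) {
    const recent = (this.requestsByIp.get(ip) || []).filter((t) => ts - t < WINDOW_MS);
    recent.push(ts);
    this.requestsByIp.set(ip, recent);
    if (recent.length > MAX_REQUESTS_PER_WINDOW) {
      this.raise('rate', ip, `${recent.length} requests in ${WINDOW_MS / 1000}s`);
      return true;
    }
    return false;
  }

  // Record one user-to-user message; returns true when a link in it has now gone
  // from this sender to MAX_RECIPIENTS_PER_LINK or more distinct recipients.
  recordMessage(sender, recipient, text) {
    const links = text.match(/https?:\/\/[^\s<>"']+/gi) || [];
    let flagged = false;
    for (const link of links) {
      const key = `${sender}|${link.toLowerCase()}`;
      const seen = this.recipientsByLink.get(key) || new Set();
      seen.add(recipient);
      this.recipientsByLink.set(key, seen);
      if (seen.size >= MAX_RECIPIENTS_PER_LINK) {
        this.raise('spam-link', sender, `${link} sent to ${seen.size} users`);
        flagged = true;
      }
    }
    return flagged;
  }

  raise(kind, subject, detail) {
    this.alerts.push({ kind, subject, detail });
  }
}

// Constructed sample events (documentation-range IPs, made-up users and links).
function runSample() {
  const m = new AbuseMonitor();
  const t0 = 1700000000000;
  // one IP firing 31 requests in 3 seconds, and one normal visitor
  for (let i = 0; i < 31; i++) m.recordRequest('203.0.113.7', t0 + i * 100);
  m.recordRequest('198.51.100.2', t0);
  // one account sending the same link to three different users
  const pitch = 'check this out http://example.net/offer';
  ['u1', 'u2', 'u3'].forEach((r) => m.recordMessage('bob', r, pitch));
  // one ordinary message with a link, sent once
  m.recordMessage('alice', 'u4', 'lunch at http://example.org/menu?');
  return m.alerts;
}

console.log(runSample());
```

Both detectors are deliberately per-sender and per-IP; a real deployment would also want to expire the per-link sets and to treat a hit as a reason to throttle or hold for review rather than to block outright, since shared NATs and legitimate announcements can trip simple thresholds.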
We live in a world where spammers are a real problem and must be addressed, but CAPTCHAs are not the answer. You simply cannot afford the friction. By using a CAPTCHA you are making the internet a whole lot less fun for all of us.


while software can already beat most if not all of them… all the human-entered de captcha services (some as low as $1 per 1,000 captcha solves) out i gotta agree with ya… never, ever…. use any type of image based captcha service.. hehe
I think google's reCaptcha is much less annoying than the alternatives, because it has real, existing words, whereas traditional captcha has a mixture of case sensitive alphanumeric characters. This is bad because if you can't read a character, knowing the actual existing english word helps.
Nice article Josh!
I totally agree that captchas are outdated. To solve the problems you outlined, NuCaptcha launched just Wednesday with a TechCrunch article. They are a video captcha company that is easier to read and can recognize patterns of fraud. If fraudulent activity is spotted, the video loops are slowed so that it will take longer to solve. These video captchas can be tweaked to make the intervention of human labor too expensive for spammers. Possibly this is just the scratch your itch was looking for.
Disclosure: I've advised with http://NuCaptcha.com in the past.
Completely agree. Having CAPTCHA on a small-readership site is…frankly…a little pretentious. I get around 1000 spam comments a day on my site. Zero CAPTCHA. Never will have a CAPTCHA. If it comes down to it I'll delete spam messages individually (or with a handy DELETE FROM XYZ WHERE AUTHOR LIKE '%viagra%') rather than bother my few readers and commenters with this crud.
CAPTCHA costs you more in reader frustration than it gains you in spam protection. Fail.
I just switched to Mollom.com
If the comment looks enough like spam, the user gets a captcha (with audio if easier for them). If it doesn’t look like spam, it goes straight through.
I agree with your conclusion, but disagree with some of your assertions. I have recently had cause to do some research on the subject.
While it is true that most (but not all) captchas can be broken with automatic software, often it was done as research or a demonstration of the technology. So captchas are not always "trivial" to beat. The software might exist but good luck to anyone who wants to get their hands on it. Often even the source code and algorithms are unavailable for study.
There are a couple of pretty good captcha-busting programs out there, and using them many of today's captchas can be busted, and some are flexible enough that you can tune them for future captchas that will be dreamed up. Pardon me if I don't list their names or locations here.
And as someone else brought up, there are captcha-busting services that will manually enter captcha values for your program for as little as $0.001 each.
Your basic point remains: if you really want security, captcha is not the way to go. There are other methods that you should probably consider.
I agree — CAPTCHA does not make much sense most of the time.
There are plenty of other ways to defer bots.
I don't use CAPTCHA on http://www.postjobfree.com at all.
And you know what — the hardest part was to deal with spam generated by humans, not by bots.
Fortunately we were able to automate spam moderation too (no CAPTCHA as usual): http://postjobfree.blogspot.com/2009/06/postjobfr…
that math equation is actually quite easy… easier than entering captchas
I hate CAPTCHAs too! I don't know how well they work, but have you seen slider CAPTCHAs? They sure are painless. http://theymakeapps.com/users/add http://wpmu.org/slide-to-comment-the-newest-and-s…
CAPTCHAs are always more secure when they first come out, but that doesn't mean they won't be broken in the future. To me it doesn't seem like the video adds much to the security of things. Can't a hacker just grab each of the frames from the video and run that through standard OCR software? In fact, it might be worse because now the hacker has multiple frames to use instead of just one.
bravo. thank you for doing your part to keep the internet fun.
thanks for sharing that link. it's good to know what else is out there.
i wonder if a simple bot-stopper might not be adequate for you, but i guess this is at least better than throwing up the captcha for everyone.
Thanks Lonny. I really appreciate your perspective and I wouldn't be surprised if you are right. And yes, "trivial" probably wasn't the best word to use. Let's go with "possible" instead. To be honest I haven't really looked much at the CAPTCHA cracking software that is out there so I'll take your word on this.
smart. i like it.
no kidding
My prediction is that this will be great for a while… but since it's being rolled out on WordPress there's a pretty big incentive for hackers to figure out how to get around it. I've not looked at the code, but it seems like it would be pretty easy to hack around. The best solutions are the simple ones that don't require any human interaction and are custom to a given site to stop hackers from being able to write a bot that works across multiple sites.
The CSS-hidden "email" field isn't a great solution — I use something like that, but periodically it gets tripped by people who use form-filler plugins or browser features.
The automated form-filler doesn't have any idea it's a bot test, and of course it fills it in… and the (perfectly valid) user is rejected for reasons they can't figure out.
The trick I figured out (at work here: http://emusictheory.com/contact.muse) is to clear the "bot" field via JavaScript as part of submitting the form. This empties out whatever any automated form-filler has plugged in, but doesn't do anything for bots (which aren't generally executing JavaScript, in my experience).
I also have some basic logic on the server-side that checks for URLs in name fields, etc. — things that they tend to do but are easy to catch.
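The two pieces this commenter describes, as an added example that is neither the commenter's code nor the original post's: a submit handler that empties the decoy field so a browser form-filler cannot get a real user rejected (bots that never run JavaScript leave it stuffed), and a server-side check for URLs in fields that should never contain one. The field names and the stand-in form object used to exercise the handler outside a browser are assumptions.

```javascript
// Added example (not the commenter's code): clear the decoy at submit time, and
// reject a URL in the name field on the server. Names are assumptions.

const DECOY_FIELD = 'email';

// Browser side. A form-filler plugin may have stuffed the decoy; emptying it in
// the submit handler means the request leaves the browser with it blank, while a
// bot that posts without executing JavaScript still sends whatever it put there.
function clearDecoy(form) {
  const decoy = form.elements.namedItem(DECOY_FIELD);
  if (decoy) decoy.value = '';
  return form;
}

function installDecoyClearing(form) {
  form.addEventListener('submit', () => clearDecoy(form));
}

// Server side. Short identity fields have no business containing a link.
const URL_PATTERN = /(https?:\/\/|www\.)\S+/i;

function fieldsWithUrls(body, fields = ['name', 'subject']) {
  return fields.filter((f) => URL_PATTERN.test(String(body[f] || '')));
}

// Constructed stand-in for a DOM form so the handler can run outside a browser.
// It supports just the members used above plus a submit() that returns what
// would be posted.
function fakeForm(values) {
  const inputs = Object.entries(values).map(([name, value]) => ({ name, value }));
  const listeners = {};
  return {
    elements: { namedItem: (n) => inputs.find((i) => i.name === n) || null },
    addEventListener(type, fn) { listeners[type] = fn; },
    submit() {
      if (listeners.submit) listeners.submit();
      return Object.fromEntries(inputs.map((i) => [i.name, i.value]));
    },
  };
}

// Constructed scenario: a real user whose browser plugin filled every input.
const form = fakeForm({ name: 'Ada', comment: 'hello', email: 'plugin@example.com' });
installDecoyClearing(form);
console.log(form.submit());                                  // email is now ''
console.log(fieldsWithUrls({ name: 'http://spam.example', subject: 'hi' })); // ['name']
```

In a real page, installDecoyClearing would be called with the actual form element once the DOM has loaded; the server keeps the decoy check from the earlier example and adds fieldsWithUrls on top of it.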
The odds are actually 1 out of 504 – you choose the first out of 9 times 1 out of 8 times 1 out of 7
that would be true if the order you picked the girls in mattered, but in this case it doesn't. it's a straightforward 9 choose 3.
great point. i hadn't considered the form-filler plugins, but your javascript solution sounds like it's working pretty well. thanks for sharing that.
Forget CAPTCHAs, they're so "last decade". Harness the power of Web 2.0 and the collective mind…
Use Mollom. That's what I use on my website, and I haven't had a single spam sneak through. That's with anonymous commenting enabled, and no moderation!
im not alone! glad i've found your site. this article is so cool! thank you for convincing me not to use captcha on my site anymore.
Thanks for sharing your view.
>There are a lot of different techniques you can employ, but a simple option is to add an extra field with a tempting name like “email” to your form that is then hidden using CSS.
Great idea!
In one of my sites (galop.gr) we have many bots registering so i tried the hidden email field trick. It does work most of the time (when it works i have an email sent to me so i know when it works) but still there are 1 or 2 bots every day that manage to register! Can i do anything else to eliminate spam-bots completely?
i don't know, but let's figure it out. i'm happy to throw out ideas if you're willing to test some different stuff.
first of all, what css are you using for hiding the field? i'm thinking you might want to use something a little trickier than just display:none… like setting a negative position, barely visible opacity, etc.
yes! even one convert makes this whole post worth it. congrats!
Thanks for your sharing, it’s very useful
Does anyone know how often Captchas appear across the web on a daily basis? At the last do you know of a way to figure it out?
I think your hidden field suggestion is not a good option – think of people with screen readers or with cognitive disabilities. The method you propose is discriminatory.
I don't have a perfect solution either, though I believe putting that option forward could mislead many developers into breaking laws in their jurisdiction. Many countries use the W3C WCAG check points as a measure of discrimination in regards to web site accessibility.
Then why not add a link that asks "using a screenreader?" that offers them an audio captcha instead? I'm sorry, I'm not going to ruin the experience for 99.9% of my audience for the sake of 0.1%.
I think reCaptcha is a cool idea at least. I do not like the 3 hot girls idea…now there are 3 girls I want to meet, but I'm stuck with a bunch of engineers at work. : )
When I got to the math test I laughed out loud. Thanks for that! I am just beginning to develop websites for disabled people and this is very valuable information. I am going to tweet and facebook this. Thanks again.
Great. Thanks!
the best one i've seen, was a simple one.. they show you a musical instrument, and you choose it from a simple drop down list of instruments !
the president of the underachiever's club hates captcha more than focus not where you want it rejections.
The only WordPress plugin that can block 100% of comment spam with zero false positives is Spam Free WordPress. Akismet cannot make that claim.
Spam Free WordPress does not use CAPTCHA for some of the same reasons you mentioned in this post.
http://www.spamfreewordpress.com/
Well, I'm lucky with this. I have a form in my website to allow users to sign up in a game, and they can post a few words about why they want to play. This form started to be filled with spam, until I decided to filter out the applications with an URL in them. They don't need to post an URL at all to enter the game, so if I get an URL in the comment, I just drop it automatically (of course the page has a warning to users).
But a fact: CAPTCHAs do reduce spam. But something else should be better.. globally identified ID:s connected to real humans?
I didn't mind CAPTCHAs until they started giving out non-existent words to type. It's hard enough to differentiate between certain letters but if I have no idea what the word is supposed to be, I can't even make an educated guess about what letter it may be.
I completely agree about this annoying method of “verification” – worse still are those dumb website designers who choose to blank your form should you get the captcha wrong – even once! Think I’m kidding? Read more: http://bit.ly/hVB2bP
That reminds me of the new US Government OpenID program.
Which gives every citizen an account they can login to.
It's a great idea, and I think every government should follow once the US rolls it out.
It annoys users more to be forced to login (even with OpenID) to comment on low traffic sites. Instead of whining about unfriendly CAPTCHAs, why not reduce the number of login boxes?
Great point. I've written and talked about that issue as well: http://www.onlineaspect.com/2007/05/18/how_to_bui…
Human spammers are a real problem, i get loads
Hi Josh – A well written article
My opinion on the subject: Horses for Courses. I think Captchas have a place (Yes, they irritate me too, but I still use them), as do the alternatives. IP blocking is part of the process, but for site owners lacking the knowledge, and more importantly the time, to manually block every IP used to generate spam is not an option. Large corporations can afford full time web managers to provide these services, small business entrepreneurs cannot.
Another method that has worked for me is requiring an authenticated login – WordPress.com, Facebook and Twitter (open ID not available for wordpress.com). This has stopped 99% of spam comments on the blog – if someone doesn't want to login and identify themselves that way – too bad, I don't want their comments. At least the ones received are related to the content, and usually make sense.
Decide on what your objectives are with your website or blog – are you wanting a website, a blog or a FORUM, and design your anti spam measures around your objectives. How much time to you want to spend moderating comments? Do you even need to have a commenting system or will a contact form be sufficient? Then decide on how to manage spam…
Great post,
Hate captcha,
and recaptcha try to let you digitize books for free, they know one word and ask u to fill in the other, u see that one of them is squiggly, this is the word they know, answer this one right, for the other one write fuck,
now wait to see digitized books that have the word fuck all over the place
I tell people all the time that all these captcha things were broken a long time ago. For some reason they don't listen and add some form of captcha to their site anyway. I do like the hidden field suggestion, that is definitely something to think about. The thing that bugs me the most about them is a lot of them are almost impossible to figure out what letters they are. I had one the other day at a social bookmarking site, and there was no way a real person could have figured out what it said. Anyway great article.
You only list examples of HORRIBLE, poorly designed/implemented captchas and say "see how bad they are".
Yeah, pretty bad article in my opinion. I haven't seen a single real alternative. I've been reading on CAPTCHA and possible alternatives for hours, because I agree they are annoying as hell. But the fact is: there is no equal solution to exterminate spammers Hence the reason Google and Facebook use it. I will most likely stick to reCAPTCHA or something like that.
Thank you. The most annoying eye straining piece of garbage i have ever had to deal with.
From the view of the user, captchas are indiscussable. Spam is the problem of the owner of the homepage, and not mine as a user of this homepage! So why should I be abused to solve a problem of the owner of the homepage? Indiscussable.
I've seen plenty of examples where the words from reCaptcha were completely unreadable, or non-english. Books aren't always in one language only, so when a book has foreign words or even double-bytes characters, the percentage of people that can decrypt it drops drastically.
I like the article, I particularly found it funny where you listed the software that showed images of people and had to choose who's hot or not LOL! Anyhow I also wanted to tell you all about how real time data verification can be used as an alternative.
XVerify makes sure the user data you capture (email address, phone number, physical address) are actual real data prior to allowing the user to click your continue button. If the data is fake and just spam it does not allow the user to continue through the registration and shows them an error message.
If you are interested in learning more feel free to visit Xverify.com and schedule a demonstration.
amazing post, loved it, will use one of the techniques. I don't like captcha or recaptcha since lately recaptcha uses some algorithm that it is very hard to read the letters.
i love the idea of a hidden field.
Hi,
I just wrote an article on my blog after reading this. You can view it here, if interested.
Mollom works most of the time but you'll still get some false positives (legit users getting the captchas thrown at them). Like if your email is actually somethingpharmacy@something but whatever. it's free.
I'd recommend keypic.com as a free anti-spam method. no more captchas, that's enough!
akismet is such a bad spam tool that it even blocks real people.
All Captcha's are annoying!