Posts tagged ‘pet peeves’

Why you should never use a CAPTCHA

I hate CAPTCHAs (you know, those squiggly bits of impossible to read text you have to fill out before you can do anything on some websites). I think all of us can relate to the experience of trying to register for a service or comment on a blog only to be stopped cold by an impossible CAPTCHA. Maybe you got it on the second or third try, but chances are you’ve also had occasions when you’ve bailed and decided it just wasn’t worth the effort.  Today I want to convince you to never add a CAPTCHA to your site.

Let’s start by looking at why CAPTCHAs were invented. The acronym stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Quite a mouthful, eh? The idea is to have something that a computer can create but only a human can read. Whether or not humans can read CAPTCHAs is debatable, but that’s the idea anyway.  Lots of sites use these things to attempt to stop automated requests. For example, you’ve got to fill out a CAPTCHA to get a Gmail account, send a message with a link on Facebook or even just email directions on Mapquest. CAPTCHAs are most often used to stop abuse around systems where there is a high incentive for automated systems to be used, like spamming everyone on Facebook. There are also a lot of people using CAPTCHAs where an alternative solution would suffice.

My biggest beef with CAPTCHAs is that they are so freaking annoying for users. They add an incredible amount of friction to the process — friction that you probably can’t afford. Sure, some CAPTCHA’s are better than others, but none are great. I understand you want to protect your site from spam and abuse, but are you ready to lose potential users over it?  The trade off just isn’t worth it, especially if you are a startup!

One of the things I’ve noticed is that many people use CAPTCHAs when a simple non-intrusive spam-stopper would suffice. For example, say you have a blog and notice you are starting to get a large amount of spam comments. You decide to add a CAPTCHA to fix the problem. The thing is, you’re not big enough to be a victim of a targeted attack, you’re just getting generic spam bots. You don’t need a CAPTCHA.

It’s far easier to stop generic spam bots than a targeted attack. There are a lot of different techniques you can employ, but a simple option is to add an extra field with a tempting name like “email” to your form that is then hidden using CSS. Humans can’t see the field and as a result will never fill it out. Any request that comes in with the field completed can easily be eliminated as spam. The beauty of this is you have a pretty effective spam-stopper without ruining the user experience or adding any friction to the process. A simple technique like this is probably enough to stop the majority of spam bots.

But what if you really are big enough to be at the receiving end of a targeted attack? What if you’re Facebook or Google? They might not be fun, but aren’t CAPTCHAs a necessary evil?  I don’t think so. CATCHAs still aren’t going to protect you. The bad news is that most CAPTCHA systems have already been cracked using OCR software making it trivial for your system to be compromised. For the rest, hackers have been known to set up porn sites that require you to enter a CAPTCHA in exchange for access to the adult content. What are you going to do to prevent that? Not to mention, there’s a booming business in India right now for breaking CAPTCHAs. The going rate is $2 per 1,000. Can you compete with that? If someone wants into your site, I’m sorry, but your annoying little CAPTCHA isn’t going to stop them.

Some people have taken more creative approaches to the CAPTCHA problem.  Joe Stump tweeted the other day about one solution he discovered. You’ll see a lot of these around the web, often added by people who hate CAPTCHAs but haven’t stopped to think through the details. I remember seeing one approach that Hot or Not used that asked users to pick the 3 most attractive people out of 9 pictures. While these sort of solutions are more fun for users than a traditional CATPCHA, they are usually still pretty worthless at providing any real security. For example, with Hot or Not, the odds of a computer correctly guessing the 3 attractive people are 1 in 84. While those aren’t great odds for a human, they’re not bad for a computer — especially if you have a botnet at your disposal! Other approaches like the ones that ask you to do simple math or ask simple questions like “what is known as man’s best friend?” are vulnerable too. In most cases, all you’d need to do to crack the CAPTCHA is throw the question at Google and analyze the responses that come back.  These systems are often also vulnerable by having a limited list of questions to ask so it doesn’t take long for a hacker to build up a dictionary of correct answers to feed to the bot.

reCAPTCHA from Google is another anti-bot alternative.  They proudly talk about all the good they are doing by using the technology to help digitize books. But even reCAPTCHA can be broken with 23% accuracy and it’s just as frustrating for users as the other alternatives.

So where does that leave us?  CAPTCHAs are annoying, you probably don’t need one and even if you did it could still be broken pretty easily.

A balanced approach would be to add some basic security to stop generic bots but get rid of the CATPCHA altogether. Instead, watch out for suspicious IP’s and monitor for nefarious behavior (like spam links being sent to multiple users, large # of requests from one IP, etc).

There are services like Ellipsis Human Presence that offer non-intrusive human behavior analytical modeling to attempt to identify non-human site traffic. They use other heuristics like how you navigate the site or how you move your mouse to detect whether you act human or not. I’m sure their detection system can be circumvented with enough effort, but they significantly increase the cost for bad actors without pissing off your actual guests.

We live in a world where spammers are a real problem and must be addressed, but CAPTCHAs are not the answer. You simply can not afford the friction. By using a CAPTCHA you are making the internet a whole lot less fun for all of us.


Looking for a job? Don’t be this guy.

I just received this email:


Please see my attached resume.
I’m very intelligent and creative. I have a very eclectic arsenals of skills for the solution of problems.
I’ve worked in numerous startups, including several of my own.


The sad thing is, I get an email like that just about every day. I thought I would share my response in hopes that it will help someone from making the same mistakes.

We’re not hiring right now, but here are a few free tips:

  • “I’m very intelligent and creative.” doesn’t come off as confident, it comes off as cocky
  • If you had spent 2 minutes looking at our site you would have known that my email address is not careers, not jobs… just josh.
  • No mention about what excites you about EventVue? Keep in mind I get several resumes in my inbox EVERY DAY. It’s not hard to get my attention. Comment on my blog. Send me an engaging question. @me on twitter. I’ll respond. Just don’t send me something that has been copied and pasted to a dozen different companies.
  • “FW: about me” is your subject line? I’d work on that one a bit.
  • We’re a startup trying to build cutting edge stuff. The fact that you sent me an email from a Hotmail account communicates that you aren’t much of an early adopter. That’s too bad, because I bet you’re a smart guy.

I understand that startups are different.  Your career center probably didn’t tell you this stuff.  That’s why I am.

Update. Reed responded:

Don’t worry I’m very creative and intelligent. It’s not a boast. It’s who I am.

If you read my resume then you know that I’m also an internationally known composer.
I can write top level music in any style you can think of, including the most modern remix and such.
I attached a song from one of my Cds. All my Cds have been in or near the 10 ten the country on jazz radio.

I  have not only hotmail but gmail and facebook and twitter and others.

Anyway, I’ll keep your advice in mind.

I’ll check out your blog.

Not sure that helped, but at least now I know he’s a good composer.  The music was pretty.


Let’s start a new trend

This mailbox is not monitored and you will not receive a response.

Every email I receive these days seems to contain that sentence in one form or other. A bit rude, isn’t it? Wait, it gets better…

To ensure delivery, please add us to your address book.

Let me get this straight — you want me to add you to my address book, but you won’t even read my emails? Instead you’re going to make me take a 20 minute scavenger hunt around your website to find out how to get in touch with you?


I’d rather just hit reply.

Here’s an idea: Why not start listening to your customers instead of insisting on having a one-way conversation all the time?

It’s easy:

  • Set up a filter to delete all the “Out of Office” emails and the delayed delivery notices.
  • Forward the bounced emails to your email management script to remove them from your mailing list.
  • Actually start reading and responding to what your users/customers have to say.

Let’s start a new trend and stop using that annoying “no-reply” email address. Come on — we can be more creative than that!


When you know just enough to be dangerous

I’ve always been amazed by the number of books that promise to teach you how to program in just a few days or weeks. I recently stumbled across a book at Amazon entitled: Sams Teach Yourself PHP in 10 Minutes. 10 minutes!!!

Why do we think it is possible to learn JAVA in the same time it takes to make a pot of coffee?

It has taken me years to learn how to program and I am still learning new things every day. Imagine if we applied this same thinking to other skills. I’ve never seen a book on how to learn to play the piano in 10 minutes. That’s because everyone knows that learning to play the piano takes countless hours and years of practice. No one should expect to become an expert overnight.

Why are people in such a rush?

Let’s stop spreading this lie that you can learn everything you need to know about programming just by reading a $20 book. You can’t. Sure, you might be able to gain a superficial familiarity, but not the deep understanding that is required to build a real application. Books like this are a great way to explore your interests. Just realize that by the time you finish the last page, you probably know just enough to be dangerous.