A Better CAPTCHA: Are We There Yet?

Photo: Anna Fischer


CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are a nightmare for any usability expert, but if we want to reduce spam we need them, or something else, in place.

While there are numerous CAPTCHA alternatives (and lesser-known CAPTCHA varieties), you could argue that none of them are good enough for mass use on the Web.

Some of the CAPTCHA alternatives that exist can be used as a CAPTCHA replacement under some circumstances but they won’t solve the problem in general. And the problem is a pretty real one – CAPTCHAs hurt user experience and conversions.

The Perfect Anti-Spam Solution

We’ve all seen ads of various anti-spam products that claim they are the ultimate anti-spam solution.

However, you don’t need to be a genius to read past the marketing lingo to figure out that a particular solution is either easy to circumvent (hence unreliable), or requires too much effort (i.e. is not user-friendly), or generates too many false positives/negatives.

A user asked in an old thread on StackExchange about CAPTCHA alternatives and listed the following requirements any such alternative should meet:

  1. It must be accessible.

  2. It must be non-disruptive and transparent to the end user.

  3. It cannot detract or distract from the primary purpose of the page.

  4. It must be automated or require very little moderation on a large scale.

  5. It cannot be a 3rd-party service.

While I think most of us could live without the last requirement (i.e. a 3rd-party service is acceptable, provided it’s reliable and user-friendly), the requirements listed by the user are essentially the features of a good-enough anti-spam solution.

To these I would add just two more:

  1. It shouldn’t put a huge strain on the server/browser.

  2. It must have a low percentage of false positives and false negatives.

While these 7 requirements don’t sound like much, it turns out they are still an impossible dream, as there is no present anti-spam technology that outperforms CAPTCHAs.

So let’s discuss the main CAPTCHA varieties and alternatives, so you can see for yourself that, unfortunately, all things being equal, (text) CAPTCHAs are the lesser evil.

CAPTCHA Varieties and Other Anti-Spam Alternatives

reCAPTCHA

When we say CAPTCHA, we basically think of this:

reCAPTCHA

This type of CAPTCHA is called reCAPTCHA, and it is now part of Google. reCAPTCHA displays a ‘letter code’ that usually doesn’t form a word (to prevent dictionary attacks), which the user is asked to type in.

This letter code is visually distorted to deter OCR bots. Of course, the harder it is for the bots to read, the harder it is for users, too.

reCAPTCHA Pros:

reCAPTCHA comes with two options that improve usability: the option to request a new set of letters if the present set is illegible, and the option to play audio in which the letters are spelled out.

reCAPTCHA Cons:

Often, no matter how many times you refresh, all you get is a new set of equally illegible letters. This is the irritation of reCAPTCHA we all know: “Is that a squished ‘L’ or a squished ‘1’?”

A second recurring issue is that the audio fallback option might not be of much help to many users.

For instance, the user’s hearing may be impaired, or he or she may simply not recognise the spoken names of the letters, as is often the case with international users. They may be able to read your English content (perhaps with the help of Google Translate), but the sounds ‘el.. too..five…jay…bee….em‘ mean nothing to them.

Even the mere requirement of a working sound card can be a problem for users with older equipment, or on library PCs and in internet cafes.

reCAPTCHA is the most common type, but it’s not the only one. In many cases, one of the lesser-used varieties could be a better choice.

Here are some CAPTCHA varieties and their pros and cons.

Pure Audio CAPTCHAs

As the name itself implies, audio CAPTCHAs use sound rather than text to filter bots. reCAPTCHA itself has an audio option, so if you want to try the concept, you don’t have to look further.

As for the cons, we’ve already discussed them in the previous section: they are a barrier to hearing-impaired and international users.

All in all, audio CAPTCHAs are generally no better than the garden variety reCAPTCHA.

Image CAPTCHAs

Image CAPTCHAs are more of an alternative to standard text CAPTCHAs than audio CAPTCHAs are. With image CAPTCHAs, you show an image instead of text and ask the user a question about what he or she sees in the picture.

Click the flower

Pros of image CAPTCHAs:

It makes a game out of the CAPTCHA process.

Cons of image CAPTCHAs:

There are several issues with this approach.

Firstly, you need a large pool of constantly changing images to display. If you have, say, only 100 images, it’s not difficult for a human to review them all and train a simple bot on what to enter for each one.

Secondly, these images must be unambiguous and easy to understand. They must be simple objects – an apple, a cat, a car, etc. – that are obvious to everybody. If you put something fancy, you never know how your users will decode the image and how many times they will have to resubmit the CAPTCHA.

Thirdly, the language barrier presents a problem again. To a native speaker, a simple object might be easy to name, but there are international users who don’t necessarily know even basic English words.

Video CAPTCHAs

Video CAPTCHAs are one more CAPTCHA variety. They are the least popular because it is hardest to provide a reasonable number of videos, they require storage, and again, not everybody can watch and understand them.

Simple Math/Question CAPTCHAs

Math question

I would suspect that, after text reCAPTCHAs, this is the second most popular type of CAPTCHA.

The principle is this: you present a simple math problem or a question, like “2+2=?” or “Which is the shortest month of the year?”, and the user has to enter the answer.

Since math is universal, there is no language barrier for international users, but this isn’t so with question CAPTCHAs. This is why, if you opt for a question-based approach, you’d better stick to math questions only.

3D CAPTCHAs

Basically, 3D CAPTCHAs are even more irritating than reCAPTCHA itself, but if you want to experiment to see whether your users like them more, you can. 3D CAPTCHAs don’t look as plain, but they are even harder to read. You can try them for a change, but my feeling is your users won’t find them any more appealing.

CAPTCHA Alternatives

In addition to CAPTCHA varieties, there are numerous non-CAPTCHA-based alternatives. I don’t want to sound biased, but most of these alternatives don’t come even close to CAPTCHA in effectiveness. Read about these alternatives and judge for yourself whether we’ll be stuck with CAPTCHA for years or not.

Checkboxes

Checkbox: Tick this if you are not a bot.

Checkboxes next to a field, such as “Check this if you are human/not a robot”, are one of the best CAPTCHA alternatives. The checkbox is generated by client-side JavaScript, so in theory it is invisible to a bot. Checkboxes are not as irritating as CAPTCHAs, but they are easily missed by users.

Checkboxes are not 100% bot-proof and not all users have JavaScript enabled, but if you absolutely hate CAPTCHAs, you might give checkboxes a try.

On top of that, if this approach ever gains serious market share, it will be trivial to write a bot to exploit it.

Honeypots

Honeypots use the opposite approach, essentially asking the bots to identify themselves.

The form contains a field that is not visible to humans, only to bots. Bots are programmed to be fast and simple: when they see a field to fill in, they fill it, thus exposing themselves.

Of all CAPTCHA alternatives, honeypots look the most promising. They are usually implemented via CSS, so nothing depends on the client having JavaScript enabled.

However, they do have disadvantages.

Firstly, you need to add a warning for users with screen readers NOT to fill in the field. Secondly, hidden text can be viewed with suspicion by search engines, making it potentially bad for SEO.
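To make the honeypot and the JavaScript-generated field (the Checkboxes section above) concrete, here is an added Python example that is not from the original article: a server-side check that classifies a submission from the two signals and falls back to a CAPTCHA, rather than rejecting outright, when the only finding is that no JavaScript ran. The form markup, the /js-token endpoint, the field names and the one-hour token lifetime are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed example of the form the server expects (not from the article).
# "website" is the honeypot: hidden with CSS rather than type="hidden" (bots
# often skip real hidden inputs) and labelled so anyone who does reach it is
# told to leave it empty.  "js_token" is not in the HTML at all: a script adds
# it after load, so a client that never runs JavaScript never sends it.
FORM_HTML = """
<form method="post" action="/comment">
  <label>Name <input name="name"></label>
  <label>Comment <textarea name="comment"></textarea></label>
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <label>Leave this field empty
      <input name="website" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Post</button>
</form>
<script>
  // The "checkbox" technique without the checkbox: fetch a signed token
  // (assumed /js-token endpoint) and inject it as a hidden input.
  fetch('/js-token').then(r => r.text()).then(t => {
    const i = document.createElement('input');
    i.type = 'hidden'; i.name = 'js_token'; i.value = t;
    document.querySelector('form').appendChild(i);
  });
</script>
"""

HONEYPOT_FIELD = "website"
TOKEN_FIELD = "js_token"
TOKEN_TTL = 3600  # seconds a token stays valid (assumed value)


def make_js_token(secret: bytes, issued_at: int) -> str:
    """Token handed to the page's script: issue time plus an HMAC over it.

    Signing the value means a bot cannot just invent the field; it has to
    load the page and run the script (or call the token endpoint itself).
    """
    ts = str(issued_at)
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def token_is_valid(secret: bytes, token: str, now: int) -> bool:
    """Verify the signature and the age of a token submitted with the form."""
    try:
        ts, mac = token.split(".", 1)
        issued_at = int(ts)
    except ValueError:          # no dot, or a non-numeric timestamp
        return False
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return 0 <= now - issued_at <= TOKEN_TTL


def classify_submission(form: dict, secret: bytes, now: int) -> str:
    """Classify a posted form (field name -> value) as 'bot', 'no-js' or 'human'.

    A filled honeypot is the strongest signal: a human never sees that field.
    A missing or bad token only shows that no JavaScript ran, which is also
    true of some legitimate users, so the caller should fall back to a
    CAPTCHA for 'no-js' and re-render the form with the values already typed.
    """
    if form.get(HONEYPOT_FIELD, "").strip():
        return "bot"
    if not token_is_valid(secret, form.get(TOKEN_FIELD, ""), now):
        return "no-js"
    return "human"
```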

Rule-based Filtering

Most likely you are already using rule-based filtering without even knowing it. A good example is Akismet. You set the rules that make a comment or post spam, and when a post meets the criteria, it is marked as such.

Akismet spam filtering service

Rule-based filtering can give good results, especially if you combine it with manual moderation. Most often the rules search for given keywords; if they are present in a post, the post is marked as spam.

IP Whitelists and Blacklists

With IP whitelists and blacklists you create lists of allowed (“white”) IPs and banned (“black”) IPs. They are rarely useful, because they are easily circumvented and there is a high level of false positives and negatives.

You are correct if you are thinking that a blacklisted IP can easily be bypassed with the help of a proxy, or simply by posting from a different location. In fact, a simple browser extension can bypass this defence.

What is more, a legitimate user can often get blacklisted because his or her IP was used in the past by spammers. This alone makes white/blacklists a particularly clumsy solution.

In reality, this approach most likely creates more problems than it solves, but if you have nothing else at your disposal, as a last resort you might try it.

Phone/Email Confirmation

It’s possible to include one more type of user verification: have the user confirm via email or over the phone that he or she is not a bot. Phone verification can be useful in ecommerce (you call the user, make sure it is a live person, and only then dispatch the goods), but in many other cases it’s simply overkill.

Other Services

One of the requirements for a good anti-spam solution was that it doesn’t use 3rd-party services, but since I believe this isn’t a deal breaker, let’s include them as well. After all, reCAPTCHA itself is a third-party service, because the symbols entered are verified on Google’s servers, not yours.

You can reduce spam if you allow only users registered with services such as OpenID, Disqus, Facebook, or G+ to post. However, a bot can also have an account with these services and pose as a human.

Privacy issues are an obvious concern with this approach.

Given the public nature of the Net, and the fact that once you post something, it stays there forever, not everybody is comfortable posting under their name at all times.

Privileges Based on User Rating

Privileges based on user rating are an alternative for forums and communities. Here are some suggestions:

Automatic Approval for Posts from Trusted Users

Posts and comments from new users are checked before they are posted live, while posts and comments from trusted users are published automatically (and randomly checked later, just in case).

Moderation/Flag Privileges for Trusted Users

User privileges could go even further. For instance, you can authorize very trusted users to moderate or at least flag posts/comments. However, this can be very biased, because if a user disagrees with a post, he or she can easily flag it even if it is not spam.

Number of Posts Before A User Can Post Links

The principle is simple: you can post a link if you have at least 10, 20, 50, 100, or any number of posts, and/or you’ve been a member for a month, three months, or any period of time. This stops bots but isn’t convenient for ordinary users. Of course, this approach can be abused as well (post the required number of clean posts and then start spamming), but it takes a lot of effort.

Combination of Two or More Approaches

The perfect anti-spam solution would do all the work, but unfortunately such a solution is not to be seen soon — perhaps ever.

You can combine two or more approaches, though.

For instance, you can use Akismet or reCAPTCHA for the rough filtering of spam and then have a human admin moderate anything they missed. For a large site, admin moderation is somewhat painful simply due to the sheer volume of posts and comments.

Unfortunately, no matter how advanced technology becomes, 100% automation is not a good option, because it leads to a relatively high level of false positives and false negatives.

For now, there is no way to exclude humans from the anti-spam process, so even if you get a solution that seems perfect, you will always need to check its choices.
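The rule-based filtering, the user-rating privileges and the combination of approaches described above can be put together in one moderation pipeline. The following Python example is added here and is not code from the article or from Akismet; the keyword list, the link thresholds (10 posts and 30 days) and the outcome names are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Rule-based filter of the kind the article describes: keyword rules and a
# link-count rule; a post matching any rule is marked as spam.  The keyword
# list is constructed for this example.
SPAM_KEYWORDS = ("cheap pills", "casino bonus", "earn $$$")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
MAX_LINKS_FOR_ANYONE = 5

# Assumed thresholds for "number of posts before a user can post links"
# (the article says 10, 20, 50 ... or any number, and a month or more).
LINK_MIN_POSTS = 10
LINK_MIN_DAYS = 30


@dataclass
class User:
    name: str
    post_count: int
    days_member: int
    trusted: bool = False   # trusted users' posts are auto-published
    can_flag: bool = False  # moderation/flag privilege for very trusted users


def matches_spam_rules(text: str) -> list[str]:
    """Return the names of the rules a post trips (empty list = clean)."""
    hits = []
    lowered = text.lower()
    for kw in SPAM_KEYWORDS:
        if kw in lowered:
            hits.append(f"keyword:{kw}")
    if len(URL_RE.findall(text)) > MAX_LINKS_FOR_ANYONE:
        hits.append("too-many-links")
    return hits


def may_post_links(user: User) -> bool:
    """Both reputation thresholds must be met before links are allowed."""
    return user.post_count >= LINK_MIN_POSTS and user.days_member >= LINK_MIN_DAYS


def moderate(user: User, text: str) -> tuple[str, list[str]]:
    """Decide what happens to a post and return (outcome, reasons).

    Outcomes: 'spam' (the rule-based filter caught it), 'rejected' (links
    from a user who has not earned the privilege), 'queued' (new user: a
    human admin checks it before it goes live), 'published' (trusted user:
    goes live immediately).  Every post, even from a trusted user, still
    passes through the rules first, which is the article's point about
    combining two approaches: automation does the rough cut, humans the rest.
    """
    reasons = matches_spam_rules(text)
    if reasons:
        return "spam", reasons
    if URL_RE.search(text) and not may_post_links(user):
        return "rejected", ["links-need-reputation"]
    if user.trusted:
        return "published", ["trusted-user"]
    return "queued", ["new-user"]
```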

Are we there yet?

As you see, it’s not that there are no alternatives to reCAPTCHA. There are almost a dozen CAPTCHA and non-CAPTCHA based approaches. Unfortunately, they all have serious drawbacks that make them unusable in most cases.

Currently we can’t do (much) better than CAPTCHA, but we can design better CAPTCHAs — and this does make a difference.

For starters, one huge improvement you can make is to always preserve the data the user has entered in the form, so that a failed CAPTCHA doesn’t clear it.

Is there anything more cruel than watching all the data you diligently entered in the form, evaporate into the ether simply because you thought a squiggly ‘h’ was a squiggly ‘n’?

One more step you can take is to fine-tune the complexity of the CAPTCHA. Many CAPTCHA systems allow you to tune the level of character distortion. Try different levels of difficulty and see at which level you achieve the best spam-to-usability ratio.

Obviously, the easier the CAPTCHA, the higher the spam level and vice versa. You might be tempted to use the most difficult CAPTCHA but this is the worst for usability.

We need to find the equilibrium point. You are probably never going to be 100% spam-free (that is utopia); you are going for acceptable levels, so just test at what level of difficulty spam levels are more or less acceptable and don’t go beyond it.


  • sharethink

    I made a comment earlier that got deleted, (perhaps because I included a link in it). However, I think it still bears discussion. One of the approaches to Turing tests that you did not discuss was that of using semantic associations. I built a solution that tries to balance security against usability by leveraging the semantic associations that humans intuit between objects. We’ve had a lot of success with that.

    The solution uses an AI to continuously generate new human-solvable challenges by assembling collections of objects, and then either requiring users to combine two objects, or to isolate an object that doesn’t belong in a group.

    The result is a challenge that’s very usable, and very secure. As far as I know, this is the only approach that actually uses an artificial intelligence to try to separate humans from bots. It’s a challenging and interesting area of research – if you’re interested in the problem of Turing tests.

    • Alex Walker

      That sounds very interesting @sharethink:disqus. We didn’t deliberately block the comment, but the link may have tripped the spam filter. I’ll have a look in the admin — I’d be interested to see your take on the subject.

      It’s a tough problem to solve, so I’d always be happy to spotlight a worthwhile new approach.

      • sharethink

        Some researchers at Texas A&M University wrote a paper on an almost identical approach shortly after we launched the proof of principle. They invited me to prepare a follow-up white paper, and I can provide links to both documents if you’re interested.

    • http://www.karlbrownvoiceover.com/ Karl Brown

      Part of the problem with making accessible CAPTCHAs is that you also need to consider people with cognitive or learning difficulties. While “2+2=?” seems easy, if the user isn’t good at maths or doesn’t recognise the symbols, they’re not going to get it. Similarly with @sharethink:disqus’s solution, if someone doesn’t understand the association between terms they’re going to really struggle. This will be even greater if they have literal interpretations of language because they may not know that a turn of phrase has been used.

      Looking at the solutions above the honeytrap seems the most useable for the widest group because it doesn’t involve reading, problem solving or similar, but it does cause issues for people using screen readers who might assume it needs to be clicked. It’s a tricky one, hopefully a solution will be found before too long.

      • sharethink

        This is correct. I’ve learned that there isn’t one universal solution for every application. Honey traps are great – provided you’re not trying to protect a high-traffic site that would be specifically targeted by hackers. They can work really well to protect blogs and community forums.

        We’ve found that one of the most effective places to apply our solution is on corporate cloud apps and webmail accounts where they’ve had issues with brute-force attacks, or fraudulent transactions, and don’t want to have to resort to locking accounts or blocking IP ranges. These tend to be applications where you can assume a high level of cognitive functionality.

        Of course, to be fair, you would want to assume that on many discussion forums as well. ;)

      • http://www.coolfields.co.uk/ Graham Armfield

        I’ve used simple maths sums on a few sites now. They do stop spam but I acknowledge that some people may not understand what’s required. One thing to note if you do intend to use maths problems is that some screen readers do not voice mathematical symbols when on their default settings. So your sum 2 + 2 = may just get voiced as “2 2”. One solution to that would be to spell out the sum in words – 2 plus 2 equals.

        To allow maximum availability to everyone (including those with impairments) it’s probably necessary to supply two different sorts of CAPTCHA and allow the users to choose the one they want to use. This would allow sites to meet the ‘multi modal’ requirement in WCAG 2.0 guidelines. ReCAPTCHA and others try to do this, but the audio is so hard to understand.

    • adaivanoff

      Just a quick question: are these semantic associations language- and culture-independent? In other words, if somebody from the States looks at a group of objects will he or she make the same associations as somebody from East/West Europe, Africa, Asia, Latin America, or Australia, for example? I mean for some cultures a tiger might be associated with one thing, while in others it might be associated with something completely different. Even with image captchas it is a problem that the same image can be interpreted in multiple ways but only one answer is correct.

      • sharethink

        That’s an excellent question. And the short answer is “no”.

        We’ve built that into our localization, by creating separate object repositories by region. We feel that this is actually advantageous, since it tends to frustrate the use of cheap overseas labor as mechanical Turks or CAPTCHA farms when targeting specific commercial sites.

  • gazugafan

    The “checkbox” approach you mentioned doesn’t really need to include a checkbox at all. Instead of generating a checkbox on the client-side, just generate a hidden form field. This solves the “users could miss the checkbox” problem. Of course, every other problem with this approach is still just as valid.

    • adaivanoff

      Not sure if I get it correctly, but if the form field is hidden from the user, how could he or she fill it in? This is the essence of the checkbox technique; the opposite, with the field hidden from humans, is the honeypot.

      • gazugafan

        It would be filled in with something automatically via javascript–ideally something that changes and that the server can verify. In both the checkbox and hidden form field implementations, the only thing you’re really doing is seeing if the user is running javascript. Many bots don’t, which means the checkbox or hidden form field wouldn’t be generated.

        • Tim Van Buren

          Actually, with a hidden field, you test to make sure it is blank. Bots will try to fill it in. If it is filled with anything, you have a bot and you reject the form, or make them do a test. Hide it via css, not by using a hidden field.

          • gazugafan

            That’s the honeypot approach… in that case, you wouldn’t generate the field on the client-side via javascript. If you did that, you wouldn’t expect bots to fill it in, because bots don’t usually run javascript.

            Think of it this way… for the checkbox approach, why make the user actually have to check the box? You’re generating the checkbox via javascript so that bots don’t see it, right? So, why not just check the box automatically via javascript as well? Making the user check it doesn’t really do anything. In fact, why not take that one step further and make it a hidden form field instead of a checkbox?

            In all of those cases, all you’re doing is checking to see if the user is running javascript. Bots usually don’t run javascript, so they’ll never see the checkbox or hidden form field. If the form comes back without your client-side generated field, then it was submitted by someone not running javascript (most likely a bot).

          • Tim Van Buren

            You are right… sorry. I didn’t read the thread clearly. Seems like your logic is sound, regarding checking the box for the user.

  • http://www.muhammedak.com/ Muhammed A K

    I don’t know whether someone is using my technique or not; normally I am happy with my own captcha. I said captcha? Yes, but no, no captcha.. I always use jQuery ajax: when the user scrolls even 1px (hopefully my site usually has enough height) I send an ajax request and create a unique hidden input field in my form, and I check that the newly created unique input is available in that form before proceeding with further action, i.e. mail or something.. Normally I am happy with this solution :)

    • Alex Walker

      That’s an interesting approach, @Muhammad. I guess it does rely on JavaScript working properly though.

      • http://www.muhammedak.com/ Muhammed A K

        :)

    • adaivanoff

      I’m curious to know if the percentage of fakes (either positives or negatives) is low enough to make trying it worthwhile. Can you provide any numbers?

      • http://www.muhammedak.com/ Muhammed A K

        Normal contact page with email, name, phone, msg: I was getting lots of spam, like more than 10 per day. After I implemented this technique I never got spam from those contact pages. Sometimes this is because my site is not a big one; I think spammers won’t spend time escaping my little website’s tricks :) :) I won’t believe my captcha is a strong one :) but if I get benefits from that, I really love to continue with that.

  • Alex Walker

    Fair point. My mistake in editing there. Thanks Matthew.

  • Liam LB

    What about PlayThru by http://areyouahuman.com/ ? My experience (both as a user and a developer) of word-based CAPTCHAs is they are rather poor, both in terms of accessibility, and usability for even the most competent – it would help if reCaptcha stuck to words from your native language, and Google stopped using it to read house numbers and the likes.

    PlayThru offers an easy-to-use alternative, based upon shape recognition and mouse/touch movement rather than character recognition, producing much the same results, without the false negatives from people getting it wrong.

    • adaivanoff

      It again requires the user to perform an action – I checked their site and the illustration they give is “Drag the Fiesta to Chicago”. The image shows a car and a couple of cities are there (one of which is Chicago), but this also requires knowledge of English, which is a barrier for international users.

  • adaivanoff

    I don’t think so. I am not sure if this is by default or not, but I’ve personally seen millions of reCAPTCHAs that use just a random sequence of letters to form an entity that is not a word in English (or maybe other major languages as well). You could use dictionary words, if you want, but you are not limited to this.

  • sharethink

    The problem with UI-based human interactive proofs and honeypots is that while they may prevent spam on a comment forum, they won’t protect sites that are specifically targeted by hackers (who will simply script around them). With regard to simple questions and math problems, security researcher Joel Van Horn wrote an interesting article on his blog about using Wolfram Alpha as part of a scripted bypass.

    I couldn’t post the link, but you can Google “Using Wolfram Alpha to Hack CAPTCHA”.

  • adaivanoff

    I’d call this overkill – drawing a shape in a box beats even the most scrambled text captcha in terms of user unfriendliness. Again, one more alternative that makes reCAPTCHA look like a usability darling. :)

  • Tim Van Buren

    I wrote about CAPTCHAs and two uncommon versions of spam prevention on my blog at http://techwizguy.blogspot.com/2011/07/solve-medias-captchas-wont-solve.html.

    Basically, there are two types of spam vectors you are trying to defeat: Bots, and paid CAPTCHA solvers. I have found two good ways of defeating them that have worked well for my applications.

    The Sortables CAPTCHA I wrote about probably doesn’t pass the accessibility test, but it keeps the spammers out. The encoding defense is transparent to the user in general, but I am not sure if screen readers interpret Javascript.

    Also, it seems to me that providing a task that is inaccessible to foreign language speakers is a good idea, since that includes 99.99% of the spammers, and 0% of an English language based website’s users. I would imagine that presenting a language based test might work for a lot of non-English websites as well.

    • adaivanoff

      Excluding international users might be an option for some sites – i.e. an English-language blog where the content is only in English and you do need to know the language to post comments – but in many other cases this won’t work. For instance, on an ecommerce site you don’t need to be fluent in a language to register or to place an order. If you enable CAPTCHA or anything else that is hard or impossible to solve without at least some knowledge, you are directly losing sales.

  • http://www.buildyourownwebstore.com/ Jacco Blankenspoor

    I thought the same as you, that it was for digitizing books (even though those must have been some strange books lately :-). But it turns out they are using it for more than just books; this is what Google has to say about it:

    “reCAPTCHA offers more than just spam protection. Every time our CAPTCHAs are solved, that human effort helps digitize text, annotate images, and build machine learning datasets. This in turn helps preserve books, improve maps, and solve hard AI problems.”

  • http://www.buildyourownwebstore.com/ Jacco Blankenspoor

    The Magento community forum is notorious for having like the worst captcha ever. I gave up several times just because I couldn’t get through it, and tons of people with me. And they have this system for years… ;-( Just imagine how much valuable knowledge is lost here.

    • Tim Van Buren

      The spammers seem to have no trouble with the Magento forums CAPTCHA. Have you been there lately? Ugh.

      • http://www.buildyourownwebstore.com/ Jacco Blankenspoor

        No, I haven’t. Seems I’ve been beaten by spammers ;-)

  • http://www.mithunjj.com/ Mithun John Jacob

    The world does not need any Captcha. It’s time to bid it goodbye.

    I wrote SASLA with all the following points in mind (that are coincidentally mentioned in this article):

    It must be accessible.

    It must be non-disruptive and transparent to the end user.

    It cannot detract or distract from the primary purpose of the page.

    It must be automated or require very little moderation on a large scale.

    It cannot be a 3rd-party service.

    SASLA can be found at http://mithunjj.com/sasla/

    • adaivanoff

      Could you please tell us more about how it works?

      • http://www.mithunjj.com/ Mithun John Jacob

        Hello Ada Ivanoff,

        It works on the concept of Honeypots, that you’ve mentioned in this article.

        My main motivation behind the creation was that I wanted a simple, easy-to-implement anti-spam solution that doesn’t require an action on the user’s part and that will prevent 99% of spam.

        I would be grateful if you mention SASLA in the honeypot section of your article so that viewers can select my solution if they want.