CAPTCHA: Inaccessible to Everyone

Gian Wild

What’s a CAPTCHA?

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

On the webpage, a CAPTCHA is a security measure designed to keep out robots by asking the user to key in characters displayed in a box.

Yes, that’s the one: where you have to decipher some squiggly words and enter them in a field before you can submit an online form. And often do it three or four times before you’re successful.

For example:

CAPTCHAs

For more information on definitions, see the comprehensive Wikipedia article on CAPTCHAs.

As far as the real world goes, there are some real doozies out there, like the moving CAPTCHA we found recently in an audit (we’re rebuilding the site so it won’t be there long!)

John Foliot found some inexpressibly confusing CAPTCHAs, an article which is worth a read – please note there is a lot of movement in the article (and no it doesn’t fail the flickering accessibility requirements even if it looks like it)!

Why are there so many CAPTCHAs?

Really, the world would be a much easier place without CAPTCHAs. They are confusing and difficult and we are all time-poor. And surely people want us to use their web site / submit their form / sign up to their newsletter?

The reason that there are so many CAPTCHAs is that there is so much spam in the world. They are perceived as an effective way to prevent robots from, for example, posting comment spam on blogs.

Another common use is to prevent robots with more criminal intent from logging into online bank accounts and the like.

The CAPTCHA is, in reality, a reverse Turing test – performed by a machine to make sure the person filling out the form is, well, a person.

This is also why they are often difficult to interpret. If they were easy to read, then machines could read them, and that would defeat the point.

What about accessibility?

Not only are CAPTCHAs difficult for anyone to use, they are notoriously inaccessible to people with some types of disabilities.

In fulfilling their designated brief of keeping out machines, they keep out people using assistive technologies such as screen readers, thereby closing the door on millions of blind people. So, if you’re blind, use a screen reader and want to log into your CAPTCHA-protected bank account, well … bad luck. Isn’t there a law against that? There ought to be.

There is even a specific section in the Web Content Accessibility Guidelines, Version 2.0 about CAPTCHA, in which their inaccessibility is acknowledged, but the WCAG Working Group feel they can’t be too hard-line about it:

“CAPTCHAs are a controversial topic in the accessibility community. As is described in the paper Inaccessibility of CAPTCHA, CAPTCHAs intrinsically push the edges of human abilities in an attempt to defeat automated processes. Every type of CAPTCHA will be unsolvable by users with certain disabilities. However, they are widely used, and the Web Content Accessibility Guidelines Working Group believes that if CAPTCHAs were forbidden outright, Web sites would choose not to conform to WCAG rather than abandon CAPTCHA. This would create barriers for a great many more users with disabilities. For this reason the Working Group has chosen to structure the requirement about CAPTCHA in a way that meets the needs of most people with disabilities, yet is also considered adoptable by sites. Requiring two different forms of CAPTCHA on a given site ensures that most people with disabilities will find a form they can use.

Because some users with disabilities will still not be able to access sites that meet the minimum requirements, the Working Group provides recommendations for additional steps. Organizations motivated to conform to WCAG should be aware of the importance of this topic and should go as far beyond the minimum requirements of the guidelines as possible. Additional recommended steps include:

  1. Providing more than two modalities of CAPTCHAs
  2. Providing access to a human customer service representative who can bypass CAPTCHA
  3. Not requiring CAPTCHAs for authorized users”

http://www.w3.org/TR/UNDERSTANDING-WCAG20/text-equiv-all.html

The emphasis in the above quote is mine. When they talk about “two different forms of CAPTCHA”, they mean one that requires sight to complete plus one that relies on audio and should therefore be accessible to people with impaired vision. They then acknowledge that still won’t make it accessible to everyone.

In reality, the ones that rely on vision are difficult to use even for fully sighted people, while the audio versions use sounds so distorted that no-one can make them out.

So basically they are inaccessible, but the Working Group decided that if people had to choose between CAPTCHAs and WCAG2 they would choose CAPTCHAs, so they allowed for it anyway.

I believe there are some effective, unique and, most importantly, accessible alternatives to CAPTCHA, but I’ll talk about that in a later article.

What about reCAPTCHA – it’s accessible isn’t it?

In a word, no.

recaptcha

I’m always asked about reCAPTCHA, or what about Accessible CAPTCHA? I have tested numerous CAPTCHAs and I have never come across an accessible CAPTCHA. Feel free to prove me wrong.

But I am also yet to find a CAPTCHA that complies with WCAG2 either.

There is a fundamental disconnect in intent that means it is highly unlikely that a universally accessible CAPTCHA, or even a set of different CAPTCHAs will ever be devised.

CAPTCHAs are, by definition, exclusive: they are there to keep baddies out. Their way of testing “badness” does not allow for the legitimate use of machines. So they will tend to be inaccessible.

To understand how this becomes a negative spiral, you only have to look at the Google Account Sign Up process. In order to make it “accessible”, Google provide an audio version. A group of hackers was able to prove that it could pass the audio test robotically (read more about it in the article Google recaptcha brought to its knees).

Did Google concede the CAPTCHA was a failure and should be replaced by something more accessible? Not a bit of it. Instead, they made the audio more distorted so that a machine couldn’t possibly interpret it correctly – and nor could any human. Seriously. Try the Google CAPTCHA yourself.

One of the hackers pinpointed the problem:

While the changes stymied the Stiltwalker attack, Adam said his own experience using the new audio tests leaves him unconvinced that they are a true improvement over the old system.

“I could only get about one of three right,” he said. “Their Turing test isn’t all that effective if it thinks I’m a robot.”

Couldn’t have said it better myself.

In my next article, I’ll explore how to replace CAPTCHAs with accessible options, while maintaining security and preventing spam.


  • http://www.webdevcontest.com Web Dev Contest

    I’m still fairly young and spend all day on the computer working with websites and sometimes it still takes me 3-4x to get a CAPTCHA correct…I can’t imagine what it’s like for people who have trouble reading simple text to begin with.

  • Zlati Pehlivanov

    Wow, you’re so right. I wasn’t so bad before, but now even with perfect vision, I can’t understand what’s written, I tried the audio, and it’s completely not understandable, it’s like white noise, I saw before one of my favorites anti-robots captchas, was giving me arithmetical tasks, pretty simple and understandable. I’m curious about your opinion on it.

    • http://www.gianwild.com.au Gian

      Yes – that’s actually one of the recommendations I’ll be making in my next article!

  • Jeff Seager

    An equally important issue is usability. The CAPTCHA solution introduces a barrier not only for bots, but for humans, and that is ultimately unacceptable. We should be making the user experience better. And don’t even get me started on all the varied complexity requirements for passwords.

    On the site I maintain in my 9 to 5 job, we use a solution called the “honeypot captcha” that has been simply great from Day One. We got the idea here, way back in 2007:
    http://haacked.com/archive/2007/09/10/honeypot-captcha.aspx

    We’re using ColdFusion to validate instead of ASP.NET, but the concept is exactly the same.

    • http://www.gianwild.com.au Gian

      Another suggestion I’ll be making in my next article!

  • http://timwahrendorff.de Tim

    I am keeping my blog spam free for two years by now with a timecheck only. If sender needs less than 5 seconds between loading the site and commenting on it, I believe this must be a machine. No human can read, scroll and write a comment that fast.

    For other things like “register to the site” I use the honeypot approach like Jeff Seager. I implement input fields with names like “email” and “password”, give them a label ‘Only fill this if you are a robot’ and hide them with css (top:-3000px; left:-3000px;). Spambots will fill them out, but Blind People with screenreaders won’t as long as they don’t feel like a robot or ignore the label.

    Meanwhile: The 90’s called and want their Captchas back!

    • Stomme poes

      I’ve tripped those timers before. Usually I wrote some long-*ss post and when I went to post it, either something timed out or I realised I needed to reload the page with more Javascript (since I block) or whatever. I copy what I wrote, reload the page and paste it in. Sometimes that triggers it, though 5 seconds still isn’t easy to accidentally hit.

  • http://webaim.org/ Jared Smith

    A very good article. We have many suggestions for blocking bots without impacting accessibility at http://webaim.org/blog/spam_free_accessible_forms/

    Of note, is that CAPTCHA *is* WCAG 2.0 compliant, so long as there is both a visual and audio version (such as reCAPTCHA). The guidelines specifically exempt CAPTCHA in these cases.

    • http://www.gianwild.com.au Gian

      Hi Jared

      Yes, it is true that it is WCAG2 compliant, but I don’t believe it’s actually accessible in the real world!

  • http://www.deadnode.org/ James Sutherland

    I’m glad not to be alone here: I’ve been finding text CAPTCHAs increasingly difficult – as well as used excessively; one hosting company, GoGrid, has a CAPTCHA on both the password reset request page *and* on the resulting password changing page!

    Conversely, running an online forum, I found a substantial number of spambots successfully registering and posting junk; the CAPTCHA didn’t seem to bother the spambots at all, but implementing a trivial question about the site itself stopped them dead in their tracks for months. (A fixed question, too, not even anything fancy rotating between a set of possibilities!)

    • Stomme poes

      They could’ve been using Mechanical-Turk-like setups to get their bots past the CAPTCHAs. It’s increasingly popular.

  • http://ozh.org/ Ozh

    The biggest problem isn’t accessibility. It’s the fact that it annoys the hell out of millions of legit human users. I rarely solve a reCaptcha on first try, and prior to trying I always refresh the captcha at least 5 or 7 times to get something not too unreadable.

    • http://www.onsman.com Ricky Onsman

      That’s a narrow-minded comment. You’re saying something “annoying” is more important than not getting access at all? Oh, I see, it’s because it affects YOU. Can’t have that. If only you could experience the web with a disability. I think you’d find it a bit more than annoying.

    • KLMGraphics

      You sir are an ignorant self-centered jack ass.

    • Stomme poes

      Well, I would say for those who use CAPTCHA on their customers, your comment is true: the disabled are a minority and will continue to be even when the Gray Wave of the Baby Boom fully fruits, while CAPTCHA will hit *all* users.

      A company’s incentive not to use CAPTCHA will be preventing form/shopping cart abandonment first and accessibility-for-all last.

      I guess this is one good thing about the badness of CAPTCHA: it annoys so many ‘abled’s that finally they’re in the same boat as disableds… kinda like mobile almost did.

      You (Ozh) actually bother trying a few more times. I give it one try, then leave.

      • Jeff Seager

        I see the fact that it annoys millions of people as an accessibility problem, too. It’s a barrier. So are passwords. Whether it’s a commercial site or an informational site, barriers are a bad thing. If there’s a profoundly good reason to erect a barrier, we’d do better to use something that works like a screen or a filter, without any effect on the people we WANT to use our sites (this is the concept behind the honeypot captcha, which Gian will be explaining in his next article).

        CAPTCHA-type “solutions” punish everyone for the sins of a few. Aren’t we smarter than that? And if we aren’t smart enough yet, don’t we want to be?

      • Stomme poes

        @Jeff (since I can’t seem to reply)

        99% of websites very obviously do not care about barriers they erect against users. If they did, we’d have a mostly accessible web. We don’t. The only accessibility issues you ever see addressed at all are the ones that hit lots of people, including the builders themselves.

        So no, we’re not smarter than that. Wish we were, but we’re not. :(

  • http://rolling-webdesign.com Theo

    Great article, can’t wait to read part two (replace CAPTCHAs …).

  • http://www.sanjuancollege.edu Gary Williams

    As a web-tech at the local college, I understand the inaccessibility problems associated with captchas and refuse to use them. The spam filter I created catches probably 99% of form ‘bots by checking for a hidden textarea. ‘Bots can see it, but normally humans can’t. If it has been filled, more than likely it’s a ‘bot. Has been very successful so far for 5 years!

  • KLMGraphics

    I refuse to use CAPTCHA on my websites and do all I can to talk my clients out of it. After all the reason for them is to make it more convenient for us, so we do not have to deal with the task of monitoring our websites. I personally think the inconvenience to me is much easier to deal with than someone who cannot use them to connect with me or make a purchase.

    When we talk about the fundamental disconnect we should be bouncing this right back at the WCAG on this one. There is nothing about using CAPTCHA that should be walked around when we talk about accessibility! Every time I see a site that uses this I scorn the people behind the site and sign them off as lazy inconsiderate jerks that only want it to be convenient for them. Google should be punished for their piss poor attempt at the audio part of this. This is the most pathetic thing I have ever seen come out of this team of so called smart people!

  • Joy

    I just listened to the Google audio captcha and I can’t even work out how many digits there are supposed to be, let alone what they are.

    The honeypot solution has always worked for me.

  • Stomme poes

    Some light-heartedness: http://www.myapokalips.com/show/23

    [comic of two robots, one showing off its new tattoo to another. We see a CAPTCHA with the word 'retard' on its arm. The other robot says 'Aw, that's a sick tattoo!' and the other replies 'Yeah bro, it means "strength"...']

  • Lee

    Joy said this: “The honeypot solution has always worked for me.”
    On the signup page of honeypot, they use a captcha to log people in.

    • http://www.onsman.com Ricky Onsman

      Lee, I think you’re referring to projecthoneypot.org. They seem to have removed the CAPTCHA (hey, maybe they saw your comment), but in any case you don’t have to be aligned with them to use a honeypot field in your form. It’s just any field that is not visible to humans, but robots will attempt to fill it in. When you verify the form, set the form to reject the submission if there’s any content in the honeypot field, as only a robot could have filled it in. That’s not to diminish projecthoneypot.org’s very honorable aims.

      • http://www.ten-321.com/ Curtiss Grymala

        As much as I like the idea of a honeypot field, I’m not sure it’s really all that more accessible than a CAPTCHA. In order to use it, you have to make sure that machines will be able to discover the field; in doing that, you’re more than likely also making it so that screenreaders (which are also machines) will discover the field.

        How do you provide instructions that a person using a screenreader would be able to understand (“Don’t put anything in this field”) that a spambot wouldn’t be able to figure out pretty easily?

        Am I wrong? Is there a better way to implement the honeypot without inadvertently identifying users of screenreaders as robots?

      • http://www.onsman.com Ricky Onsman

        @Curtiss, you’re absolutely right, that’s a big issue. Even if you could put a message seen only by screen readers, it seems to me a bot could work out which fields are displayed to a user. BUT, the bot that could do that requires a lot of development and is likely to be out there trying to access bank accounts rather than put spam on a blog. I, too, am very keen to see Gian’s suggested solutions, which may or may not include deployment of a honeypot field.

      • Lee

        Ricky,
        Yep, that’s what I thought Joy was referring to. Logging into the honeypot still requires a captcha.

        I agree with the premise of this article but the reality is that there is no solution that will work in every situation.
        One thing I’d like to see happen with Captchas is an expanded pool of options that allow people to select their own method of proving they’re a human: It basically comes down to recognizing patterns. Since patterns are available in all forms, there should be something for everyone’s particular preference.

        For example, I saw one the other day where I had to group the objects by their logical (apples vs orange test).
        Just today I saw one where I had to slide a bar to one side in order to activate the form.

      • Lee

        To continue, I think some of this human detection would be a nice addition to PHP. I don’t see PHP creating the entire functionality but offering built-in functions that facilitate an easier process of detecting human interactions.

        If not PHP, perhaps the Google people could expand the Captcha project to include multiple channels for human detection.

  • http://intechcenter.com George

    I’ll be looking forward to that follow-up article, but just to shoot out a question. What do you think about communities which are invitation-only (to prevent spammers) or community initiatives like OpenComment.org? Could they be the future of this?

    • http://www.gianwild.com.au Gian

      If the site lends itself to invitation only, then sure. But I’m hoping that we can find a better way to stop spam!

  • Christian

    Here’s one where I’m pretty sure I typed in just what I was supposed to: http://developer.cmzmedia.com/?p=305

    • http://www.onsman.com Ricky Onsman

      Did you try putting a space between “movement” and “5”? In cases where two words (or numbers or strings) need to be entered, often you only have to get the first one right. In that case, entering “movement” alone would work, but entering “movement5” would not. Can’t tell from the cropped image whether the instructions clarify that.

      • Christian

        The image doesn’t show a space between “movement” and “5.” Or if it does it’s an extremely narrow one that is maybe one pixel wider than the typical space between two letters in the same word. And if that’s the case it’s one more example of the problems of Captchas.

  • http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html Ray Paseur

    Some of my thoughts on CAPTCHA are in the article at Experts Exchange. Very glad to see you taking this on!

  • http://www.mattearly.com Matt Early

    I think it was Paul Boag that said something along the lines of, don’t let spammers be the user’s problem, but let the spammers be the website’s problem. Meaning, don’t stick up silly CAPTCHA to just stop the spamming, because it annoys the heck out of everyone. Matt x

    • http://www.gianwild.com.au Gian

      Couldn’t agree more!

  • http://Www.ramyasethu.tumblr.com Ramya

    Waiting for the next article: when I propose accessible alternatives to captcha, what I usually hear is it is not secure enough. So, looking forward to the sequel! Thanks!

  • http://www.anysurfer.be Bart Simons

    Since a few days Google has added an option to skip the visual/audio captcha and to proceed with a phone verification. This is either via sms or they call you to dictate the code. I tried it and it works, even in Dutch. Only downside is that you need to give them your phone number.

    • http://www.onsman.com Ricky Onsman

      At least that gives a person who cannot complete a CAPTCHA some way of getting access, but it still puts the onus on the user to prove they are not “bad guys”, when the onus should be on site owners and developers to keep the bad guys out.

  • Andrew Downie

    Most of what I would say has been said already. I am grossly disappointed that WCAG provides a loophole for something that clearly fails the Perceivable principle. Regarding edit fields that should remain empty, I would be extremely cautious about hiding them. Screen readers can present information that isn’t visible, sometimes appropriately and sometimes not. There’s also the risk of messing up things for people using keyboard navigation. Wording on the label/title attribute can be chosen to avoid machines being alerted to the purpose of the field.
    What really frustrates me is that, as mentioned by others, there are simple and effective alternatives.
    I was struck by the irony of Google’s announcement of Google Drive a while back, with the boast about its accessibility. Well, except that I couldn’t create an account.
    Finally, it is unfortunate that Alan Turing’s name is associated with a system that limits rather than promotes personal freedom.
    Andrew

  • Pete

    Captchas are an absolute bane of the internet. Home-made “What’s 1+3-2?” questions are simple, and reasonably easy for people to work out. I guess some spammers can find and attack them, but for most sites, they work well. I absolutely avoid Google’s attempt at a captcha. You’re also inadvertently providing them with information about yourself when you fill them in, and they’re downright sneaky.

    • http://www.accessiq.org Sarah Pulis

      The inaccessibility of CAPTCHAs article cited in Gian’s article mentions that logic puzzles may still cause difficulties for people with cognitive impairment. So although they may work well for most sites, they won’t work well for all people. My mantra is the most accessible CAPTCHA for everyone is no CAPTCHA at all.

  • Emanuele

    Just use Keypic instead of captchas
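
The honeypot field and the five-second time check that Tim and Ricky Onsman describe in the comments above, sketched as server-side validation in Python. This is an added example, not code from the article or from any commenter; the field names, the signing key, the one-hour expiry and the choice to hold fast submissions for moderation instead of rejecting them are assumptions.

```python
import hashlib
import hmac
import time

# All names and values below are assumptions made for this example.
SECRET_KEY = b"constructed-demo-key"   # placeholder; load a real secret from config
HONEYPOT_FIELD = "email"               # decoy field hidden from sighted users via CSS
TOKEN_FIELD = "form_token"             # hidden field carrying the signed render time
MIN_FILL_SECONDS = 5                   # threshold quoted in Tim's comment
MAX_FORM_AGE_SECONDS = 3600            # assumed expiry so old tokens cannot be replayed


def _sign(timestamp: str) -> str:
    return hmac.new(SECRET_KEY, timestamp.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None) -> str:
    """Build 'timestamp.signature' when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def token_issued_at(token: str):
    """Return the render time if the signature verifies, else None."""
    ts, sep, sig = token.partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return None
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return None
    return int(ts)


def classify_submission(form: dict, now=None) -> str:
    """Return 'accept', 'review:<reason>' or 'reject:<reason>' for a posted form."""
    now = time.time() if now is None else now
    # 1. Honeypot: the label tells people to leave it empty, so content means a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "reject:honeypot_filled"
    # 2. The render time must be one the server signed, not a client-supplied value.
    issued = token_issued_at(form.get(TOKEN_FIELD, ""))
    if issued is None:
        return "reject:bad_token"
    # 3. Timing: a reload-and-paste by a real person can also be fast (see Stomme
    #    poes's reply), so these go to moderation rather than being dropped.
    elapsed = now - issued
    if elapsed < MIN_FILL_SECONDS:
        return "review:too_fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return "review:expired"
    return "accept"


def demo():
    """Run constructed submissions against a form rendered at a fixed time."""
    t0 = 1_700_000_000
    token = issue_form_token(now=t0)
    samples = [
        ({"comment": "Nice article", HONEYPOT_FIELD: "", TOKEN_FIELD: token}, t0 + 42),
        ({"comment": "buy now", HONEYPOT_FIELD: "bot@example.invalid", TOKEN_FIELD: token}, t0 + 42),
        ({"comment": "pasted after reload", TOKEN_FIELD: token}, t0 + 2),
        ({"comment": "no token at all"}, t0 + 42),
    ]
    return [classify_submission(form, now=when) for form, when in samples]


if __name__ == "__main__":
    print(demo())
```

Signing the render time is what stops a client from simply posting an older timestamp to get past the time check.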