What do you think of the current campaign to kill off CAPTCHA? Here are my thoughts:

The not so obvious answer to that question is a very definite NO. Without CAPTCHA there would be no more web because the spambots would destroy it.

The reason why anyone would be considering the killing off of CAPTCHA is that they are confusing the idea of attempting to distinguish real people from spambots with one or two particular types of CAPTCHA. What they probably mean when they are referring to CAPTCHA is those obnoxious hard to read images that many sites have been using for several years now as their way of attempting to use a Completely Automated Public Turing test to tell Computers and Humans Apart. Now that particular type of CAPTCHA is close to if not already past its use by date. CAPTCHAs like that are now so common that at least some spambots are able to do a better job of interpreting the content of the image than real people are.

The time for using such obtrusive CAPTCHAs is past as in order to make those images unreadable to spambots they make them unreadable to too big a group of real people as well. If that were the only type of CAPTCHA that exists then yes it would be time to kill CAPTCHA and let the web die with it.

Fortunately that is not the only type of CAPTCHA and a few dozen of the millions of alternative CAPTCHAs are gradually replacing those annoying in your face obtrusive ones that block many real people from access. By using a different sort of CAPTCHA that is easier for real people to use and which currently fools the spambots sites are able to stay online and useful to those real people instead of being swamped by spambots and having to shut down.

One issue that all CAPTCHAs have is accessibility and that no matter which one you use you are going to discriminate against a small number of real people in order to block most of the spambots. Until a perfect CAPTCHA that can distinguish 100% accurately between responses from real people and responses from computers there will always be some that get put in the wrong group. In fact as computers get more powerful this task will become harder rather than easier and a perfect CAPTCHA will be less and less likely.

Any CAPTCHA that you choose is going to be a tradeoff between the amount of spam that floods the site and the number of people that the CAPTCHA incorrectly blocks. Unfortunately the choice is between blocking a small group of people from accessing the site and taking the site down completely. Removing all CAPTCHAs so as to allow everyone easy access usually means that the site will be so flooded with spam as to be unuseable by anyone. Until such time as your site is discovered by the spambots there is no reason to implement a CAPTCHA.


Now there are several basic ways in which we can attempt to distinguish between real people and computers. Those horrible image CAPTCHAs are of the visual type where the distinction is made based on the difference between people and computers to distinguish the content of something visual. Since these CAPTCHAs rely on the real person being able to see and the computer not having powerful enough OCR it discriminates against anyone who can't see or who for whatever reason cannot see images in their browser. To get around this some sites also incorporate a corresponding audio CAPTCHA that tells those who can't see the image what the image contains - hopefully in a way that the computers can't use to solve the CAPTCHA. One alternate visual CAPTCHA that some sites have switched to using is one where a number of images are displayed and the person is asked to click on the image that contains a particular object. Now this is an easier CAPTCHA for people who can see to solve while being far harder currently for computers to solve. Unfortunately this type of CAPTCHA has no audio equivalent and so it potentially discriminates even more against people who can't see the images. Unless sites implementing that type of CAPTCHA also implement some other type of CAPTCHA for those real people who cannot use the visual CAPTCHA then that group of real people are blocked from access even more effectively than the computers are.

A completely different type of CAPTCHA that some sites now implement is where the person has to fill in the answer to a question. A really common one uses simple arithmatic where a calculation is displayed and the person is asked to supply the answer. Foe example "What is 1 + two?". This type of CAPTCHA will work even for those who can't see because the CAPTCHA uses plain text that their web reader can read. This type of CAPTCHA relies on people being able to interpret the meaning of the question and to then be able to provide the answer. Computers are currently not as good at that interpretation and so CAPTCHAs like this currently work. As this type of CAPTCHA becomes more common the spambots will be updated to make it easier for them to work out the answer to the question as well and then this type of CAPTCHA will die out. Another variant of this which would be slightly harder for the computers to solve would be to ask more general questions such as "What colour is the sky?". Unfortunately there is another group of real people who are as unable to solve these types of CAPTCHA and so you are still blocking some real people as well as the computers.

The best types of CAPTCHA are those where the real people will almost always be completely unaware that the CAPTCHA is even there. When the forum on my JavaScript tutorial site started receiving hundreds of spambot signups every day I implemented a JavaScript CAPTCHA on the signup page. This type of CAPTCHA basically discriminates against anyone who does not have JavaScript enabled by blocking them from being able to sign up. Since spambots rarely try to run the JavaScript on the web page they form the largest part of the group that are blocked due to not having run the JavaScript. In this particular case since the site is actually about JavaScript it is reasonable to expect that anyone using the site should have JavaScript enabled. I would not use this type of CAPTCHA on a site on some other topic as there I would not want to block those who have disabled JavaScript. An even better unobtrusive CAPTCHA that I am considering implementing distinguishes based on the amount of time that it takes to fill out the form. Computers are much faster than real people and so the amount of time between their first loading the page containing the form and the form being submitted back to the server will generally be much less than that for a real person who will need to type content into at least some form fields even if their browser fills out others for them automatically. At the very least they will need to take the time to read the form and check that their browser has autofilled all the fields with correct information before they submit. Unless the spambot has a deliberate delay built in so that it waits a while before submitting the form, the computer submitted form should arrive back at the server much sooner than one filled out by a real person. This time difference can be used as an unobtrusive CAPTCHA. Any forms that take more than a selected amount of time can be automatically accepted as having been filled out by a real person. Those returned more quickly can be rejected. This particular unobtrusive CAPTCHA has the additional benefit that were it gets it wrong and rejects a form submitted by a real person it doesn't need to be the end of their ability to submit the form. The rejected form can be redisplayed perhaps now incorporating some other type of CAPTCHA that is more obtrusive. The end result would be that only those people who fill out the form so quickly that they are suspected of being a bot will need to deal with any of the other types of CAPTCHA mentioned above. Those with the types of disability that mean they get grouped with the computers for those types of CAPTCHA are the groups least likely to fill out the form too quickly and so this combination of different types of CAPTCHAs keeps those real people misidentified as computers to a minimum.

By combining a time CAPTCHA with a JavaScript one you could set things up so that only those who both have JavaScript disabled and who can fill out and submit the form as fast as a computer can will be misidentified as computers. The two groups of people who would be misidentified by either of these CAPTCHAs would be very small and no one else would need to know that the form incorporated not one but two unobtrusive CAPTCHAs.

Using CAPTCHA will become more and more important in the future as more sites are attacked by spambots and those bots become smarter at solving the more commonly used CAPTCHAs. The types of CAPTCHA that people use will change and hopefully become less obtrusive as further ideas on how to distinguish between people and computers are developed. It is time for those horrible image CAPTCHAs to die but only by replacing them with some other form of CAPTCHA that is at least as effective at blocking computers while hopefully minimising the number of real people who get blocked as well.