CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) are the squiggly letters or words you are asked to type when you complete a web form. Systems use them to check that you are a human rather than a bot. Whilst the tests are currently effective at thwarting spam, they will never be a long-term solution.
1. CAPTCHAs are inaccessible
The majority of CAPTCHAs ask you to visually recognise and identify a series of symbols. That is hard enough for people with perfect sight, but it can be impossible for those with impaired vision. Some systems do provide an audio alternative, but this simply gives hackers two methods of attack.
2. It’s not a Turing test
Humans can normally spot a machine masquerading as a person – the standard definition of the Turing test. However, CAPTCHAs depend on a machine differentiating between a human and another machine. That’s a far more difficult proposition especially since Optical Character Recognition software gets better every day.
3. All CAPTCHAs can be cracked
Computers will become faster and software will become more sophisticated. It is inevitable that all CAPTCHAs will eventually be cracked.
CAPTCHA-cracking is already a lucrative hobby for many hackers. However, human effort can be just as effective: why spend thousands on complex software when the task can be outsourced to hundreds of workers in India?
4. CAPTCHAs are getting more difficult
The simple solution to a cracked CAPTCHA is to make the test more difficult. How many times have you failed a CAPTCHA test? Some have become ridiculously hard, and many of the alternatives are worse, e.g.
- the totally indecipherable cats or other animals on letters (yes, rapidshare.com, I’m referring to you!)
- draggable objects that do not work without a mouse and can still be spoofed
- simple questions that are even easier to hack than CAPTCHAs, e.g. “what is the total of 1 plus three?”
- or Google’s new image rotation CAPTCHA, which requires client-side coding, and hackers probably have a 1 in 10 chance of randomly rotating to the correct angle.
5. CAPTCHAs measure ability
The fundamental problem with CAPTCHAs is that they measure ability: your effectiveness at interpreting a fairly unreadable set of letters. However, computers are already effective at synthesising some human abilities and will improve.
Perhaps it would be better to detect human behaviour. When most people complete an online form, they scroll down the page, click boxes, add text, pause, highlight segments, delete and retype sections. Random page interaction could be a better indicator of human activity than a test of ability.
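To make the behaviour-detection idea above concrete, here is an added example (not code from the original article or its author) of a heuristic scorer that runs over a recorded trace of form interactions: time to submit, variety of interaction types, irregularity of keystroke timing, and whether the user made corrections. The event names, thresholds and the two sample traces are assumptions constructed for illustration; in a real deployment the trace would be collected client-side and scored on the server.

```javascript
// Added example (not from the original article): a heuristic "human-likeness"
// scorer for form-interaction telemetry. Event types and thresholds are
// assumptions chosen for illustration, not a published scheme.

// An interaction trace is an array of {t, type} objects, where t is
// milliseconds since page load. Assumed event types:
// scroll, focus, keydown, backspace, click, paste, submit.

// Time gaps between consecutive keystrokes (keydown or backspace).
function interKeyIntervals(events) {
  const keyTimes = events
    .filter((e) => e.type === "keydown" || e.type === "backspace")
    .map((e) => e.t);
  const gaps = [];
  for (let i = 1; i < keyTimes.length; i++) gaps.push(keyTimes[i] - keyTimes[i - 1]);
  return gaps;
}

// Population standard deviation; 0 for an empty list.
function stddev(values) {
  if (values.length === 0) return 0;
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  const variance = values.reduce((a, b) => a + (b - mean) ** 2, 0) / values.length;
  return Math.sqrt(variance);
}

// Returns {score, signals}; score is in [0, 4], one point per satisfied signal.
function humanLikenessScore(events) {
  const submit = events.find((e) => e.type === "submit");
  const submitTime = submit ? submit.t : Infinity;
  const types = new Set(events.map((e) => e.type));
  const gaps = interKeyIntervals(events);

  const signals = {
    // Humans take seconds to fill in a form; scripts submit almost instantly.
    tookTime: submitTime >= 3000,
    // Several distinct interaction types (scroll, click, focus, typing...).
    variedInteraction: [...types].filter((t) => t !== "submit").length >= 3,
    // Human keystroke timing varies; synthetic events tend to be uniform.
    irregularTyping: gaps.length >= 4 && stddev(gaps) >= 30,
    // Corrections (backspace) are common for humans, rare in scripted fills.
    madeCorrections: types.has("backspace"),
  };
  const score = Object.values(signals).filter(Boolean).length;
  return { score, signals };
}

// Decision helper. A low score means "needs a second look", not "block":
// a scripted browser can replay a plausible trace, so this is evidence,
// not proof, and belongs behind other defences rather than in front of them.
function classify(events, threshold = 3) {
  return humanLikenessScore(events).score >= threshold ? "likely-human" : "review";
}

// Constructed sample traces (not real telemetry).
const humanTrace = [
  { t: 800, type: "scroll" },
  { t: 2100, type: "focus" },
  { t: 2400, type: "keydown" },
  { t: 2530, type: "keydown" },
  { t: 2610, type: "keydown" },
  { t: 2900, type: "backspace" },
  { t: 3050, type: "keydown" },
  { t: 4200, type: "click" },
  { t: 6500, type: "submit" },
];
const botTrace = [
  { t: 10, type: "focus" },
  { t: 11, type: "keydown" },
  { t: 12, type: "keydown" },
  { t: 13, type: "keydown" },
  { t: 14, type: "keydown" },
  { t: 15, type: "keydown" },
  { t: 20, type: "submit" },
];

console.log("human:", classify(humanTrace), humanLikenessScore(humanTrace).signals);
console.log("bot:", classify(botTrace), humanLikenessScore(botTrace).signals);
```

The constructed human trace satisfies all four signals and scores 4; the scripted trace (instant, uniform keystrokes, no corrections, only two interaction types before submit) scores 0 and is routed to review. The thresholds are deliberately loose so that slow typists or keyboard-only users are not penalised, which matters given the accessibility point made earlier.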
Despite all the problems, CAPTCHAs are often used as the first line of defence in even the most basic web forms. They should be the last.
Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.