New Webmasters > Accessibility > What Are The Alternatives to Captcha?

What Are The Alternatives to Captcha?

By corbyboy January 21, 2009 Post a comment
A Classic Captcha

A Classic Captcha

It is probably not unreasonable to say that everybody who has ever used the Internet has come across a Captcha before, even if they did not know that is what it is called. Just to get everybody up to speed, a Captcha is an image of a word or random text that you have to type into a box to verify that you are a human.

Captchas on the web are a pain for visitors. As hackers and crackers become more sophisticated, Captchas need to become more difficult to break. If you regularly see Captchas that you cannot solve then you are not alone. It is not just people with physical or visual impairments that struggle with Captchas, what about people with javascript or images disabled? Or what about people using mobile phones?

So we know what the problems are with Captchas, but what are the alternatives?

Image Recognition

Kitten Auth - Asking you to Recognise Images

Kitten Auth – Asking you to Recognise Images

Instead of having an image of some text that you type into a box, you will see a selection of pictures or photographs. You will be instructed to “click on the pig” or “choose the red flower.” So long as you follow this instruction correctly, the system will verify you as a human.

For

  • Harder for a computer bot to recognise a picture than a string of text

Against

  • Still requires the use of images, so a problem for visually impaired users
  • Usually requires javascript to be enabled
  • Only a certain number of images can be used, so eventually they will start to be repeated

Sound Recognition

This is often provided as an alternative to regular text Captchas. A user listens to a word or a string of letters that are spoken and types them into the box for verification.

For

  • Using it as an alternative for text Captchas doesn’t impede visually impaired users

Against

  • Very difficult to implement technically
  • Still open to attack by bots that can recognise sound
  • If used by itself will discriminate against deaf users

Multiple Choice Question

You add a short sentence with a missing word to your form and give your users a few options to choose from to fill in the gap.

For example you could use “I have a ______ car.” The options could be “red”, “house”, “monkey” and “spoon.” Only a human would be guaranteed of getting the answer right.

For

  • No requirements for javascript, sound or images

Against

  • If a bot randomly guessed an answer, ther is still a 25% chance it will guess correctly.
  • There is a limit to how many questions you will be able to use. A bot could be programmed with all the correct answers.
  • It may prove to be a problem for users who do not speak you native language

Hidden Form Elements

This solution sounds technical but it is actually quite simple to implement. Many bots scan the source code of your page for form elements. They give all these elements a value depending on what the field name is. For example if you have a field name called “email,” it is not difficult for the bot to guess what type of data is required in that field.

If you introduce a dummy form field into your form and hide it with a style sheet, the bot will not know it is an invisible field and will insert a value into it. You will find it easier to trick the bot into filling in this field by calling it something like “Name” or “URL.” You can hide a form field by using the style attribute display:none;

On processing the form, any submissions that have a value for the hidden field can be regarded as submissions by a bot and investigated or discarded.

For

  • Technically, it is very easy to implement
  • No reliance of javascript or images, but does require stylesheets to be enabled

Against

  • As soon as a spammer becomes aware of your system, the bot can be modified to avoid filling in the field

Filtering Content

Akismet Can Remove Spam From Your User Generated Content

Akismet Can Cleanup Your User Generated Content

In my opinion, the future of preventing spam is about analysing what is being posted. Spammers are using the form on your website in order to post their content and links on your website. The most common areas are blog comments, wikis and forums. Therefore it is useful to think about filtering these posts themselves rather than validating the form that was submitted.

Akismet is a system designed to do just this. It is produced by the people who created Wordpress and it analyses the content of what is posted to determine if it is likely to be spam. The system has analysed billions of messages and is highly effective. You do not need to store anything on your own server because Akismet handles eveything remotely.

Akismet is very popular on Wordpress blogs but can be integrated to analyse any user submitted content. It won’t stop bots from submitting registration forms, but you can still block any content that they might submit.

For

  • No need for installation or storage of messages
  • Very, very accurate

Against

  • Relies on an external service, so it is beyond your control
  • Not free for commercial purposes

In Summary

Google's Difficult Captchas

Google’s Difficult Captchas

Despite the many problems associated with their use, Captchas are very prevalent on the web. This article is intended to make you think twice before you blindly drop in a Captcha. How many potential visitors (or even customers) are you going to lose by putting such a barrier in their way? You need to decide if the trade off is worth alienating a large group of potential visitors, or is a more intelligent solution available?

Share this page with others
  • Digg
  • del.icio.us
  • Facebook
  • Mixx
  • Google Bookmarks
  • Furl
  • Reddit
  • blogmarks
  • Propeller

Most Commented Posts

Print This Post

Discussion

2 comments for “What Are The Alternatives to Captcha?”

  1. This is a very good article. Well done.

    I am very much against all forms of CAPTCHA for all the reasons you’ve highlighted above and more. They are anti-user, and they don’t really provide any real security, unless your idea of security means that all humans can be trusted whereas all machines/scripts can’t.

    Posted by mmj | February 1, 2009, 8:31 am

  2. This is a problem I’ve struggled with for some time and haven’t really found the ultimate solution.

    The best solution so far has been to request the browser to sign the request with a key-pair sent from the server. A browser can be “asked” to identify itself with an ajax request to obtain the server’s public key, and a one-time token can allow for it’s signature of the action – whatever it is: creating an account, posting a message, uploading files, clicking through all the pages of the site really fast (in script-like fashion), etc…

    Posted by Weston | January 14, 2010, 4:49 am

Post a comment

More Recent Articles

How to Manage Email Accounts for Multiple Websites
October 22, 2009
Why Ebay Never Ceases To Amaze
September 30, 2009
How Good Are Search Engine 404 Error Pages?
September 22, 2009
Make Money All Over The World With Geographic Targeting
September 9, 2009
Finally! A Web Server Backup Solution You Can Actually Use
June 20, 2009
Webmaster Essentials: Why Backing Up Is Important
June 15, 2009
Do We Still Care About Bandwidth And Server Load?
April 12, 2009
The Power Of Ranking For Spelling Errors
April 3, 2009
How About An Ironic Screenshot?
March 31, 2009
Server Redirects – Using The Correct Status Code
March 24, 2009