Why You Should Stop Using CAPTCHAs

By / Nov 16, 2010 / Tips
shares

There are few amongst us who won’t have, at some point or another, filled in a CAPTCHA code. CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart” and they are most commonly used to stop automated submissions of web forms, such as registration or contact forms.

CAPTCHAs are widespread, but are they actually damaging the usability of your website? I would argue that there are better alternatives to CAPTCHAs and that you should break the habit of using them on your sites.

Once upon a time, there was a CAPTCHA code…

CAPTCHA frustration

Let me tell you a short story by way of introduction. Yesterday, I was trying to register on a website. The website in question employed one of the worst CAPTCHA codes that I had ever seen. It looked like a child had written something with an ink-starved pen and then left the piece of paper out in the rain. In a way, it was quite artistic, but unfortunately it was also totally illegible.

I had a go at deciphering it, made my submission, and I wasn’t surprised to be thrown back with an “incorrect code entered” message. “Oh well”, I thought, “the next CAPTCHA they give me can’t be as bad as that one was.”
It wasn’t. It was worse.

This one resembled the stains left on my carpet when my cat has engaged in a midnight feast on an unsuspecting rodent. Not only was it also illegible, but I also couldn’t give it any credit for being artistic this time. I really wanted to register on this site though, so I screwed up my face, got my eyes as close to the screen as possible before my focus started to distort, and tapped the letters and numbers into my keyboard.

“Incorrect code entered. Please try again.”

Now, as someone who works in the web design industry, I have a fairly decent attention span on the Internet; probably more so than most of Joe Public. But by this time, I was getting frustrated. I didn’t have time for this.

So I left the site open and opened a new tab, just to curiously check to see if I’d missed an alternative service provider in the same sector. As it happens, I had.

A few clicks later, and no CAPTCHA code to be seen, I was registered on the alternative site, and my business was winging its way into the hands of this other website’s proprietor.

Are CAPTCHA codes damaging your clients’ websites?

My experience yesterday got me thinking. Most will agree that CAPTCHA codes are annoying, but in most cases, we accept them as an unavoidable step in the battle against bots and spam. But what if it was shown that CAPTCHA codes are not only damaging the usability of your website, but also hampering the ability of your site to create leads, generate sales or otherwise function and interact with your audience?

The reality is that for the vast majority of the sites that we build as web designers and developers, we don’t really have to worry about targeted attacks on our contact and registration forms. Using a CAPTCHA code on most sites is like using a Humvee to crack an egg. If you’re developing a high-profile site or security critical web app, then sure, perhaps a CAPTCHA is going to provide you the most protection. But even then, you should be weighing up the risks and usability trade-off and asking yourself if there is a more user-friendly alternative. Oh, and by the way, there is a business in breaking CAPTCHA codes, so even if you use one, you’re not necessarily safe from a concerted effort to break it.

And if all you have to worry about is protecting a form from generic spam bots, then there is definitely no excuse; you don’t need a CAPTCHA; there are more user-friendly alternatives.

Think about it; you’ve developed a beautifully thought-out website with clear user-funnels, calls to action, with everything gently pushing your visitors towards registering, purchasing, enquiring or otherwise completing a goal, and then you stick a dirty great squiggle at the end that your users have to decode before completing the task. It’s a bit like spending weeks gently building up to asking someone out on a date and then vomiting down your shirt when you pop the big question.

The good news is that there are plenty of alternatives to CAPTCHAs. Really, you don’t need them anymore! A quick search on the Internet will turn up plenty, but here are a few I’ve picked out:

Simple Maths Questions

Maths

This one is quite popular, and definitely less intrusive than a traditional CAPTCHA. For instance, your form may ask the user “what’s 3+2″ and will then validate it server-side.

Use Javascript

javascript

One of my favorite methods is to do the whole verification process transparently client-side, whereby on form submission, a Javascript function is called to perform some simple arithmetic and push the result into a hidden field which is then verified server-side. This is a good one to use if you know that your user-base is going to have Javascript installed. Indeed it’s arguable that it’s worth using even at the expense of the small number of people who have Javascript disabled. For example, what’s more damaging? Using a CAPTCHA or using Javascript? The answer to that is down to you though.

Use Pictures

You could present a set of pictures and, for example, ask the user to select the rabbit and the cat. If this technique suits your brand, then why not try it? Perhaps not advisable to use on an Undertaker’s site or in any other “non-quirky” situation though!

Completion of a simple task

currybet.net

I saw the CAPTCHA used on Martin Belam’s blog the other day and not only does it do the job, it also made me chuckle. Asking a visitor to complete a simple task like this takes almost no extra time or thought; unlike a traditional CAPTCHA.

Use a service like Akismet

Akismet

Akismet is an excellent spam-filtering service for blog comments: use this and you’ll hardly have to worry about spam on your blogs ever again.

Put up with it

gmail

Depending on the situation, it may be worth you asking yourself; “should I just put up with a bit of spam”. If the output of your website is an email, then modern spam protection on services such as Gmail are so good that you should really consider just ripping out the CAPTCHA altogether. If it helps your sales or enquiries, then perhaps a bit of spam is a price worth paying?

CAPTCHA still gotcha?

recaptcha

Not convinced? No problem, that’s OK. But if you’re going to use a CAPTCHA, at least use a good one. reCAPTCHA is considered one of the better ones.

Wrapping things up

That pretty much sums up my thoughts on the subject of CAPTCHA codes and if you take away just one thing from this article, let it be that you always consider the usability of your websites first and foremost. If you don’t, it could cost you or your client their next sale.

I’ll leave you with one last CAPTCHA idea, courtesy of xkcd

xkcd

About the Author

Oskar Smith is a digital creative, and runs web design company Esvelte, based in the north of England. Oskar has been working the web industry for over 8 years and when not in front of a computer you'll find him behind a guitar or on top of a windsurf board. He also writes a blog and you can follow him on twitter.

91 Comments

  1. Web Technology News
    November 22, 2010

    Cat Captcha!

    I did this a while ago but forgotten where it is now. I have a bunch of pictures of cats and dogs, they are put into an array, randomised positions, trimmed to a certain length then shown on the comment area. You just have to click the pictures of the cats. Of course if that code got public the spammers would just have the bitcode for each image to identify it.

    Personally if you’re a coder spent that extra 30 minutes making your own UNIQUE solution. Spam bots go for easy targets and will attack sites that use commonly known Captchas. Math questions won’t last long, they’ll be hacked in no time. It’s just another challenge for the spammers, and probably a fun one too because they need to get into javascript processing and image reading.

    Using a remote service is probably a good idea if you don’t have the time/skills to do your own – and they’re also pretty reliable.

    Reply
  2. Sascha
    November 22, 2010

    As already pointed out the alternatives given here are themselves CAPTCHAs – maybe you should change the title of this article then as well…

    Reply
  3. Magnus Ohlin
    November 22, 2010

    Excellent post, many good new ideas for solving this problem that captchas is.

    Reply
  4. Erico Lisboa
    November 22, 2010

    love the article.

    cheers!
    E.

    Reply
  5. Antonio
    November 23, 2010

    A medium skilled hacker can develop some math expression engine for these challenges. I prefer pictures :)

    Reply
    • Angelee
      November 30, 2010

      I totally agree! I should’ve posted my comment here…. :)

      Reply
    • Ashley Sheridan
      January 17, 2013

      Pictures are a no-no, ask anyone who’s blind. Unless you put decent alt text on the images, but then it’s easy for a bot to pick up and you accomplish nothing.

      Personally, I favour the math question but with a twist. On my site, instead of numbers I’m using mnemonical phrases, so “a bakers dozen” represents 13, “number of legs on 2 dogs” is 8, etc. The main disadvantage is the language barrier, as people outside of the UK are unlikely to know things like a bakers dozen, but that’s my level of acceptability.

      Reply
  6. Roger
    November 23, 2010

    Great article Oskar! Thanks for suggesting the alternatives.

    Reply
  7. Markus@enkelmedia.se
    November 23, 2010

    Great post!

    What about using a timestamp in a hidden field. If the page is poster to “fast”, lets say in less den one sec – that sound most likely be spam robots.

    Is this a good approach?

    Reply
  8. JER0EN R0LAND
    November 24, 2010

    put this in Windows hosts file” and it Should Stop Using CAPTCHAs., easy missing code.
    127.0.0.1 recaptcha.net
    127.0.0.1 http://www.recaptcha.net
    127.0.0.1 api.recaptcha.net
    127.0.0.1 http://www.api.recaptcha.net
    127.0.0.1 api-secure.recaptcha.net
    127.0.0.1 http://www.api-secure.recaptcha.net

    Reply
  9. webdesignerslog
    November 25, 2010

    Nice Post … I’m agreed with Oskar … bad CAPTCHA is really a headache…

    Reply
  10. Thomas
    November 26, 2010

    Loved this article. CAPTCHAs have been a thorn in my side ever since I first saw them. The list of alternatives was great, and I think that by far the best of the bunch was the image selection. Of course this still causes problems for blind people, but those audio captcha things are worse than the visual ones!

    Reply
  11. Maxime De Greve
    November 27, 2010

    ZURB wrote also an article about this some time ago, their article was based at results bij SEOMOZ. Have a look here: http://www.zurb.com/article/285/its-official-captchas-are-bad-for-busines

    Reply
    • Oskar Smith
      November 29, 2010

      Aha, nice find. Check Maxime’s link out people: some stats to back up the article!

      Reply
  12. Carson
    November 30, 2010

    Is Recaptcha REALLY considered one of the better ones? I despise it, its words are always among the least legible CAPTCHA codes I see.

    Reply
  13. Young Deezy
    November 30, 2010

    Great article, good solutions unless the maths questions. Robots answer them. According to me, pictures are the best. Of course no choosing color question, because of color blind people!

    Reply
  14. Angelee
    November 30, 2010

    I haven’t seen a site which uses pictures yet. It must be real fun to choose the best and appropriate photo plus it can be a good place to show creative graphics. I have the same opinion here, sometimes we’re just not too patient to fill-out long forms ending with unreadable codes.

    Reply
  15. Ryan Carson
    December 21, 2010

    There’s a good reason as to why you wouldn’t use pictures. Web Accessibility!

    Rate limiting is certainly one way to slow down the spammers. You can and probably should use a script to block them when detected via htaccess.

    Reply
  16. Eric
    December 30, 2010

    The beauty of the math question is that it isn’t overused yet. Spammers would look to break distorted words, or hack into the captcha database of the site, but if you ask a math question, it won’t be stored in the database, it isn’t common yet so hackers aren’t going to waste their time (yet), and it’s simple enough for anyone to answer (and if they can’t answer it, do you really want them commenting on your blog/contacting you through a form/registering on your site?).

    Of course, give it a few more years and it’ll be worthless. So the best option is to keep changing it. Use a math question, then ask the visitor to spell out a word that you give them, then ask a question (and give the answer right next to the captcha box if you want), then ask them to re-enter 1 part of their registration info (re-enter the last 4 digits of your phone number, etc, etc). All of those would be easy for a spammer to get through, but if you keep rotating them, you don’t really have to worry about it. Just an idea…

    Reply
  17. Mark Entingh
    January 4, 2011

    I developed a sort of revolutionary CAPTCHA engine that is unlike any other. It displays 3 images, then asks you to click on a specific part of one of the images. “Click on the nose of the woman to continue”. It uses javascript to grab x & y coords where you clicked, sends the x & y to the server, and the server checks an image with shapes of color on it to see if the x & y coord is touching the right color.

    As a developer, all I have to do is build a database of photos paired with images that have shapes of color scattered on the image, where each color represents an object on the photo. I can use people, toys, places, even holidays (pumpkins & ghosts & santa).

    You can see it being used on the log in form for http://www.rennder.com

    Reply
  18. Steve Garufi
    January 6, 2011

    The question piece is the best. Mine: “What is the most common color of grass?” It works so well! :)

    Reply
  19. GIK Web Design
    August 31, 2011

    I started reading this article and thought if I take CAPTCHAs off my sites it will just lead me to a world sorting through spam (I get enough now with the CAPTCHA on). However I do like the alternatives particularly the pick a picture one. Its takes away the biggest problem with a simple CAPTCHAs actually making sense of the image.

    Reply
  20. Carl
    December 1, 2011

    I just Stumbled this page and I’m glad I did. I have a little blog that uses CAPTCHAs that even annoy me, and I’m wondering why I don’t get many comments. It’s amazing what you can miss when you can’t see the wood for the trees.

    And look here, as I type this comment, no awful code to decipher, just a nice Submit Comment button. Great article, many thanks.

    Reply
    • Web Cooperative
      January 4, 2012

      Agree with Carl. CAPTCHAs are one of the most irritating features of websites and I tend to avoid sites that use them. I’ve never had reason to implement them on sites I’ve created either. There are always more subtle and user friendly ways to avoid them as Oskar points out in the main post.

      Reply
  21. Warren
    February 20, 2012

    Although it seems this is, at the moment, a losing battle, I want to thank you for this article! Of course I am here as a result of captcha induced rage :D

    Reply
  22. Fizz Web Design
    October 6, 2012

    Captchas can be a lot of excess code churning away in the background for what is essentially a simple task, if you’re looking to just avoid the spam advertising then i like steve garufi’s idea – it forces a thought process to complete the task but remains lightweight & simple.

    Reply
  23. BLuFeNiX
    October 19, 2012

    Never, ever, ever, put the authentication method on the client side. If you use javascript to handle your captcha, all you are doing is letting the spambot change a couple variables and get right in, but making your users suffer.

    Reply
  24. Tim
    November 20, 2013

    I know this is an old post – but why can’t you just use the following challenge:

    “What is this?” (question to the viewer) next to a picture of an apple.

    Then check for the word apple/Apple etc and only submit if it is correct…

    This is probably a naive solution, but can BOTs interpret pictures and get roud this?

    Reply

Leave a Reply