Why You Should Stop Using CAPTCHAs

By / Nov 16, 2010 / Tips
There are few amongst us who won’t have, at some point or another, filled in a CAPTCHA code. CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart” and they are most commonly used to stop automated submissions of web forms, such as registration or contact forms.

CAPTCHAs are widespread, but are they actually damaging the usability of your website? I would argue that there are better alternatives to CAPTCHAs and that you should break the habit of using them on your sites.

Once upon a time, there was a CAPTCHA code…

Let me tell you a short story by way of introduction. Yesterday, I was trying to register on a website. The website in question employed one of the worst CAPTCHA codes that I had ever seen. It looked like a child had written something with an ink-starved pen and then left the piece of paper out in the rain. In a way, it was quite artistic, but unfortunately it was also totally illegible.

I had a go at deciphering it, made my submission, and I wasn’t surprised to be thrown back with an “incorrect code entered” message. “Oh well”, I thought, “the next CAPTCHA they give me can’t be as bad as that one was.”
It wasn’t. It was worse.

This one resembled the stains left on my carpet when my cat has engaged in a midnight feast on an unsuspecting rodent. Not only was it also illegible, but I also couldn’t give it any credit for being artistic this time. I really wanted to register on this site though, so I screwed up my face, got my eyes as close to the screen as possible before my focus started to distort, and tapped the letters and numbers into my keyboard.

“Incorrect code entered. Please try again.”

Now, as someone who works in the web design industry, I have a fairly decent attention span on the Internet; probably more so than most of Joe Public. But by this time, I was getting frustrated. I didn’t have time for this.

So I left the site open and opened a new tab, just to curiously check to see if I’d missed an alternative service provider in the same sector. As it happens, I had.

A few clicks later, and no CAPTCHA code to be seen, I was registered on the alternative site, and my business was winging its way into the hands of this other website’s proprietor.

Are CAPTCHA codes damaging your clients’ websites?

My experience yesterday got me thinking. Most will agree that CAPTCHA codes are annoying, but in most cases, we accept them as an unavoidable step in the battle against bots and spam. But what if it was shown that CAPTCHA codes are not only damaging the usability of your website, but also hampering the ability of your site to create leads, generate sales or otherwise function and interact with your audience?

The reality is that for the vast majority of the sites that we build as web designers and developers, we don’t really have to worry about targeted attacks on our contact and registration forms. Using a CAPTCHA code on most sites is like using a Humvee to crack an egg. If you’re developing a high-profile site or security critical web app, then sure, perhaps a CAPTCHA is going to provide you the most protection. But even then, you should be weighing up the risks and usability trade-off and asking yourself if there is a more user-friendly alternative. Oh, and by the way, there is a business in breaking CAPTCHA codes, so even if you use one, you’re not necessarily safe from a concerted effort to break it.

And if all you have to worry about is protecting a form from generic spam bots, then there is definitely no excuse; you don’t need a CAPTCHA; there are more user-friendly alternatives.

Think about it; you’ve developed a beautifully thought-out website with clear user-funnels, calls to action, with everything gently pushing your visitors towards registering, purchasing, enquiring or otherwise completing a goal, and then you stick a dirty great squiggle at the end that your users have to decode before completing the task. It’s a bit like spending weeks gently building up to asking someone out on a date and then vomiting down your shirt when you pop the big question.

The good news is that there are plenty of alternatives to CAPTCHAs. Really, you don’t need them anymore! A quick search on the Internet will turn up plenty, but here are a few I’ve picked out:

Simple Maths Questions

This one is quite popular, and definitely less intrusive than a traditional CAPTCHA. For instance, your form may ask the user "what's 3+2?" and then validate the answer server-side.

Use Javascript

One of my favorite methods is to do the whole verification process transparently client-side: on form submission, a JavaScript function is called to perform some simple arithmetic and push the result into a hidden field, which is then verified server-side. This is a good one to use if you know that your user base is going to have JavaScript enabled. Indeed, it's arguable that it's worth using even at the expense of the small number of people who have JavaScript disabled. Ask yourself which is more damaging: using a CAPTCHA, or relying on JavaScript? The answer to that is down to you, though.

Use Pictures

You could present a set of pictures and, for example, ask the user to select the rabbit and the cat. If this technique suits your brand, then why not try it? Perhaps not advisable to use on an undertaker's site or in any other "non-quirky" situation, though!

Completion of a simple task

I saw the CAPTCHA used on Martin Belam’s blog the other day and not only does it do the job, it also made me chuckle. Asking a visitor to complete a simple task like this takes almost no extra time or thought; unlike a traditional CAPTCHA.

Use a service like Akismet

Akismet is an excellent spam-filtering service for blog comments: use this and you’ll hardly have to worry about spam on your blogs ever again.

Put up with it

Depending on the situation, it may be worth asking yourself: "should I just put up with a bit of spam?" If the output of your website is an email, then modern spam protection on services such as Gmail is so good that you should really consider ripping out the CAPTCHA altogether. If it helps your sales or enquiries, then perhaps a bit of spam is a price worth paying?

CAPTCHA still gotcha?

Not convinced? No problem, that’s OK. But if you’re going to use a CAPTCHA, at least use a good one. reCAPTCHA is considered one of the better ones.

Wrapping things up

That pretty much sums up my thoughts on the subject of CAPTCHA codes, and if you take away just one thing from this article, let it be this: always consider the usability of your websites first and foremost. If you don't, it could cost you or your client their next sale.

I’ll leave you with one last CAPTCHA idea, courtesy of xkcd

About the Author

Oskar Smith is a digital creative, and runs web design company Esvelte, based in the north of England. Oskar has been working in the web industry for over 8 years and when not in front of a computer you'll find him behind a guitar or on top of a windsurf board. He also writes a blog and you can follow him on twitter.

91 Comments

  1. iPhone Development Company
    November 16, 2010

    With people having too many options and too little time, CAPTCHAs can be really frustrating, and instead a "tick to prove you are not a spammer" option is a better option.

    Reply
  2. Chris – web designer
    November 16, 2010

    I’m finding the maths question to be an easy alternative. I would hate to think anyone would need to use a calculator!

    Reply
  3. Ravi Juneja
    November 16, 2010

    I think we should use Simple Maths Questions

    Reply
  4. Khalid
    November 16, 2010

    “I had a go at deciphering it, made my submission, and I wasn’t surprised to be thrown back with an “incorrect code entered” message. “Oh well”, I thought, “the next CAPTCHA they give me can’t be as bad as that one was.”
    It wasn’t. It was worse.”

    You had also the option to refresh the CAPTCHA, so you don’t need to submit a wrong answer when you cannot figure out which words are used.

    Reply
    • Mike
      November 16, 2010

      Not all CAPTCHAs have a refresh button built in.

      Reply
  5. sarbartha
    November 16, 2010

    2 years back I used to use CAPTCHA. Then I turned it off, because of complex commenting for visitors. Your comment form is simple. Not so junky.
    Commenting systems for blogs like IntenseDebate and Disqus are good to use..

    Reply
  6. Rick
    November 16, 2010

    A simple math equation defeats the purpose completely. You might as well use nothing at all. Ditto for the JS option. Crawlers can evaluate javascript.

    The idea isn’t to make people type something extra for the sake of it. It’s to make people perform a task that computers are bad at. Hence the annoying, distorted text.

    It’s a necessary evil, so I just use reCaptcha.

    Reply
    • Oskar Smith
      November 16, 2010

      Yes the question of whether spambots can read javascript is an interesting one and I’ve read lots of differing arguments on this. No doubt that a bot could be specifically scripted to break a JS protected form on a particular site. But if one was to write custom JS CAPTCHAs for small sites, I doubt the “generic” spambots would crack them.

      But yes, on a higher profile site, I’m sure it wouldn’t take long for a bot to get scripted to break a JS protected form. You wouldn’t find Google, Facebook et al relying on them, that’s for sure.

      The small sites I’ve used JS on have been fine though; no spam whatsoever.

      No doubt now I’ve written this article someone will script a bot to break all my forms and prove me wrong. Lol! ;-)

      Reply
      • Fritz
        November 16, 2010

        It’s not a question of whether bots can read/run javascript. They don’t *have to* at all, so whether they can is moot. Using Javascript as your only form of validation is worthless.

        From what I’ve observed, it’s typically a Human that (at some point) scouts and evaluates your site. Once they find out that you use JS for validation, they can just share the URL and list of fields with their buddies and then all the bots do is a bunch of HTTP Posts — which has nothing to do at all with JS.

        You absolutely must do some form of server-side validation or you might as well not do validation at all. The only reason to do client-side validation is for a smooth UI experience. Not data integrity.

        Reply
        • Oskar Smith
          November 17, 2010

          I think we’re both making the same point actually, in that if you’ve built your own JS CAPTCHA then it will take a human to come along and program the bot to break it. Which, if you’re a low profile site, isn’t going to happen very often (considering how many websites there are in the world).

          It may happen though and if you were using a widely used CAPTCHA plugin for, say, WordPress, the chances of someone bothering to code a bot to break it would increase.

          And yes, in all cases server side validation would need to occur, regardless of what CAPTCHA you’re using to verify data integrity, agreed.

          Reply
          • Fritz
            November 17, 2010

            Actually, I don’t think we’re making the same point at all. ;)

            Your point seems to me to be JS Captcha is good enough for small sites. My point is JS-based validation is worthless for any and all sites.

            Bots don’t do JS. They don’t have to. Once a successful attack vector has been established, it goes to the botnet which then just floods the URL with the appropriate HTTP POST fields.

            And don't fool yourself into thinking that being a small site is some sort of protection. I've had bots hit sites I've set up within days, even before being listed anywhere.

            The best security mentality to have is one of zero allowances. If you have a site, it will be evaluated at some point by a hacker. Then again, I get paid to be paranoid so my clients don’t have to worry about this stuff. lol

            I totally agree, though, about your point on the usability of some of these captcha methods ruining the user experience of some sites.

            Whether to use captcha or not shouldn’t be a quick decision, but should be part of an overall site security plan.

            All that said, I tend to use reCaptcha when necessary. ;)

  7. Amitash
    November 16, 2010

    That's a good simile you used to compare captcha codes with cats and rodents.
    Just like Chris, the web designer said, Math would be a very good alternative.

    Reply
  8. Ferdy
    November 16, 2010

    In my own pet project, a wildlife photo community, I have made the CAPTCHA part of the design. Instead of asking a math question which has nothing to do with wildlife I show them an image of an animal, and they choose which one it is from a short list of answers.

    By the way, if you’re using captchas on a signup form, you may want to consider using oauth to let users use their Facebook or Twitter account. That way you outsource the problem.

    Reply
    • Oskar Smith
      November 16, 2010

      Love the idea of creating a custom designed image based CAPTCHA so it’s in keeping with the whole site theme and brand, nice.

      And yes, the idea of outsourcing a signup/register process to Twitter or Facebook for anti-spam reasons would have been worth a mention in the article actually. Lots of other usability advantages to outsourcing signup/login via oAuth too.

      Reply
  9. Neurostaza
    November 16, 2010

    I think the best idea is to make your own human-test, because even a good (re)Captcha used a million times will have a solution already written by spammers.

    Reply
  10. Peter
    November 16, 2010

    I thought the first 3 paragraphs described your experience with reCAPTCHA … I encounter reCAPTCHA regularly and am rarely able to use the first couple of suggestions.

    But here’s one in case you don’t really want to be contacted :
    http://www.geee.net/contact.htm

    Reply
  11. Drew
    November 16, 2010

    Recaptcha and nothing else.

    I find the prospect of altruistic activity in digitising old books two words at a time appealing.

    I’ve never received any negative comments as a result of usage and in implementations of mailhide recaptcha it has completely killed off spam.

    I would doubt that anyone who has received spam would begrudge efforts to stop it.

    Some of the simplistic ones are rather pointless as spammers OCR technology will easily defeat the more simplistic images.
    What we have to remember, is that if you can think up a method of preventing spam then
    1. It’s already been considered by spam gangs and
    2. They probably have a workaround.
    For example. I run a social network which uses (for cost reasons) an out of the box application – one of the better ones. The captcha on there uses simple images of numbers and we get 30-50 spam signups a day and by the feel of them, they’re automated.

    Recaptcha is the only one I’ve found that actually works.

    Reply
  12. Bert Hofmänner
    November 16, 2010

    I do hate Captchas. Because of that we made a lot of tests of forms without Captchas. First it is important that you use tokens. This way everyone will need to get the token (=see the form) before being able to submit content. Second you can measure the time-difference between loading the form and submitting it. If it takes less than five seconds, it's not human… Those two protection mechanisms worked for some time, but not anymore. Our latest technology is to generate an image with PHP with a token and display it on the page of the form. As bots usually don't load images, that works pretty well…

    Reply
  13. Roman Horokhovatskyy
    November 16, 2010

    Very interesting article. I think that will die definitely in about two years. Quote for the alternatives

    Reply
  14. Max Soe
    November 16, 2010

    Most spam bots fill all the fields in a form. You can create a dummy field in your form, hide it from users using CSS, e.g.
    position: fixed;
    top: -1000px;

    Theoretically a human will never see this field so they will not fill it in. Spam bots on the other hand, will fill them in.

    Server side, figure out if the field is filled. If it is, it’s a bot. If it’s empty, a human filled your form.

    Reply
  15. Jeni
    November 16, 2010

    I often leave it to the client to decide if they want any spam protection, and when to implement it after explaining the pros and cons of captchas. Often I set up forms with no protection, then put in a captcha if they start getting bombarded with spam.

    I've found that math captchas, even though they are more user friendly, are pretty much worthless. I end up using image ones, but ones that are pretty easy for humans to read, and that usually does it. I think that many times people go way too overboard making their captchas unnecessarily hard to read.

    Reply
  16. Justin Carroll
    November 16, 2010

    I dig your writing style. The vomit down the front of the shirt was my personal fav. Good stuff and great points.

    Reply
  17. Elsewine
    November 16, 2010

    Brilliant!
    Thank you so much for making me laugh-off my stress and frustration after being forced to use a captcha form.
    And if I ever need it, I will certainly look into the other options.

    Reply
  18. Mitchell Hall
    November 16, 2010

    Thank You for this excellent article. I personally detest CAPTHAs and refuse to put them on any of my sites. I’m thrilled to see so many excellent alternatives. I definitely plan to use some of these.

    One thing that really bothers me about CAPTCHAs is that some of them are case-sensitive and others are not and in most cases it’s not specified. This just adds another question in the mind of our users and we all know that if our users have to think about how our site works then we’re doing something wrong.

    Reply
  19. Beantown Design
    November 16, 2010

    You should have put a captcha on the comment form for this post, that would have been classic ;)

    Reply
    • Henry Jones
      November 16, 2010

      Ahhh, should have thought of that. That would have been great! :)

      Reply
  20. Blake
    November 16, 2010

    There’s no question that CAPTCHAs are interfering with the user’s experience.

    I couldn’t have said it better myself:

    “It’s a bit like spending weeks gently building up to asking someone out on a date and then vomiting down your shirt when you pop the big question.”

    Reply
  21. Pragmatic Design
    November 16, 2010

    We advise our clients against the use of CAPTCHAs for the very reasons outlined by this article, preferring the simple maths question instead.

    Good article. Thank you.

    Reply
  22. Matt Berridge
    November 16, 2010

    In my opinion, you shouldn't use anything client-side at all. You are giving the user a less user-friendly and more frustrating experience when spam is not the user's problem, it is yours. You are making it theirs by putting in these devices.

    Reply
    • Oskar Smith
      November 17, 2010

      "Spam is not the user's problem, it is yours. You are making it theirs by putting in these devices."

      Perfectly put. I think my article should just get edited and replaced with this; would be much more succinct!

      Reply
  23. Marcel
    November 16, 2010

    I like a simple question. reCaptcha is my least favorite, it’s too big and red and spoils a decent form layout.

    Reply
  24. Chase Adams
    November 16, 2010

    Great read!

    I’ve always hated CAPTCHAs. This post was totally worth reading just for the “Were you sad when Littlefoot’s mom died in “Land Before Time”?” question.

    Reply
  25. Ben
    November 16, 2010

    Captchas are very annoying, but I’m not convinced that the maths problem, or the CSS hidden field alternatives would be as robust.

    Anyway, all the alternatives are also annoying: I’ve seen Facebook ask to verify photos of your friends – and thought that was really irritating! Though admittedly easier than some Captchas, but it did take a long time as I had to identify about 5 people.

    As you have said designers need to consider the trade-off of usability vs Spam, and I agree usability should nearly always win: Spam is annoying to you, but Captchas are annoying to your users.

    Perhaps more creative solutions are needed: a database of Trivial Pursuit style questions for example, or asking the user to identify a famous piece of music, answer riddles or solve a jigsaw puzzle ;)

    Reply
  26. Batfan
    November 16, 2010

    The title of the article should be ‘Why You Should Stop Using Bad CAPTCHAs’. I personally think that there’s nothing wrong with CAPTCHAs but, I definitely agree with the reCAPTCHA mention. That is the only one I will use.

    Reply
    • Oskar Smith
      November 17, 2010

      Indeed, and as someone else pointed out, the alternatives to CAPTCHAs that I mention are themselves… CAPTCHAs…! Semantics, semantics. ;-)

      (Where I say CAPTCHA, I of course mean the squiggly writing ones. A bit like when someone says “pass me the hoover,” they actually mean “pass me the vacuum cleaner!”)

      Reply
  27. Designers X
    November 16, 2010

    I think simple Maths questions are best!

    Reply
  28. Paul
    November 16, 2010

    I hate CAPTCHAs too, they really often make me angry…

    Reply
  29. Joost van Berckel
    November 16, 2010

    Interesting article. I will consider using alternative ways instead of a plain captcha.

    You can also achieve spam protection by putting one or two hidden input fields (hidden by CSS) on the website that has to remain blank.

    Robots will fill every field, also the hidden ones. So this can be marked as spam :)

    Reply
  30. Carl
    November 16, 2010

    I totally agree, trying to submit a form can be problematic and if you look at stats on forms with traditional captcha systems on them you can see significant abandon rates and thus we adopted the maths version combined with server side checking, JavaScript and Cookie checking for our clients.

    We have seen a significant decrease in abandon rates since deploying.

    If you need a copy for your site, you can download it for free here at
    http://www.ogmanewmedia.co.uk/tools/captcha/captcha.asp

    Reply
  31. James W
    November 16, 2010

    Captchas always make me think of this comic I found ages ago… http://uxjw.me/_/captcha.jpg Either recaptcha is getting very difficult to read lately, or I’m slowly turning into a machine.

    Reply
  32. murraybiscuit
    November 16, 2010

    Any form of captcha is anti-usability, but visual captchas are a convention by now. Having something different and quirky which requires me to think is even more time consuming IMO. I'm starting to get spambots hit my maths questions, so that's not going to last for long…

    Reply
  33. Graphic Designer Sydney
    November 16, 2010

    Agree, agree. The Maths solution is great!

    Reply
  34. rdentry
    November 16, 2010

    I think you make a very good point about user interaction, but nowadays you need to secure your forms this way. There are simply too many automated spam attacks. Form and Comment validation is essential for any mid/high traffic site. As far as CAPTCHA is concerned, your substitutions are CAPTCHA, and probably not developed to have a vast amount of random photos, tasks, math equations, etc… Some spam can tell if the answer is the same (scary).

    Many CMS developed sites offer modules that will let you pick which CAPTCHA type you want to use (image, math, reCAPTCHA). That works pretty well with me. Plus, you can come up with some pretty good designs around that little line of text or that seemingly child written ink-starved pen illustration.

    Reply
  35. Gary Williams
    November 16, 2010

    The solution I use on our college website, and it works great, is to create a textarea and hide it using CSS. I have found spambots love to put things into this “hidden” textarea, but most people can’t see it so they leave it alone ;) Sneaky sneaky! We don’t have to bother our legitimate users with any extra steps at all :)

    Reply
  36. Keri Morgret
    November 16, 2010

    The article itself is great — but what tops it off is the descriptions. I’ve seen too many midnight cat feasts regurgitated in CAPTCHAs lately.

    Reply
  37. Jason
    November 16, 2010

    I agree I hate captchas they are a royal pain in the **s. I like the picture idea and the akismet thing. http:/lucrativelistsecrets2.info

    Reply
  38. erewhon
    November 16, 2010

    Thanks for the interesting post. It certainly got me thinking, however, I disagree. To paraphrase Ben Franklin:
    He who sacrifices freedom from spam for usability deserves neither :)

    Sorry, but I put this in the same league as Nielsen on abolishing password masking – both bad ideas. (That said, making mobile password entry more reliable by briefly unmasking one character at a time is ok, especially on touchscreen devices.)

    I sympathise with your problems on the site you mention, but to be honest, I’ve never come across a captcha-guarded process I couldn’t convince, even if it took two, or very rarely, three tries.

    I’m all for improving usability, but how usable is having to wade through dozens of comment spams, fake trackbacks and the like, to find the real posts? Or isn’t a simple safeguard better than manually screening every post on a page?

    ReCAPTCHA seems to have got the balance right, including adding an audio alternative for sight-impaired users and a refresh button for the odd totally illegible word. I also like the idea of improving a useful resource – Google books. The perhaps overly altruistic effort is countered by the result.

    As to the design, yes, red may not fit in with a site’s colour scheme, but the design fulfils other usability principles – familiarity and consistency.

    There’s no denying the result of using CAPTCHAs – if done properly, they work. I will be trying the hidden field idea at some point, though. They needn’t be overused, either, if other measures are in place – email confirmation of registration, etc.

    Reply
    • Oskar Smith
      November 17, 2010

      Indeed I think it’s all a balancing act, and it’s down to individual cases on what type of CAPTCHA to use.

      One thing I would pick up on that you mentioned: “I’m all for improving usability, but how usable is having to wade through dozens of comment spams, fake trackbacks and the like, to find the real posts?”

      The usability you mention is on your side of the equation, not the user's. In response to this I'd direct you to Matt Berridge's comment above where he says "spam is not the user's problem, it is yours. You are making it theirs by putting in these devices."

      It really comes down to what impact these two sides of the story have on your finances though. For example, does it cost more to employ someone to wade through spam, or does it cost more in lost sales and decreased user satisfaction / brand experience by using a squiggly CAPTCHA? Or is there a happy medium by using a user-friendly-but-not-totally-secure CAPTCHA alternative?

      Now where’s my crystal ball… ;-)

      Reply
      • erewhon
        November 18, 2010

        OK, I agree, if one has the resources, manual spam filtering is more user-friendly, and spam is ultimately the responsibility of the site owner. However, if spam slips in for whatever reason, it’s the user that suffers.

        Dmitry’s very cool suggestion below is a great alternative, where you have to move a slider as a Turing test. What a great idea – a sneaky improvement would be to randomly select a region for the slider to be moved to, rather than just having to shift it to the end.

        I’ll be trying that out too :)

        Reply
  39. Web Design Hull
    November 17, 2010

    I personally hate CAPTCHAs although I agree ReCAPTCHA isn’t as bad as many others. When I’m visiting sites I like to use the simple maths question solution, but if this isn’t secure enough I like the idea of the hidden text area for the bots to fill in… thanks for the article.

    Reply
  40. Prince
    November 17, 2010

    I also prefer simple mathematical questions for anti spam. Illegible CAPTCHAs are a waste of time.

    Reply
  41. Prince
    November 17, 2010

    I also prefer simple math questions for anti spam. Illegible Captcha codes are a waste of time.

    Reply
  42. Dmitry Serbin
    November 17, 2010

    I found this trick really simple and it does its job.
    http://www.greatjoomla.com/extensions/plugins/core-design-captcha-plugin.html

    Reply
  43. devmau5
    November 17, 2010

    I would like to reiterate what Rick said, that being math problems will NOT prevent bots/crawlers from exploiting your forms. Putting a tick to prove you are human box will have NO effect either.

    As already stated CAPTCHA is a necessary evil but reCAPTCHA is the preferred weapon of choice.

    I highly recommend not replacing your CAPTCHAs without first fully understanding how exploits work.

    As an example just think for a minute why Google uses CAPTCHA to this day, if you get the login credentials wrong three times. They have billions of dollars at their disposal and are one of the most innovative tech companies on the planet. If they had an alternative I am sure they would be one of the first to be using it.

    I agree with the opinion that CAPTCHA is a usability problem but please remember that at least for the moment it is a necessary one.

    Reply
    • Oskar Smith
      November 17, 2010

      I would agree with you that you should be fully informed about the security of your web app or other system before removing CAPTCHA codes, but as I said in the article, "using a CAPTCHA code on most sites is like using a Humvee to crack an egg," but that "If you're developing a high-profile site or security critical web app, then sure, perhaps a CAPTCHA is going to provide you the most protection." i.e. if you're Google or Facebook, er, well you're going to get all the spam-flak out there hitting you. ;-)

      For example if you’re using a CAPTCHA code on your website contact form you are doing yourself a great injustice; there is absolutely no reason for it (assuming you’re at least XSS filtering etc. server side for malicious stuff)

      And again I’d say from my experience, JS protection has cut out all contact form spam on the sites I’ve used it on (5 years and counting…)

      I know this goes against all one’s developers’ instincts though! ;-)

      Great discussion in any case.

      Reply
      • devmau5
        November 17, 2010

        Thanks for the reply Oskar. I agree that it (CAPTCHA) must be fit for purpose. I like the analogy of Humvee egg cracking overkill.

        Reply
  44. Felix
    November 17, 2010

    Turn capchas off and get a good spam filter instead!

    Reply
  45. Color
    November 17, 2010

    Well, spammers will somehow find out new ways how to spam…

    Reply
  46. Taha
    November 17, 2010

    I absolutely agree with you on that as I have also faced some of the worst CAPTCHAs and every time I type one, it gets annoying. I think the numbers are a quite reasonable solution.

    Reply
  47. Jamie Brightmore
    November 18, 2010

    How about a maths question, but with a random +, -, or x served via PHP and in turn an image of the +, -, or x served to the front-end? This way the bot would have no idea if it needs to add, subtract, or multiply the digits in the question.

    Reply
  48. Jeff Kee
    November 18, 2010

    A great alternative I've been using to the traditional CAPTCHA, which is often hard to read, is the SubmitThroughImage class. It generates an image based on your parameters (# of characters, bg color, font colours, font face based on ttf files on the server). It uses a PHP Session so it works through AJAX calls as well. My AJAX based email forms have been secure since I started using this.

    To make it AJAX compatible you do need to make some modifications, obviously.

    Reply
  49. John Bracey
    November 19, 2010

    Very good article. I’ve been a web developer for over seven years now and on the whole there is no need for the traditional CAPTCHA. Some of the more simplified suggestions here are excellent.

    I might be stating the obvious here, but I would advise people not to use client side checking only – people can easily turn off JavaScript. This is still being done and held as being secure. Always have some validation going on that the server only knows and requires an answer to.

    Reply
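    Jamie’s random-operator maths question (comment 47) and John’s point that the server alone must know the answer fit together, so here is an added example of how that looks server side. This is illustrative code written for this discussion, not code from the article or from any commenter; the in-memory `_CHALLENGES` store stands in for a real session or cache, and `new_challenge` / `verify_answer` are assumed names. The client only ever receives the two operands, an operator name to render as an image, and an opaque challenge id; the numeric answer is generated and kept on the server, checked once, and expires.

```python
import operator
import secrets
import time

# Hypothetical server-side store of outstanding challenges, keyed by an opaque id.
# Assumption: a production deployment would keep this in the session or a cache.
_CHALLENGES: dict[str, tuple[int, float]] = {}

# The operator name is what the front end would render as an image; the bot
# scraping the HTML sees only two numbers and a meaningless token.
OPERATORS = {
    "plus": operator.add,
    "minus": operator.sub,
    "times": operator.mul,
}

CHALLENGE_TTL_SECONDS = 600


def new_challenge(rng=secrets.SystemRandom(), now=time.time) -> dict:
    """Create a challenge and return only what the browser is allowed to see."""
    a = rng.randint(1, 9)
    b = rng.randint(1, 9)
    op_name = rng.choice(list(OPERATORS))
    if op_name == "minus" and b > a:
        a, b = b, a  # keep the expected answer non-negative for the person
    answer = OPERATORS[op_name](a, b)
    challenge_id = secrets.token_urlsafe(16)
    _CHALLENGES[challenge_id] = (answer, now() + CHALLENGE_TTL_SECONDS)
    return {"id": challenge_id, "a": a, "b": b, "operator_image": op_name}


def verify_answer(challenge_id: str, submitted: str, now=time.time) -> bool:
    """Server-side, single-use, expiring check of the posted answer.

    The hidden form field carries only the challenge id; nothing in the page
    reveals the operator or the answer, so disabling JavaScript or editing the
    form does not help a script.
    """
    entry = _CHALLENGES.pop(challenge_id, None)  # pop: each challenge works once
    if entry is None:
        return False  # unknown id, already used, or never issued
    answer, expires_at = entry
    if now() > expires_at:
        return False  # stale challenge; the form was left open too long
    try:
        given = int(submitted.strip())
    except ValueError:
        return False  # non-numeric input is simply wrong, not an error
    return given == answer
```

The single-use `pop` matters as much as the secret answer: without it a script that solved one challenge (or got lucky) could replay the same id indefinitely.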
  50. Edmund
    November 21, 2010

    Images in conjunction with a short list of possible answers (i.e. animal to animal name pairings) seems like a good idea until you realize that the bot has a 1/[number of items] chance of being correct if selecting the first item.

    At StumbleUpon, we took a bit of time to do a bit of analysis on registration flow success rates broken down by each step as well as Spam rates with each iteration. It’s important to do this before making any big decision in increasing or decreasing the strength of your bot-filtering mechanisms. That said, I’ve found a simple captcha (easier than recaptcha) is good for stopping a lot of the little script kiddies.

    What works wonders however is detecting bots on the way in and routing them to a limited ‘bot friendly’ experience to give them the false impression that their bots are successfully penetrating the site. Limit their activity, and you’ll find that most spammers won’t find you valuable enough to keep hitting.

    Reply
  51. Web Technology News
    November 22, 2010

    Cat Captcha!

    I did this a while ago but have forgotten where it is now. I have a bunch of pictures of cats and dogs; they are put into an array, positions randomised, trimmed to a certain length, then shown on the comment area. You just have to click the pictures of the cats. Of course if that code got public the spammers would just have the bitcode for each image to identify it.

    Personally, if you’re a coder, spend that extra 30 minutes making your own UNIQUE solution. Spam bots go for easy targets and will attack sites that use commonly known Captchas. Math questions won’t last long; they’ll be hacked in no time. It’s just another challenge for the spammers, and probably a fun one too because they need to get into javascript processing and image reading.

    Using a remote service is probably a good idea if you don’t have the time/skills to do your own – and they’re also pretty reliable.

    Reply
  52. Sascha
    November 22, 2010

    As already pointed out the alternatives given here are themselves CAPTCHAs – maybe you should change the title of this article then as well…

    Reply
  53. Magnus Ohlin
    November 22, 2010

    Excellent post, many good new ideas for solving this problem that captchas are.

    Reply
  54. Erico Lisboa
    November 22, 2010

    love the article.

    cheers!
    E.

    Reply
  55. Antonio
    November 23, 2010

    A medium skilled hacker can develop some math expression engine for these challenges. I prefer pictures :)

    Reply
    • Angelee
      November 30, 2010

      I totally agree! I should’ve posted my comment here…. :)

      Reply
    • Ashley Sheridan
      January 17, 2013

      Pictures are a no-no, ask anyone who’s blind. Unless you put decent alt text on the images, but then it’s easy for a bot to pick up and you accomplish nothing.

      Personally, I favour the math question but with a twist. On my site, instead of numbers I’m using mnemonic phrases, so “a baker’s dozen” represents 13, “number of legs on 2 dogs” is 8, etc. The main disadvantage is the language barrier, as people outside of the UK are unlikely to know things like a baker’s dozen, but that’s my level of acceptability.

      Reply
  56. Roger
    November 23, 2010

    Great article Oskar! Thanks for suggesting the alternatives.

    Reply
  57. Markus@enkelmedia.se
    November 23, 2010

    Great post!

    What about using a timestamp in a hidden field? If the page is posted too “fast”, let’s say in less than one sec – that would most likely be spam robots.

    Is this a good approach?

    Reply
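    Markus’s hidden-field timestamp (comment 57) works only if the client cannot forge the value, otherwise a script just writes an older timestamp into the field. The added example below, written for this discussion rather than taken from the article or any commenter, signs the render time with an HMAC so a back-dated or edited token is rejected, then applies both a minimum fill time (too fast is a script) and a maximum age (too old is stale or replayed). `SECRET_KEY`, the thresholds and the function names are constructed for the example; a real deployment would load the key from configuration.

```python
import hashlib
import hmac
import time

# Constructed secret for the example; in production load it from configuration
# and never ship it to the browser.
SECRET_KEY = b"constructed-example-secret-change-me"

MIN_FILL_SECONDS = 3.0        # a person cannot read and fill a form faster than this
MAX_FORM_AGE_SECONDS = 3600   # older than this is a stale page or a replayed token


def issue_form_token(now=time.time) -> str:
    """Value for the hidden field: render time plus an HMAC over it.

    Because the MAC is keyed with the server secret, a client cannot produce a
    token for a time it did not actually receive the form at.
    """
    issued_at = f"{now():.3f}"
    mac = hmac.new(SECRET_KEY, issued_at.encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def check_form_token(token: str, now=time.time) -> tuple[bool, str]:
    """Return (accepted, reason) for a submitted hidden-field token."""
    # The timestamp itself contains a dot, so split on the last one (the hex MAC has none).
    issued_at, sep, mac = token.rpartition(".")
    if not sep:
        return False, "malformed token"
    expected = hmac.new(SECRET_KEY, issued_at.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(mac, expected):
        return False, "tampered token"
    try:
        elapsed = now() - float(issued_at)
    except ValueError:
        return False, "malformed timestamp"
    if elapsed < MIN_FILL_SECONDS:
        return False, f"submitted after {elapsed:.1f}s, too fast for a person"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return False, "form is stale"
    return True, "ok"
```

The token deliberately carries no per-user state, so it needs no server-side storage; the trade-off is that one valid token can be reused within its lifetime, which is why it pairs well with a server-held challenge rather than replacing one.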
  58. JER0EN R0LAND
    November 24, 2010

    Put this in the Windows “hosts” file and it should stop using CAPTCHAs. Easy, missing code.
    127.0.0.1 recaptcha.net
    127.0.0.1 www.recaptcha.net
    127.0.0.1 api.recaptcha.net
    127.0.0.1 www.api.recaptcha.net
    127.0.0.1 api-secure.recaptcha.net
    127.0.0.1 www.api-secure.recaptcha.net

    Reply
  59. webdesignerslog
    November 25, 2010

    Nice post … I agree with Oskar … a bad CAPTCHA is really a headache…

    Reply
  60. Thomas
    November 26, 2010

    Loved this article. CAPTCHAs have been a thorn in my side ever since I first saw them. The list of alternatives was great, and I think that by far the best of the bunch was the image selection. Of course this still causes problems for blind people, but those audio captcha things are worse than the visual ones!

    Reply
  61. Maxime De Greve
    November 27, 2010

    ZURB also wrote an article about this some time ago; their article was based on results by SEOMOZ. Have a look here: http://www.zurb.com/article/285/its-official-captchas-are-bad-for-busines

    Reply
    • Oskar Smith
      November 29, 2010

      Aha, nice find. Check Maxime’s link out people: some stats to back up the article!

      Reply
  62. Carson
    November 30, 2010

    Is Recaptcha REALLY considered one of the better ones? I despise it, its words are always among the least legible CAPTCHA codes I see.

    Reply
  63. Young Deezy
    November 30, 2010

    Great article, good solutions except the maths questions. Robots answer them. In my opinion, pictures are the best. Of course no color-choosing question, because of color blind people!

    Reply
  64. Angelee
    November 30, 2010

    I haven’t seen a site which uses pictures yet. It must be real fun to choose the best and appropriate photo plus it can be a good place to show creative graphics. I have the same opinion here, sometimes we’re just not too patient to fill-out long forms ending with unreadable codes.

    Reply
  65. Ryan Carson
    December 21, 2010

    There’s a good reason as to why you wouldn’t use pictures. Web Accessibility!

    Rate limiting is certainly one way to slow down the spammers. You can and probably should use a script to block them when detected via htaccess.

    Reply
  66. Eric
    December 30, 2010

    The beauty of the math question is that it isn’t overused yet. Spammers would look to break distorted words, or hack into the captcha database of the site, but if you ask a math question, it won’t be stored in the database, it isn’t common yet so hackers aren’t going to waste their time (yet), and it’s simple enough for anyone to answer (and if they can’t answer it, do you really want them commenting on your blog/contacting you through a form/registering on your site?).

    Of course, give it a few more years and it’ll be worthless. So the best option is to keep changing it. Use a math question, then ask the visitor to spell out a word that you give them, then ask a question (and give the answer right next to the captcha box if you want), then ask them to re-enter 1 part of their registration info (re-enter the last 4 digits of your phone number, etc, etc). All of those would be easy for a spammer to get through, but if you keep rotating them, you don’t really have to worry about it. Just an idea…

    Reply
  67. Mark Entingh
    January 4, 2011

    I developed a sort of revolutionary CAPTCHA engine that is unlike any other. It displays 3 images, then asks you to click on a specific part of one of the images. “Click on the nose of the woman to continue”. It uses javascript to grab x & y coords where you clicked, sends the x & y to the server, and the server checks an image with shapes of color on it to see if the x & y coord is touching the right color.

    As a developer, all I have to do is build a database of photos paired with images that have shapes of color scattered on the image, where each color represents an object on the photo. I can use people, toys, places, even holidays (pumpkins & ghosts & santa).

    You can see it being used on the log in form for http://www.rennder.com

    Reply
  68. Steve Garufi
    January 6, 2011

    The question piece is the best. Mine: “What is the most common color of grass?” It works so well! :)

    Reply
  69. GIK Web Design
    August 31, 2011

    I started reading this article and thought that if I take CAPTCHAs off my sites it will just lead me to a world of sorting through spam (I get enough now with the CAPTCHA on). However, I do like the alternatives, particularly the pick-a-picture one. It takes away the biggest problem with simple CAPTCHAs: actually making sense of the image.

    Reply
  70. Carl
    December 1, 2011

    I just Stumbled this page and I’m glad I did. I have a little blog that uses CAPTCHAs that even annoy me, and I’m wondering why I don’t get many comments. It’s amazing what you can miss when you can’t see the wood for the trees.

    And look here, as I type this comment, no awful code to decipher, just a nice Submit Comment button. Great article, many thanks.

    Reply
    • Web Cooperative
      January 4, 2012

      Agree with Carl. CAPTCHAs are one of the most irritating features of websites and I tend to avoid sites that use them. I’ve never had reason to implement them on sites I’ve created either. There are always more subtle and user friendly ways to avoid them as Oskar points out in the main post.

      Reply
  71. Warren
    February 20, 2012

    Although it seems this is, at the moment, a losing battle, I want to thank you for this article! Of course I am here as a result of captcha induced rage :D

    Reply
  72. Fizz Web Design
    October 6, 2012

    Captchas can be a lot of excess code churning away in the background for what is essentially a simple task. If you’re looking to just avoid the spam advertising then I like Steve Garufi’s idea – it forces a thought process to complete the task but remains lightweight & simple.

    Reply
  73. BLuFeNiX
    October 19, 2012

    Never, ever, ever, put the authentication method on the client side. If you use javascript to handle your captcha, all you are doing is letting the spambot change a couple variables and get right in, but making your users suffer.

    Reply
  74. Tim
    November 20, 2013

    I know this is an old post – but why can’t you just use the following challenge:

    “What is this?” (question to the viewer) next to a picture of an apple.

    Then check for the word apple/Apple etc and only submit if it is correct…

    This is probably a naive solution, but can bots interpret pictures and get round this?

    Reply