November 25, 2024

Why You Should Stop Using CAPTCHAs

There are few amongst us who won’t have, at some point or another, filled in a CAPTCHA code. CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart” and they are most commonly used to stop automated submissions of web forms, such as registration or contact forms.

CAPTCHAs are widespread, but are they actually damaging the usability of your website? I would argue that there are better alternatives to CAPTCHAs and that you should break the habit of using them on your sites.

Once upon a time, there was a CAPTCHA code…

Let me tell you a short story by way of introduction. Yesterday, I was trying to register on a website. The website in question employed one of the worst CAPTCHA codes that I had ever seen. It looked like a child had written something with an ink-starved pen and then left the piece of paper out in the rain. In a way, it was quite artistic, but unfortunately it was also totally illegible.

I had a go at deciphering it, made my submission, and I wasn’t surprised to be thrown back with an “incorrect code entered” message. “Oh well”, I thought, “the next CAPTCHA they give me can’t be as bad as that one was.”
It wasn’t. It was worse.

This one resembled the stains left on my carpet when my cat has engaged in a midnight feast on an unsuspecting rodent. Not only was it also illegible, but I also couldn’t give it any credit for being artistic this time. I really wanted to register on this site though, so I screwed up my face, got my eyes as close to the screen as possible before my focus started to distort, and tapped the letters and numbers into my keyboard.

“Incorrect code entered. Please try again.”

Now, as someone who works in the web design industry, I have a fairly decent attention span on the Internet; probably more so than most of Joe Public. But by this time, I was getting frustrated. I didn’t have time for this.

So I left the site open and opened a new tab, just out of curiosity, to see if I’d missed an alternative service provider in the same sector. As it happens, I had.

A few clicks later, and no CAPTCHA code to be seen, I was registered on the alternative site, and my business was winging its way into the hands of this other website’s proprietor.

Are CAPTCHA codes damaging your clients’ websites?

My experience yesterday got me thinking. Most will agree that CAPTCHA codes are annoying, but in most cases, we accept them as an unavoidable step in the battle against bots and spam. But what if it was shown that CAPTCHA codes are not only damaging the usability of your website, but also hampering the ability of your site to create leads, generate sales or otherwise function and interact with your audience?

The reality is that for the vast majority of the sites that we build as web designers and developers, we don’t really have to worry about targeted attacks on our contact and registration forms. Using a CAPTCHA code on most sites is like using a Humvee to crack an egg. If you’re developing a high-profile site or security critical web app, then sure, perhaps a CAPTCHA is going to provide you the most protection. But even then, you should be weighing up the risks and usability trade-off and asking yourself if there is a more user-friendly alternative. Oh, and by the way, there is a business in breaking CAPTCHA codes, so even if you use one, you’re not necessarily safe from a concerted effort to break it.

And if all you have to worry about is protecting a form from generic spam bots, then there is definitely no excuse; you don’t need a CAPTCHA; there are more user-friendly alternatives.

Think about it; you’ve developed a beautifully thought-out website with clear user-funnels, calls to action, with everything gently pushing your visitors towards registering, purchasing, enquiring or otherwise completing a goal, and then you stick a dirty great squiggle at the end that your users have to decode before completing the task. It’s a bit like spending weeks gently building up to asking someone out on a date and then vomiting down your shirt when you pop the big question.

The good news is that there are plenty of alternatives to CAPTCHAs. Really, you don’t need them anymore! A quick search on the Internet will turn up plenty, but here are a few I’ve picked out:

Simple Maths Questions

This one is quite popular, and definitely less intrusive than a traditional CAPTCHA. For instance, your form may ask the user “what’s 3+2” and will then validate it server-side.

Use JavaScript

One of my favorite methods is to do the whole verification process transparently client-side, whereby on form submission, a JavaScript function is called to perform some simple arithmetic and push the result into a hidden field which is then verified server-side. This is a good one to use if you know that your user-base is going to have JavaScript enabled. Indeed it’s arguable that it’s worth using even at the expense of the small number of people who have JavaScript disabled. For example, what’s more damaging? Using a CAPTCHA or using JavaScript? The answer to that is down to you though.
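
The server-side half of this method, as an added example in Node.js (not code from the original article): the server signs the operands into a token when it renders the form, the page's script fills the hidden answer field, and the POST handler trusts only what the signed token says. The function names, the token layout and the ten-minute lifetime are assumptions made for the illustration.

```javascript
// Added illustration: stateless, signed arithmetic challenge for a web form.
const crypto = require('node:crypto');

// Assumption: a real deployment loads this key from configuration so that it
// survives restarts and is shared between servers.
const SECRET = crypto.randomBytes(32);
const MAX_AGE_MS = 10 * 60 * 1000; // assumed lifetime of a challenge

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Called when the form is rendered. The operands are given to the page's
// script; the token goes into a hidden input and comes back unchanged.
function issueChallenge(now = Date.now()) {
  const a = crypto.randomInt(1, 50);
  const b = crypto.randomInt(1, 50);
  const payload = `${a}.${b}.${now}`;
  return { a, b, token: `${payload}.${sign(payload)}` };
}

// What the page's script does on submit (included so the example runs offline).
function clientAnswer(challenge) {
  return String(challenge.a + challenge.b);
}

// Called in the POST handler. The operands and the issue time are read from
// the signed token only, never from separate fields the client could alter.
function verifySubmission(fields, now = Date.now()) {
  const parts = String(fields.token || '').split('.');
  if (parts.length !== 4) return { ok: false, reason: 'malformed token' };
  const [a, b, issuedAt, mac] = parts;

  const expected = Buffer.from(sign(`${a}.${b}.${issuedAt}`), 'hex');
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }

  const age = now - Number(issuedAt);
  if (age < 0 || age > MAX_AGE_MS) return { ok: false, reason: 'expired' };

  if (String(fields.answer) !== String(Number(a) + Number(b))) {
    return { ok: false, reason: 'wrong answer' };
  }
  return { ok: true, reason: 'accepted' };
}
```

This proves only that the submitter fetched the form and did the sum; a token stays replayable until it expires unless the server also records the tokens it has already accepted.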

Use Pictures

You could present a set of pictures and, for example, ask the user to select the rabbit and the cat. If this technique suits your brand, then why not try it? Perhaps not advisable to use on an Undertaker’s site or in any other “non-quirky” situation though!

Completion of a simple task

currybet.net

I saw the CAPTCHA used on Martin Belam’s blog the other day and not only does it do the job, it also made me chuckle. Asking a visitor to complete a simple task like this takes almost no extra time or thought; unlike a traditional CAPTCHA.

Use a service like Akismet

Akismet is an excellent spam-filtering service for blog comments: use this and you’ll hardly have to worry about spam on your blogs ever again.

Put up with it

Depending on the situation, it may be worth asking yourself: “should I just put up with a bit of spam?” If the output of your website is an email, then modern spam protection on services such as Gmail is so good that you should really consider just ripping out the CAPTCHA altogether. If it helps your sales or enquiries, then perhaps a bit of spam is a price worth paying?

CAPTCHA still gotcha?

Not convinced? No problem, that’s OK. But if you’re going to use a CAPTCHA, at least use a good one. reCAPTCHA is considered one of the better ones.

Wrapping things up

That pretty much sums up my thoughts on the subject of CAPTCHA codes and if you take away just one thing from this article, let it be that you always consider the usability of your websites first and foremost. If you don’t, it could cost you or your client their next sale.

I’ll leave you with one last CAPTCHA idea, courtesy of xkcd

Oskar Smith is a digital creative, and runs web design company Esvelte, based in the north of England. Oskar has been working in the web industry for over 8 years and when not in front of a computer you'll find him behind a guitar or on top of a windsurf board. He also writes a blog and you can follow him on Twitter.

93 Comments

  1. Khalid Reply

    “I had a go at deciphering it, made my submission, and I wasn’t surprised to be thrown back with an “incorrect code entered” message. “Oh well”, I thought, “the next CAPTCHA they give me can’t be as bad as that one was.”
    It wasn’t. It was worse.”

    You had also the option to refresh the CAPTCHA, so you don’t need to submit a wrong answer when you cannot figure out which words are used.

  2. sarbartha Reply

    2 Years back I used to use captcha. Then I turned it off, because of complex commenting for visitors. Your comment form is simple. Not, so junkie.
    Commenting systems for blogs like IntenseDebate and Disqus are good to use.

  3. Rick Reply

    A simple math equation defeats the purpose completely. You might as well use nothing at all. Ditto for the JS option. Crawlers can evaluate javascript.

    The idea isn’t to make people type something extra for the sake of it. It’s to make people perform a task that computers are bad at. Hence the annoying, distorted text.

    It’s a necessary evil, so I just use reCaptcha.

    1. Oskar Smith Reply

      Yes the question of whether spambots can read javascript is an interesting one and I’ve read lots of differing arguments on this. No doubt that a bot could be specifically scripted to break a JS protected form on a particular site. But if one was to write custom JS CAPTCHAs for small sites, I doubt the “generic” spambots would crack them.

      But yes, on a higher profile site, I’m sure it wouldn’t take long for a bot to get scripted to break a JS protected form. You wouldn’t find Google, Facebook et al relying on them, that’s for sure.

      The small sites I’ve used JS on have been fine though; no spam whatsoever.

      No doubt now I’ve written this article someone will script a bot to break all my forms and prove me wrong. Lol! 😉

      1. Fritz Reply

        It’s not a question of whether bots can read/run javascript. They don’t *have to* at all, so whether they can is moot. Using Javascript as your only form of validation is worthless.

        From what I’ve observed, it’s typically a Human that (at some point) scouts and evaluates your site. Once they find out that you use JS for validation, they can just share the URL and list of fields with their buddies and then all the bots do is a bunch of HTTP Posts — which has nothing to do at all with JS.

        You absolutely must do some form of server-side validation or you might as well not do validation at all. The only reason to do client-side validation is for a smooth UI experience. Not data integrity.

        1. Oskar Smith Reply

          I think we’re both making the same point actually, in that if you’ve built your own JS CAPTCHA then it will take a human to come along and program the bot to break it. Which, if you’re a low profile site, isn’t going to happen very often (considering how many websites there are in the world).

          It may happen though and if you were using a widely used CAPTCHA plugin for, say, WordPress, the chances of someone bothering to code a bot to break it would increase.

          And yes, in all cases server side validation would need to occur, regardless of what CAPTCHA you’re using to verify data integrity, agreed.

          1. Fritz

            Actually, I don’t think we’re making the same point at all. 😉

            Your point seems to me to be JS Captcha is good enough for small sites. My point is JS-based validation is worthless for any and all sites.

            Bots don’t do JS. They don’t have to. Once a successful attack vector has been established, it goes to the botnet which then just floods the URL with the appropriate HTTP POST fields.

            And don’t fool yourself into thinking that being a small site is some sort of protection. I’ve had bots hit sites I’ve setup within days, even before being listed anywhere.

            The best security mentality to have is one of zero allowances. If you have a site, it will be evaluated at some point by a hacker. Then again, I get paid to be paranoid so my clients don’t have to worry about this stuff. lol

            I totally agree, though, about your point on the usability of some of these captcha methods ruining the user experience of some sites.

            Whether to use captcha or not shouldn’t be a quick decision, but should be part of an overall site security plan.

            All that said, I tend to use reCaptcha when necessary. 😉

  4. Amitash Reply

    That’s a good simile you used to compare captcha codes with cats and rodents.
    Just like Chris, the web designer said, Math would be a very good alternative.

  5. Ferdy Reply

    In my own pet project, a wildlife photo community, I have made the CAPTCHA part of the design. Instead of asking a math question which has nothing to do with wildlife I show them an image of an animal, and they choose which one it is from a short list of answers.

    By the way, if you’re using captchas on a signup form, you may want to consider using oauth to let users use their Facebook or Twitter account. That way you outsource the problem.

    1. Oskar Smith Reply

      Love the idea of creating a custom designed image based CAPTCHA so it’s in keeping with the whole site theme and brand, nice.

      And yes, the idea of the outsourcing a signup/register process to Twitter or Facebook for anti-spam reasons would have been worth a mention in the article actually. Lots of other usability advantages to outsourcing signup/login via oAuth too.

  6. Drew Reply

    Recaptcha and nothing else.

    I find the prospect of altruistic activity in digitising old books two words at a time appealing.

    I’ve never received any negative comments as a result of usage and in implementations of mailhide recaptcha it has completely killed off spam.

    I would doubt that anyone who has received spam would begrudge efforts to stop it.

    Some of the simplistic ones are rather pointless as spammers’ OCR technology will easily defeat the more simplistic images.
    What we have to remember, is that if you can think up a method of preventing spam then
    1. It’s already been considered by spam gangs and
    2. They probably have a workaround.
    For example. I run a social network which uses (for cost reasons) an out of the box application – one of the better ones. The captcha on there uses simple images of numbers and we get 30-50 spam signups a day and by the feel of them, they’re automated.

    Recaptcha is the only one I’ve found that actually works.

  7. Bert Hofmänner Reply

    I do hate Captchas. Because of that we made a lot of tests of forms without Captchas. First it is important, that you use tokens. This way everyone will need to get the token (=see the form) before being able to submit content. Second you can measure the time-difference between loading the form and submitting it. If it takes less than five seconds, it’s not human… Those two protection mechanisms worked for some time, but not anymore. Our latest technology is to generate an image with PHP with a token and display it on the page of the form. As bots usually don’t load images, that works pretty well…

  8. Max Soe Reply

    Most spam bots fill all the fields in a form. You can create a dummy field in your form, hide it from users using CSS eg
    position: fixed;
    top: -1000px;

    Theoretically a human will never see this field so they will not fill it in. Spam bots on the other hand, will fill them in.

    Server side, figure out if the field is filled. If it is, it’s a bot. If it’s empty, a human filled your form.
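
Added example, not part of any commenter's post and not code from the sites they describe: the server-side checks from comments 7 and 8 (a form token, the five-second timing test and the CSS-hidden field) combined in one Node.js handler. The field name hp_comment, the in-memory Map used as a token store and the one-hour form lifetime are assumptions.

```javascript
// Added illustration: single-use form token, minimum fill time and honeypot.
const crypto = require('node:crypto');

const MIN_FILL_MS = 5000;               // the "less than five seconds" rule
const MAX_FORM_AGE_MS = 60 * 60 * 1000; // assumed: older forms must be reloaded
const HONEYPOT_FIELD = 'hp_comment';    // hypothetical name of the hidden field

// Assumption: a Map stands in for the session store or cache a real site uses.
const issued = new Map();

// Called when the form is rendered; the token goes into a hidden input.
// The issue time is kept on the server, so the client cannot backdate it.
function issueFormToken(now = Date.now()) {
  const token = crypto.randomBytes(16).toString('hex');
  issued.set(token, now);
  return token;
}

// Called in the POST handler. Returns 'accept' or a 'reject: ...' reason.
function checkSubmission(fields, now = Date.now()) {
  const token = String(fields.token || '');
  if (!issued.has(token)) return 'reject: unknown or reused token';

  const issuedAt = issued.get(token);
  issued.delete(token); // single use: a replayed POST fails the check above

  // People never see the hidden field, so any content in it is a bot signal.
  if (String(fields[HONEYPOT_FIELD] || '').trim() !== '') {
    return 'reject: honeypot filled';
  }

  const elapsed = now - issuedAt;
  if (elapsed < MIN_FILL_MS) return 'reject: submitted too fast';
  if (elapsed > MAX_FORM_AGE_MS) return 'reject: form expired';
  return 'accept';
}

// Run periodically so that forms which were loaded but never submitted
// do not accumulate in the store. Returns the number of tokens removed.
function purgeExpired(now = Date.now()) {
  let removed = 0;
  for (const [token, issuedAt] of issued) {
    if (now - issuedAt > MAX_FORM_AGE_MS) {
      issued.delete(token);
      removed += 1;
    }
  }
  return removed;
}
```

Browser autofill and screen readers can reach a field that is only moved off-screen, so the hidden input should also carry autocomplete="off", tabindex="-1" and aria-hidden="true" to keep real users from tripping the check.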

  9. Jeni Reply

    I often leave it to the client to decide if they want any spam protection, and when to implement it after explaining the pros and cons of captchas. Often I set up forms with no protection, then put in a captcha if they start getting bombarded with spam.

    I’ve found that math captchas, even though are more user friendly, are pretty much worthless. I end up using image ones, but ones that are pretty easy for humans to read, and that usually does it. I think that many times people go way too overboard making their captchas unnecessarily hard to read.

  10. Elsewine Reply

    Brilliant!
    Thank you so much for making me laugh-off my stress and frustration after being forced to use a captcha form.
    And if I ever need it, I will certainly look into the other options.

  11. Mitchell Hall Reply

    Thank You for this excellent article. I personally detest CAPTCHAs and refuse to put them on any of my sites. I’m thrilled to see so many excellent alternatives. I definitely plan to use some of these.

    One thing that really bothers me about CAPTCHAs is that some of them are case-sensitive and others are not and in most cases it’s not specified. This just adds another question in the mind of our users and we all know that if our users have to think about how our site works then we’re doing something wrong.

  12. Blake Reply

    There’s no question that CAPTCHAs are interfering with the user’s experience.

    I couldn’t have said it better myself:

    “It’s a bit like spending weeks gently building up to asking someone out on a date and then vomiting down your shirt when you pop the big question.”

  13. Matt Berridge Reply

    In my opinion, you shouldn’t use anything client-side at all. You are giving the user a less user-friendly and more frustrating experience when spam is not the user’s problem, it is yours. You are making it theirs by putting in these devices.

    1. Oskar Smith Reply

      “Spam is not the user’s problem, it is yours. You are making it theirs by putting in these devices.”

      Perfectly put. I think my article should just get edited and replaced with this; would be much more succinct!

  14. Chase Adams Reply

    Great read!

    I’ve always hated CAPTCHAs. This post was totally worth reading just for the “Were you sad when Littlefoot’s mom died in “Land Before Time”?” question.

  15. Ben Reply

    Captchas are very annoying, but I’m not convinced that the maths problem, or the CSS hidden field alternatives would be as robust.

    Anyway, all the alternatives are also annoying: I’ve seen Facebook ask to verify photos of your friends – and thought that was really irritating! Though admittedly easier than some Captchas, but it did take a long time as I had to identify about 5 people.

    As you have said designers need to consider the trade-off of usability vs Spam, and I agree usability should nearly always win: Spam is annoying to you, but Captchas are annoying to your users.

    Perhaps more creative solutions are needed: a database of trivial pursuit style questions for example, or by asking the user to identify a famous piece of music, answer riddles or solve a jig-saw puzzle 😉

  16. Batfan Reply

    The title of the article should be ‘Why You Should Stop Using Bad CAPTCHAs’. I personally think that there’s nothing wrong with CAPTCHAs but, I definitely agree with the reCAPTCHA mention. That is the only one I will use.

    1. Oskar Smith Reply

      Indeed, and as someone else pointed out, the alternatives to CAPTCHAs that I mention are themselves… CAPTCHAs…! Semantics, semantics. 😉

      (Where I say CAPTCHA, I of course mean the squiggly writing ones. A bit like when someone says “pass me the hoover,” they actually mean “pass me the vacuum cleaner!”)

  17. Joost van Berckel Reply

    Interesting article. I will consider using alternative ways instead of plain captcha.

    You can also achieve spam protection by putting one or two hidden input fields (hidden by CSS) on the website that has to remain blank.

    Robots will fill every field, also the hidden ones. So this can be marked as spam 🙂

  18. Carl Reply

    I totally agree, trying to submit a form can be problematic and if you look at stats on forms with traditional captcha systems on them you can see significant abandon rates and thus we adopted the maths version combined with server side checking, JavaScript and Cookie checking for our clients.

    We have seen a significant decrease in abandon rates since deploying.

    If you need a copy for your site, you can download it for free here at
    https://www.ogmanewmedia.co.uk/tools/captcha/captcha.asp

  19. murraybiscuit Reply

    any form of captcha is anti-usability, but visual captchas are a convention by now. having something different and quirky which requires me to think is even more time consuming imo. i’m starting to get spambots hit my maths questions, so that’s not going to last for long…

  20. rdentry Reply

    I think you make a very good point about user interaction, but nowadays you need to secure your forms this way. There are simply too many automated spam attacks. Form and Comment validation is essential for any mid/high traffic site. As far as CAPTCHA is concerned, your substitutions are CAPTCHA, and probably not developed to have a vast amount of random photos, tasks, math equations, etc… Some spam can tell if the answer is the same (scary).

    Many CMS developed sites offer modules that will let you pick which CAPTCHA type you want to use (image, math, reCAPTCHA). That works pretty well with me. Plus, you can come up with some pretty good designs around that little line of text or that seemingly child written ink-starved pen illustration.

  21. Gary Williams Reply

    The solution I use on our college website, and it works great, is to create a textarea and hide it using CSS. I have found spambots love to put things into this “hidden” textarea, but most people can’t see it so they leave it alone 😉 Sneaky sneaky! We don’t have to bother our legitimate users with any extra steps at all 🙂

  22. erewhon Reply

    Thanks for the interesting post. It certainly got me thinking, however, I disagree. To paraphrase Ben Franklin:
    He who sacrifices freedom from spam for usability deserves neither 🙂

    Sorry, but I put this in the same league as Nielsen on abolishing password masking – both bad ideas. (That said, making mobile password entry more reliable by briefly unmasking one character at a time is ok, especially on touchscreen devices.)

    I sympathise with your problems on the site you mention, but to be honest, I’ve never come across a captcha-guarded process I couldn’t convince, even if it took two, or very rarely, three tries.

    I’m all for improving usability, but how usable is having to wade through dozens of comment spams, fake trackbacks and the like, to find the real posts? Or isn’t a simple safeguard better than manually screening every post on a page?

    ReCAPTCHA seems to have got the balance right, including adding an audio alternative for sight-impaired users and a refresh button for the odd totally illegible word. I also like the idea of improving a useful resource – Google books. The perhaps overly altruistic effort is countered by the result.

    As to the design, yes, red may not fit in with a site’s colour scheme, but the design fulfils other usability principles – familiarity and consistency.

    There’s no denying the result of using CAPTCHAs – if done properly, they work. I will be trying the hidden field idea at some point, though. They needn’t be overused, either, if other measures are in place – email confirmation of registration, etc.

    1. Oskar Smith Reply

      Indeed I think it’s all a balancing act, and it’s down to individual cases on what type of CAPTCHA to use.

      One thing I would pick up on that you mentioned: “I’m all for improving usability, but how usable is having to wade through dozens of comment spams, fake trackbacks and the like, to find the real posts?”

      The usability you mention is on your side of the equation, not the user’s. In response to this I’d direct you to Matt Berridge’s comment above where he says “spam is not the user’s problem, it is yours. You are making it theirs by putting in these devices.”

      It really comes down to what impact these two sides of the story have on your finances though. For example, does it cost more to employ someone to wade through spam, or does it cost more in lost sales and decreased user satisfaction / brand experience by using a squiggly CAPTCHA? Or is there a happy medium by using a user-friendly-but-not-totally-secure CAPTCHA alternative?

      Now where’s my crystal ball… 😉

      1. erewhon Reply

        OK, I agree, if one has the resources, manual spam filtering is more user-friendly, and spam is ultimately the responsibility of the site owner. However, if spam slips in for whatever reason, it’s the user that suffers.

        Dmitry’s very cool suggestion below is a great alternative, where you have to move a slider as a Turing test. What a great idea – a sneaky improvement would be to randomly select a region for the slider to be moved to, rather than just having to shift it to the end.

        I’ll be trying that out too 🙂

  23. Web Design Hull Reply

    I personally hate CAPTCHAs although I agree ReCAPTCHA isn’t as bad as many others. When I’m visiting sites I like to use the simple maths question solution, but if this isn’t secure enough I like the idea of the hidden text area for the bots to fill in… thanks for the article.

  24. devmau5 Reply

    I would like to reiterate what Rick said, that being math problems will NOT prevent bots/crawlers from exploiting your forms. Putting a tick to prove you are human box will have NO effect either.

    As already stated CAPTCHA is a necessary evil but reCAPTCHA is the preferred weapon of choice.

    I highly recommend not replacing your CAPTCHAs without first fully understanding how exploits work.

    As an example just think for a minute why Google uses CAPTCHA to this day, if you get the login credentials wrong three times. They have billions of dollars at their disposal and are one of the most innovative tech companies on the planet. If they had an alternative I am sure they would be one of the first to be using it.

    I agree with the opinion that CAPTCHA is a usability problem but please remember that at least for the moment it is a necessary one.

    1. Oskar Smith Reply

      I would agree with you that you should be fully informed about the security of your web app or other system before removing CAPTCHA codes, but as I said in the article, “using a CAPTCHA code on most sites is like using a Humvee to crack an egg.” but that “If you’re developing a high-profile site or security critical web app, then sure, perhaps a CAPTCHA is going to provide you the most protection.” i.e. if you’re Google or Facebook, er, well you’re going to get all the spam-flak out there hitting you. 😉

      For example if you’re using a CAPTCHA code on your website contact form you are doing yourself a great injustice; there is absolutely no reason for it (assuming you’re at least XSS filtering etc. server side for malicious stuff)

      And again I’d say from my experience, JS protection has cut out all contact form spam on the sites I’ve used it on (5 years and counting…)

      I know this goes against all one’s developers’ instincts though! 😉

      Great discussion in any case.

  25. Taha Reply

    I absolutely agree with you on that as I have also faced some of the worst CAPTCHAs and every time I type one, it gets annoying. I think the numbers one is quite a reasonable solution.

  26. Jamie Brightmore Reply

    How about a maths question, but with a random +, -, or x served via PHP and in-turn a image of the +, -, or x served to the front-end ? This way the bot would have no idea if it needs to add, subtract, or multiply the digits in the question.

  27. Jeff Kee Reply

    A great alternative I’ve been using to the traditional CAPTCHA which is often hard to read, is the SubmitThroughImage class. It generates an image based on your parameters (# of characters, bg color, font colours, font face based on ttf files on the server). It uses a PHP Session so it works through AJAX calls as well. My AJAX based email forms have been secure since I started using this.

    To make it AJAX compatible you do need to make some modifications, obviously.

  28. John Bracey Reply

    Very good article. I’ve been a web developer for over seven years now and on the whole there is no need for the traditional CAPTCHA. Some of the more simplified suggestions here are excellent.

    I might be stating the obvious here but I would advise people not to use client side checking only – people can easily turn off Javascript. This is still being done and held as being secure. Always have some validation going on that the server only knows and requires an answer to.

  29. Edmund Reply

    Images in conjunction with a short list of possible answers (ie. animal to animal name pairings) seems like a good idea until you realize that the bot has a 1/[number of items] chance of being correct if selecting the first item.

    At StumbleUpon, we took a bit of time to do a bit of analysis on registration flow success rates broken down by each step as well as Spam rates with each iteration. It’s important to do this before making any big decision in increasing or decreasing the strength of your bot-filtering mechanisms. That said, I’ve found a simple captcha (easier than recaptcha) is good for stopping a lot of the little script kiddies.

    What works wonders however is detecting bots on the way in and routing them to a limited ‘bot friendly’ experience to give them the false impression that their bots are successfully penetrating the site. Limit their activity, and you’ll find that most spammers won’t find you valuable enough to keep hitting.

  30. Web Technology News Reply

    Cat Captcha!

    I did this a while ago but forgotten where it is now. I have a bunch of pictures of cats and dogs, they are put into an array, randomised positions, trimmed to a certain length then shown on the comment area. You just have to click the pictures of the cats. Of course if that code got public the spammers would just have the bitcode for each image to identify it.

    Personally if you’re a coder spend that extra 30 minutes making your own UNIQUE solution. Spam bots go for easy targets and will attack sites that use commonly known Captchas. Math questions won’t last long, they’ll be hacked in no time. It’s just another challenge for the spammers, and probably a fun one too because they need to get into javascript processing and image reading.

    Using a remote service is probably a good idea if you don’t have the time/skills to do your own – and they’re also pretty reliable.

    1. Ashley Sheridan Reply

      Pictures are a no-no, ask anyone who’s blind. Unless you put decent alt text on the images, but then it’s easy for a bot to pick up and you accomplish nothing.

      Personally, I favour the math question but with a twist. On my site, instead of numbers I’m using mnemonical phrases, so “a bakers dozen” represents 13, “number of legs on 2 dogs” is 8, etc. The main disadvantage is the language barrier, as people outside of the UK are unlikely to know things like a bakers dozen, but that’s my level of acceptability.

  31. Markus@enkelmedia.se Reply

    Great post!

    What about using a timestamp in a hidden field. If the page is posted too “fast”, let’s say in less than one sec – that would most likely be spam robots.

    Is this a good approach?

  32. Thomas Reply

    Loved this article. CAPTCHAs have been a thorn in my side ever since I first saw them. The list of alternatives was great, and I think that by far the best of the bunch was the image selection. Of course this still causes problems for blind people, but those audio captcha things are worse than the visual ones!

  33. Young Deezy Reply

    Great article, good solutions except the maths questions. Robots answer them. According to me, pictures are the best. Of course no choosing color question, because of color blind people!

  34. Angelee Reply

    I haven’t seen a site which uses pictures yet. It must be real fun to choose the best and appropriate photo plus it can be a good place to show creative graphics. I have the same opinion here, sometimes we’re just not too patient to fill-out long forms ending with unreadable codes.

  35. Ryan Carson Reply

    There’s a good reason as to why you wouldn’t use pictures. Web Accessibility!

    Rate limiting is certainly one way to slow down the spammers. You can and probably should use a script to block them when detected via htaccess.

  36. Eric Reply

    The beauty of the math question is that it isn’t overused yet. Spammers would look to break distorted words, or hack into the captcha database of the site, but if you ask a math question, it won’t be stored in the database, it isn’t common yet so hackers aren’t going to waste their time (yet), and it’s simple enough for anyone to answer (and if they can’t answer it, do you really want them commenting on your blog/contacting you through a form/registering on your site?).

    Of course, give it a few more years and it’ll be worthless. So the best option is to keep changing it. Use a math question, then ask the visitor to spell out a word that you give them, then ask a question (and give the answer right next to the captcha box if you want), then ask them to re-enter 1 part of their registration info (re-enter the last 4 digits of your phone number, etc, etc). All of those would be easy for a spammer to get through, but if you keep rotating them, you don’t really have to worry about it. Just an idea…

  37. Mark Entingh Reply

    I developed a sort of revolutionary CAPTCHA engine that is unlike any other. It displays 3 images, then asks you to click on a specific part of one of the images. “Click on the nose of the woman to continue”. It uses javascript to grab x & y coords where you clicked, sends the x & y to the server, and the server checks an image with shapes of color on it to see if the x & y coord is touching the right color.

    As a developer, all I have to do is build a database of photos paired with images that have shapes of color scattered on the image, where each color represents an object on the photo. I can use people, toys, places, even holidays (pumpkins & ghosts & santa).

    You can see it being used on the log in form for http://www.rennder.com

  38. GIK Web Design Reply

    I started reading this article and thought if I take CAPTCHAs off my sites it will just lead me to a world of sorting through spam (I get enough now with the CAPTCHA on). However I do like the alternatives, particularly the pick a picture one. It takes away the biggest problem with simple CAPTCHAs: actually making sense of the image.

  39. Carl Reply

    I just Stumbled this page and I’m glad I did. I have a little blog that uses CAPTCHAs that even annoy me, and I’m wondering why I don’t get many comments. It’s amazing what you can miss when you can’t see the wood for the trees.

    And look here, as I type this comment, no awful code to decipher, just a nice Submit Comment button. Great article, many thanks.

    1. Web Cooperative Reply

      Agree with Carl. CAPTCHAs are one of the most irritating features of websites and I tend to avoid sites that use them. I’ve never had reason to implement them on sites I’ve created either. There are always more subtle and user friendly ways to avoid them as Oskar points out in the main post.

  40. Warren Reply

    Although it seems this is, at the moment, a losing battle, I want to thank you for this article! Of course I am here as a result of captcha induced rage 😀

  41. Fizz Web Design Reply

    Captchas can be a lot of excess code churning away in the background for what is essentially a simple task. If you’re looking to just avoid the spam advertising then I like Steve Garufi’s idea – it forces a thought process to complete the task but remains lightweight & simple.

  42. BLuFeNiX Reply

    Never, ever, ever, put the authentication method on the client side. If you use javascript to handle your captcha, all you are doing is letting the spambot change a couple variables and get right in, but making your users suffer.
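
The hidden-timestamp idea from comment 31, built so that it also respects comment 42's warning about trusting the client: the server signs the page-render time with an HMAC and re-checks it on submit. This is an added example, not part of any comment or of the original post; the key, thresholds and function names are assumptions.

```python
import hashlib
import hmac
import time

# Assumed values for the example; a real key is random and kept server-side.
SECRET_KEY = b"constructed-demo-key"
MIN_FILL_SECONDS = 1.0    # "less than one sec" threshold from comment 31
MAX_AGE_SECONDS = 3600    # stale forms must be re-rendered


def _sign(issued_ms: str) -> str:
    return hmac.new(SECRET_KEY, issued_ms.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Value for the hidden form field, generated when the page is rendered."""
    now = time.time() if now is None else now
    issued_ms = str(int(now * 1000))
    return f"{issued_ms}:{_sign(issued_ms)}"


def check_token(token: str, now=None) -> str:
    """Server-side check on submit. Returns 'ok' or the reason for rejection."""
    now = time.time() if now is None else now
    issued_ms, sep, mac = token.partition(":")
    if not sep or not (issued_ms.isascii() and issued_ms.isdigit()):
        return "malformed"
    # Constant-time comparison; a client that edits the timestamp cannot
    # produce a matching MAC without the server's key.
    if not hmac.compare_digest(_sign(issued_ms).encode(), mac.encode()):
        return "forged"
    elapsed = now - int(issued_ms) / 1000
    if elapsed < MIN_FILL_SECONDS:
        return "too_fast"
    if elapsed > MAX_AGE_SECONDS:
        return "expired"
    return "ok"


if __name__ == "__main__":
    token = issue_token()
    print(check_token(token))                    # submitted instantly
    print(check_token(token, time.time() + 5))   # submitted after 5 seconds
```

A bot that simply waits past the threshold still gets through, and a token can be replayed until it expires, so this works as one signal alongside others such as rate limiting.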

  43. Tim Reply

    I know this is an old post – but why can’t you just use the following challenge:

    “What is this?” (question to the viewer) next to a picture of an apple.

    Then check for the word apple/Apple etc and only submit if it is correct…

    This is probably a naive solution, but can BOTs interpret pictures and get round this?

  44. Khaos vi Brittania Reply

    I came here after passing a really hard captcha that was 2 squares filled with random dots and I should multiply the dots from the first square with the second one and write down the right answer. It even felt like I was doing some math test lol. I really wonder if nowadays we can’t have better ways to solve the bots and spam issue; there’s nothing more annoying than trying to comment or register at something and fail the dumb captcha 3 ~4 ~5 times
