CAPTCHA usability: Humane alternative to CAPTCHA

Revisiting CAPTCHA: Since the W3C wrote about the “inaccessibility of CAPTCHA” almost a year ago, a new technique has emerged:

Use technology to make a form easier for humans and harder for robots to fill out, and fall back on a more traditional method only in the rare cases where the system cannot tell whether a human is filling in the form.

A typical CAPTCHA shows an image of distorted text that is meant to be impossible for computers to read. The side effect has been problems for people using assistive technology, such as blind people using screen readers.

The problem from an accessibility point of view is that most CAPTCHAs challenge people just as much as they challenge machines. Sam Ruby described an alternative back in June:

I’ve implemented an unusual captcha system.

First, the images are not distorted. In fact, if you have posted to my weblog in the past 90 days, or have visited it within the past week (but more than an hour ago), and aren’t running afoul of the throttle, the display of the image will be entirely suppressed; furthermore, the input field will be pre-filled in for you and hidden.

If you are not recognized, but have JavaScript turned on, DHTML will be used to fill in that input field for you, and that portion of the form will be set to display:none.

In fact, even if you are new, have both JavaScript and images turned off, you will find that the alt attribute of the image will contain the necessary text.

I’m really not targeting humans with this.

Much of this comes down to a lesson from usability: stop hurting the users! Many problems with traditional CAPTCHAs have already been described by me, Roger Johansson, Peter Krantz, Michael Mahemoff, Bob Easton and Christian Heilmann.

I really like the new and far more usable approach as it still makes it hard for machines, but this time easier for humans.

I just saw that Microsoft’s AJAX toolkit for .NET includes a “NoBot” widget: http://ajax.asp.net/ajaxtoolkit/NoBot/NoBot.aspx

NoBot is a control that attempts to provide CAPTCHA-like bot/spam prevention without requiring any user interaction. This approach is easier to bypass than an implementation that requires actual human intervention, but NoBot has the benefit of being completely invisible. NoBot is probably most relevant for low-traffic sites where blog/comment spam is a problem and 100% effectiveness is not required.

NoBot employs a few different anti-bot techniques:

* Forcing the client’s browser to perform a configurable JavaScript calculation and verifying the result as part of the postback. (Ex: the calculation may be a simple numeric one, or may also involve the DOM for added assurance that a browser is involved)
* Enforcing a configurable delay between when a form is requested and when it can be posted back. (Ex: a human is unlikely to complete a form in less than two seconds)
* Enforcing a configurable limit to the number of acceptable requests per IP address per unit of time. (Ex: a human is unlikely to submit the same form more than five times in one minute)

NoBot can be tested by violating any of the above techniques: posting back quickly, posting back many times, or disabling JavaScript in the browser.
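The three checks in the list above, combined in one server-side gate, as an added Python sketch (not NoBot's code, which is an ASP.NET control). The class name `FormGate`, its parameters, the multiplication challenge and the `max_age` limit are assumptions for illustration, and a keyed hash over the hidden fields stands in for NoBot's own state handling, which the page does not describe.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque


class FormGate:
    """Hypothetical server-side gate: script challenge, minimum delay, per-IP limit."""

    def __init__(self, key, min_delay=2.0, max_posts=5, window=60.0, max_age=3600.0):
        self.key = key                   # server secret, never sent to the client
        self.min_delay = min_delay       # seconds before a postback is accepted
        self.max_posts, self.window = max_posts, window
        self.max_age = max_age           # assumption: refuse stale forms
        self.posts = defaultdict(deque)  # ip -> timestamps of recent postbacks

    def sign(self, a, b, issued_at):
        msg = f"{a}:{b}:{issued_at!r}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, now):
        """Hidden-field values for a new form; page script must post back a * b."""
        a, b, now = secrets.randbelow(9000) + 1000, secrets.randbelow(9000) + 1000, float(now)
        return {"a": a, "b": b, "issued_at": now, "sig": self.sign(a, b, now)}

    def verify(self, ip, form, answer, now):
        """Return 'ok' or the name of the first check that failed."""
        recent = self.posts[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()             # forget postbacks outside the window
        recent.append(now)               # rejected postbacks count as well
        if len(recent) > self.max_posts:
            return "rate_limited"
        try:                             # posted fields arrive as untrusted strings
            a, b, t = int(form["a"]), int(form["b"]), float(form["issued_at"])
            sig = str(form["sig"]).encode()
        except (KeyError, TypeError, ValueError):
            return "tampered"
        if not hmac.compare_digest(self.sign(a, b, t).encode(), sig):
            return "tampered"            # hidden fields do not match what was issued
        if now - t < self.min_delay:
            return "too_fast"
        if now - t > self.max_age:
            return "expired"
        if str(answer).strip() != str(a * b):
            return "no_script"           # calculation missing or wrong
        return "ok"
```

A signed form stays valid until `max_age` passes, so the per-IP limit is what bounds how often one issued form can be posted back.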

Very nice work, Microsoft! I’d really like this approach ported to WordPress (our justaddwater.dk blog software).

Last week we had 1,334 spam comments that were all caught by the Akismet plugin (except for a dozen that we had to remove manually).


21 Responses to “CAPTCHA usability: Humane alternative to CAPTCHA”

  1. WebWord » Blog Archive » Usability Tidbits for Monday 20-October-2006 Says:

    […] CAPTCHA usability – “Stop hurting the users!” […]

  2. Aankhen Says:

    So if I disable JavaScript in my browser, any site using this NoBot widget will think I’m a spam bot?

    I don’t condone the use of CAPTCHAs, but this doesn’t seem like a viable alternative to me.

  3. Kim Says:

    Hi,

    Why not use a simple question like I’ve done for some time now. For instance… which day comes after Sunday or what color is an orange? Simple and efficient.

    Great blog.

    Kim

  4. Lloyd D Budd Says:

    Kim, your method only works as long as it is not profitable enough — ugh, I don’t want to try and get inside the head of spammers.

  5. Urls Sinistras » Captcha Says:

    […] CAPTCHA usability: Humane alternative to CAPTCHA. […]

  6. Rafael Franco Says:

    I think Captchas can input a difficulty level to newbies. Then, it is important to think that it will be really necessary to a website, because the negative effects can bring problems to site.

    Rafael Franco
    Unicard Mega Bonus

  7. Rafael Says:

    I think too, that Kim’s method only works as long as it is not profitable enough.

  8. Dunc Says:

    With the increasing use of CAPTCHA, I wonder if we will see more ‘human powered’ spam, with spammers employing people to post comments manually.

  9. kim Says:

    I wonder how many of you actually read what I write about my little script so I quote… “SpamTrap is NOT a guarantee against spam! It’s just another tool in the spam fighting toolbox, just like Captcha” and it’s obviously for non tech people…

    Human powered spam is the next big thing… and there is absolutely nothing you can do about it.

    Kim

  10. Heather Says:

    Millions of man hours are wasted in filling the captcha. This article is a welcome gesture to remove manpower wastage.

  11. Hale Groves Says:

    Captcha can drive me crazy. I have resubmitted pages before about 4 times before I got the CAPTCHA correct. I like the new ones that ask questions like, “When was the Constitution of the United States ratified”? I can Google the answer in seconds and I learn a bit of trivia. I’m OK with that and I’m sure SPAM bots will never figure out random things like this.

    I’ve also seen SPAM question like, “What is the 2nd letter of the third word in this question?” (Answer is h).

    I’m just not a big fan of letters so distorted you can’t make them out, if you press the “read it to me” button it’s almost impossible to make out the letters also.

  12. Edinburgh Architect Says:

    I think the use of CAPTCHA could be legally challenged here in the UK. Architects like me have had to wrestle with the Disability Discrimination Act (DDA) for the last few years here, working out how to make our buildings accessible to people with every imaginable disability. It’s a very difficult and frustrating job sometimes, especially as the official guidelines are not clear. The law here relies on court cases to establish legal precedent, which will then be worked into all future guidelines. There have been a number of cases over the last few years, usually against large property owners (McDonald’s for example).

    It seems that the Equality and Human Rights Commission here has now published guidelines relating to accessibility of websites. It is now just a matter of time before someone who is visually impaired challenges the use of CAPTCHA.

    Check out their website for more details.

  13. Techie Says:

    I agree with Hale Groves, it is pretty annoying when you have to try several times over to enter a captcha containing some of the less distinct letters. Moreover, the use of pastel colours on similar backgrounds doesn’t help.
    Just yesterday, I decided to try the audio output alternative because a text input box had not accepted a couple of attempts. The audio turned out to be a snatch of rapid conversation – no chance of transcribing that. So I too prefer to be asked a question or a simple calculation; what’s wrong with that as a way of determining that it is a human on the input end?

  14. Joe Says:

    I kinda like the captchas that many Drupal users have implemented where it presents a nonsense phrase and then asks what is the first word in the phrase . . . . No matter how nonsensical the word is, you can at least read the letters and duplicate the phrase.

  15. John Says:

    I can’t stand the captchas that bend the words and add squiggles (is it a dash? or an apostrophe?) – I’ve sometimes just discarded my comment after 4 or five attempts to get it right. As for listening to the audio, sometimes I’m prompted to install upgrades (that I don’t need if I can listen to music with no problem, or I just installed the same update yesterday!), so they don’t help. Yes Techie, a simple sum or trivia question is best IMHO

  16. Eddie Says:

    The worst ones to solve are the Captchas that myspace uses and Google – I get them wrong a couple of times before I can get it right due to not wearing my glasses – still though –

  17. Marvin Africa Says:

    In the past I’ve sometimes given up trying to get past some overzealous captchas.

    Maybe genuine comments should be given strong keyword orientated backlinks. If a good comment was considered more valuable web users would work harder to make sure they get what they are after, and that is backlinks.

    A start would be to stop linking the name field back to a website. It would make more sense to have a keyword field that links back to the website. Then take out the option to have any live links in the comment box. Continue with using filters and good eyesight to separate the unwanted spam from the genuine comments. Captchas have to evolve as the bots will always figure them out eventually.

    I can imagine someday having to complete an entire level of super mario just to prove that I am a human being (or am I?)

    Marvin Africa

  18. business communication Says:

    I think that the captcha process is very confusing, especially for those who are new to it. It can be very difficult to get the symbols correct because frequently they are very hard to read.

  19. Jason S. Says:

    Though my eye doctor says that I have perfect vision I still get stumped by a couple of captchas that I have to input multiple times, such as myspace and facebook – I think there has to be a better solution than me trying to make a comment on a buddy’s profile but have to type in the captcha 3 or more times.

  20. Mark Says:

    We run a commercial website and after struggling with different spam prevention systems, we decided to let spammers do their job and make our customers’ lives easier. We prefer to clean up a database and have higher sales volumes; CAPTCHA is a hassle and some prospects are not interested in coping with it.

  21. Marisa Says:

    Akismet has been really good for detecting spam comments and I never use anything else on blogs. If you don’t approve comments automatically then you can spend a few minutes every week to quickly scan all the spam mails through. There is a little chance that some useful comments will end up in the spam folder but that is a fact of today’s websites and comments.
    If you really want to do blog commenting then you should try a few times if your comment is not approved immediately. Not all comments will go to the Akismet spam folder.
    I really hate those hard to read captchas some sites use. If you use captcha then automated browser calculated one sounds like a real good option. Not sure if spammers can replicate that browser behaviour and make delay to commenting but it’s not in the near future.