Captchas are bad?

According to boingboing, a lot of people don’t like the graphical Turing tests called CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart). You know what they are – Blogger just implemented them in their Word Verification comment feature. If you are still drawing a blank, go ahead and try to post a comment. You will be asked to type in the text from a picture – that’s CAPTCHA. W3C is even drafting a paper on Inaccessibility of Visually-Oriented Anti-Robot Tests.

I find this interesting. Of course they are right – these things are a major pain for blind and visually impaired users. On the other hand, they do serve their purpose quite well. Despite what the anti-CAPTCHAnists claim, it’s not that easy to defeat them. For example, they claim that “renting eyes” is the ultimate CAPTCHA killer.

Hmmm… Let’s see. To flood a system without CAPTCHA all you need is a perl script and an internet connection. To successfully defeat CAPTCHA via the “eye rental” method you need a server where you can host your spoof site, a script that will grab the image from the attacked website, serve it up on your site, and then pipe the user input back into the attacked site. And on top of that you need a successful phish to generate enough traffic to your spoof site to make this enterprise worthwhile. For that you will probably need a mass mailer and a few thousand valid emails – which may or may not be easy to obtain (depending on your resources and connections).

All of that, of course, can be set up within an hour or two with minimal effort, provided that you know what you are doing. Still, it requires much more effort and preparation than downloading and running a perl script. Which means that a simple Turing test will prevent all the script kiddies and most of the lazy crackers from abusing your system. That is a major benefit, which sometimes can outweigh the risk of locking out the odd blind user.

I guess it all depends on what kind of service you are running. Most likely, a blind user won’t really need a Flickr account – so those types of websites are probably pretty safe using CAPTCHAs. On the other hand, if you are a federal institution, a health provider or some sort of social service, you might be locking out visually impaired users.

The problem is that none of the proposed alternatives are any good. When you use CAPTCHA, you pose a significant disadvantage to maybe 5-10% of your potential user base. If you use any of the proposed schemes, you disadvantage much larger sections of your user base. How many users will you lose if you introduce a credit card check? How many of them will be royally pissed when you put limits on their accounts, or start banning them for “suspicious” activities? Can you afford to piss these people off?

We have to draw the line somewhere. How many blind, deaf, or cognitively impaired people regularly visit your website? And if they are, how the hell are they doing it? As far as I know, some 50-60% of the web is inaccessible right now because people insist on using Flash and image maps, and can’t be bothered to validate their HTML. Of course, you also have to admit that most of the screen readers are total shit anyway.

I’m all for making the web more accessible. But so far, CAPTCHAs are the most effective, least intrusive and least obnoxious Turing tests available. That is why they are so popular. I would love to see someone come up with a better solution – but everything presented in the W3C paper either does not exist, or is seriously flawed. So I’m not giving up my CAPTCHAs anytime soon.
