Sunday, 3 February 2013

Captcha- is there anything worse?

A few weeks ago, if I did the settings right, I turned off the captcha for comments on this blog.  The reason was two fold:

  1. Even with the captcha enabled I had spam comments from time to time
  2. I'm trying to think of something more annoying when you are trying to do something on-line than having to read something deliberately made unreadable
Basically in user interaction terms it is about as bad as you can get at making sure users have the worst possible experience.  I have really good eyesight, and can read very well - but the captcha that Blogger uses can boggle me a lot of the time.  Blurred house numbers and swirly letters which could be a U or IJ etc.  Terrible!

So I decided that I would remove the hindrance from the blog. (If I failed, please let me know!)

For this blog it is not that much of a problem - it's not like my posts generate hundreds of comments, so if there is something there that I feel is wrong it gets removed with quite simple ease.

For other sites of course it is a different matter.  Take a system that allows users to do something with their account when they have forgotten some account details - whether that is the username or password.

So, if you really do need a captcha how can you ensure that your users do not pay the penalty?  After all should usability suffer just because you are looking for security?

My favourite option is this one - the honey pot captcha.  Basically, you add a normal sounding field to the site "Address" or something similar.  Then you hide it with CSS so users can't see it.

And in one swoop you have a field that Spam bots will want to fill, and humans will never even see! Then you check to see if the default value had changed when the form has posted and hey presto you can filter the comments that cannot have come from human users.

It's not perfect, and if someone really, really wants to spam your site they will be able to defeat it with some investigations.  But them how secure do you really need?  You can always make the name of the field random - that makes it harder to crack.

But the main thing is that your actual users are passing your test, and they don't even know that they are taking it!

I've seen comments that it won't stop human spammers, but then neither will a traditional captcha!

And if it's really that important you can always use learning software, ala Akismet.  The software goes through the comments and, the same as the spam filter on your email account, mark all the spam comments so they don't appear.

There are a  lot of options out there - there are even great CSS captchas that are perfectly readable to humans but unless you have a spam bot that renders a page with full CSS and interprets hundreds of DIV elements as a number then it stops bots.  I'd love to put a link to one, we used it for a few years at work - but I can't find it any more...

So why does Blogger (Google) not do some research into something cool that people don't struggle with!  The people they have working for them can surely come up with something much better!


  1. The honey pot is a neat idea. My own peeve is the blog/site requiring you to sign-in, which I guess in addition to harvesting an email address, they'd argue is their solution. Is it my imagination or has captcha generally gotten more unreadable recently - I often have to refresh in the hope of getting something I can have a go at interpreting!

    1. I like the honey pot. It is simple to code, and there are enough ways of making it harder to beat *whilst not antagonising the user*.

      Second attempt at this sentence. I was going to say that if you have to be logged in then you already have a capture on the page. But of course that isn't true - as I realised whilst tying the sentence. It's trivial to provide the bot with a log in routine so that it can leave comments as a registered user.

      I require a log in purely because I think people consider their comments more when they have a name left behind, even if it is not their real name they are traceable from comment to comment, than when you are anon. But yes, it is another threshold to get someone over.

      And yes, captchas do seem to be getting worse don't they. I remember when someone wanted to use recaptcha at work. I complained about the decision - recapture is maybe the worst for the users. The comment came back that recaptcha has an audio option for if you really can't read it.

      So we did a test. It was a 100% failure of people to be able to use the audio option. As a result I got my way and we kept the solution we had at the time (the CSS option - the problem being that each time we changed out site the CSS had to change or the captcha was still unreadable).

  2. I gave up with Captchas a while ago. They are so annoying and at times totally unreadable. Spams I can deal with ... Delete delete delete ....

    1. I gave up with it just because using it on other blogs / sites made me realise I was being evil to force people reading my blog to use a system that made me swear at my laptop every single time I used it.

      So far so good...

    2. Curses, knew I shouldn't have said anything. Three spams in the space of a day. Pan

  3. Of course they stick with it because its users are doing the hard work of Street View text recognition for them.

    Me, I'd go for a kitten captcha.

    1. I see the second point, but surely a company like Google [wants you to believe they are] should be out there doing really cool stuff and making life really easy for users.

      I like the kitty ones, it would be great on a machine with a touch screen...


    2. Yeah somehow "digitize street addresses, stop spam" sounds less public spirited than "read books, stop spam." If anything I can see how it might even lead to an increase in postal spam. The kitten "captcha" (trademark?) might be criticized on accessibility grounds, but "captchas" in general are about reducing accessibility to certain parties. No definitive answer.