Aral Balkan: Historical Archive — Making captchas less annoying

Making captchas less annoying

I personally find captchas annoying. And most of them are completely inaccessible to people with visual problems. But if you find that you must implement a captcha, you can at least try and make it as painless as possible for the user to use.

First off, let's review what the purpose of a captcha is. A captcha aims to differentiate human beings from bots. As such, there is nothing more annoying than proving to a captcha that you are a human being by replying correctly to it only to be asked again and again when form validation fails for some other field.

So here's a pattern for captchas that should improve the usability of systems that employ them:

If the captcha is valid but form validation fails for some other reason, store the fact that the user is a human being as a cookie or on the server and don't present the captcha to the same user next time the same form is submitted. You can even go so far as to not present that user (based on IP/cookie/session) with captchas for other forms. If you're worried about spammers getting through, you can limit this to a specific period of time (ten minutes, an hour, a day, etc.)

Update: I just saw that Google's Blogger implements a similar pattern to what I describe here in their commenting system and doesn't keep presenting you with the captcha once it's reasonably sure that you're human. Good one, Google! :)

Comments

This doesn't solve annoyingness or accessibility, but is pretty cool none the less: http://news.bbc.co.uk/1/hi/technology/7023627.stm
by Luke on 2007-12-12 16:45:42
The problem with those kind of solutions is that they work until you or your software gets enough attention. It's the same as captchas asking to type in a specific word - works, until a spammer looks at it and updates his script. The cookie scenario is trivial just as much - open it once in a browser, copy and paste the cookie into a script. The fundamental problem is that anything that could be set up to be resent back to the server is very much vulnerable to the repeat attack.
by Alex G on 2007-12-10 14:45:52
Normally Bad Behavior and Akismet are doing a great job in filtering SPAM. If a wave of SPAM sometimes really gets through I activate AntiSpamImage temporarily which still provides a very readable image. The worst thing imho is blogger.com! Their captcha images are totally messed up, even if you have good eye sight it often tells that the input is wrong. This led me to stop writing comments on blogs that user blogger.com, not worth my time!
by sascha/hdrs on 2007-12-11 02:43:42
This is kinda freaky! My wife is blind (she'd have to be, right?), and she was only saying how impossible they are for her to overcome, because they're naturally inaccessible. However, they are kinda necessary. If it wasn't for all the pillocks who like mass spamming and ruining everyones informational pseudo life, they wouldn't exist, and we'd all get along like one big happy family. How about someone (a reader of this blog, maybe?) invent us an accessible alternative???
by Lee McColl Sylvester on 2007-12-11 13:50:22
There are lots of sites offering audio captchas along side. Microsoft have done it for a long time and I've implemented them before myself. I've not see any research into the usability or effectiveness of them though. None visual CAPTCHAs such as those that ask for the answer to a question might be a better option, although some people claim they discriminate against people with cognitive disabilities or none native speakers of that language. More reading from Gez Lemon: http://juicystudio.com/article/accessibility-of-captcha.php
by Thom Shannon on 2007-12-12 10:55:24
This is where OpenID and BotBouncer come into play. Not tremendously useful in Flash, but if you want to verify someone with OpenID is a real person, just push them through BotBouncer. Also, for registration on GetSemantic.com, I'm using ReCaptcha. Love it. Helping OCR books and preventing wiki spam at the same time. Great. Both ReCaptcha and BotBouncer have an accessible option to that uses sound rather than graphics. It'd be interesting if one or both of those could support Flash too.
by Tom Morris on 2007-12-12 17:44:36
Some CAPTCHAs are better than others. Blogger's isn't too bad. Signing up for AIM, however, proved to be nearly impossible. It's also been noted that spammers can always hire cheap labor to break through CAPTCHAs, rendering them useless. Now, Blogger's CAPTCHAs are weird. They have a timeout. So, if you have the comment form in another tab, the CAPTCHA might be invalid by the time you get there. Also, getting a pass and not having to bear with CAPTCHAs is temporary.
by Keith on 2007-12-19 23:04:29
Sorry if this is old news to to you.... Check out http://research.microsoft.com/asirra/ It's called "Image-recognition CAPTCHAs" and seems very promising "Image-recognition CAPTCHAs Some researchers promote image recognition CAPTCHAs as a possible alternative for text based CAPTCHAs. The U.S. financial institution Bank of America has used image-recognition CAPTCHAs as part of the secure login process for their personal banking website. Image recognition CAPTCHAs face many potential problems which have not been fully studied. It is difficult for a small site to acquire a large dictionary of images which an attacker does not have access to. Without a means of automatically acquiring new labelled images, an image based challenge does not meet the definition of a CAPTCHA. Some current image recognition CAPTCHAs ask the user to make a binary choice (such as "Is this a cat or a dog?").Even with just sixteen images, a bot has a 1 in 65536 (2^16) chance of getting the image right every time. In order to be effective against a botnet attack, the user would be forced to solve a prohibitively large number of images."
by Teo from Greece on 2007-12-21 20:37:26
Captcha is annoying. As designers shouldn't we be more concerned about our visitors state of mind more than our own? I blogged about this a while back and talked a bit about a technique you can use to minimize spam without a CAPTCHA block. http://www.designinginteractive.com/code/how-to-make-captcha-usable/ Thanks Aral.
by Josh Walsh on 2007-12-10 17:09:35
@Alex that would only be possible if your cookie auth was badly designed, the cookie should use a session id that only allows one account to be created from it. The other really annoying thing about visual CAPTCHAs is when they make them impossible even for humans to read and case sensitive when you can't even tell the case of the letters!
by Thom Shannon on 2007-12-10 18:46:09
Would it be possible to create some sort of audio-based captcha for the seeing impaired?
by John-Paul DeVries on 2010-06-30 21:44:08
Very well written! It inspired me to leave my comments. It great to read an article suggesting that programmers not be lazy when coding advanced features such as captchas.
by Jonathan Holland on 2010-12-21 02:04:30