I’m just going to start this with a possibly startling fact. PWNtcha can break 90% of known CAPTCHA algorithms. If that doesn’t tell you why they’re totally useless, then I don’t know what will.
It’s no secret that I detest and will not use CAPTCHA on any site I build. I have a math-test on one site where I get a lot, but that’s as far as I’m willing to get into that world. People often ask me why I hate it, and I tell them that it doesn’t work and it’s bad for accessibility. The fact that it doesn’t work is proven by PWNtcha pretty well, but the concept that it’s bad for accessibility seems to be lost on a lot of people.
CAPTCHA stands for Completely Automated Public Turing test to Tell Computers and Humans Apart. In the begining, it was a great idea. The computer world had just started to try and make AI, and the first attempts at that on the Internet was to put little bots out that talked to people, asking and answering questions. That, in itself, is pretty damn cool, I agree. With working AI, we’re one step closer to ‘Computer, I’d like a bottle of Chateau Picard’s chardonnay, chilled to 68 degrees Fahrenheit, and play some Barry White at volume level 3.’ (illustrated to the right). AI is a great concept. But. What we actually got was people thinking ‘Wouldn’t it be cool if I made something that listened for key phrases and told them about my cool product?’ Basically, spam.
An early defense against spam was that you had to enter a CAPTCHA code, which showed a picture with letters and numbers, and you entered those letters and numbers into a text field. The magic CAPTCHA verified they were the same and let you in. Pretty cool, right? Except that if there was a way for CAPTCHA to compare the image to the text you entered, then there had to be a way to reverse engineer that so a spam bot could read and enter the same code. Ever since then, it’s been an ongoing fight to make a better mousetrap.
See, a human can easily read CAPTCHA like these:
But the best ones, the ones that can’t be solved by computers, the ones that even PWNtcha says will last for a long time, are ones I look at and wince:
Clearly if you make it good enough that a computer can’t crack it, you make it harder for a human to be able to understand it. In that one moment, anyone who has limited vision can’t access your site. Which means you’ve lost a visitor. If this is your business, you’ve lost revenue. And if you think there aren’t a lot of people that this will keep out of your site, think about how many people you know with some form of dyslexia. Think about how many people over the age of 40 (the age at which most of us need reading glasses) visit your site. Even if you run a trendy under-30 store, grammy may want to buy junior a new hip shirt. And don’t even pretend that older people don’t matter. Remember how long ago you were in College? Yeah, you’re getting older too, buddy.
So they don’t work, they keep real people out of your site, and did I mention you probably don’t need it? I’ve been running ipstenu.org for a very long time (on Internet time – it’s been over a decade). I’ve had less than 20 spam posts show up on my site. None since I turned on comment approval (where I must approve your FIRST comment, but after that, you’re free to post). Akismet has caught about 50k spam posts. Bad Behavior’s caught even more (100k at last gasp) and only two ‘real’ people have ever complained about being caught (one had a virus, one had a bad firewall at school). Sure, if you’re Yahoo, you might need it, but did you know the ‘unreadable’ examples I used above were from Yahoo? Yeah. Google has a pretty basic, easy to read one, and so does Twitter. Facebook has too many, and they’re annoying. They actually probably don’t need them, either.
Turn off your CAPTCHA. Your users will thank you.
• Inaccessibility of CAPTCHA – W3.Org
• It’s Official: Captchas Are Bad for Business – The ZURBlog
• Why you should never use a CAPTCHA – Online Aspect
• CAPTCHA Effectiveness – Coding Horror