A CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) is a program that generates and grades tests that are human solvable, but beyond the capabilities of current computer programs. It is a standard security mechanism used to combat malicious bot programs—mostly used to spread junk—and is seen on most websites including Google, Facebook and Yahoo. There are three main types of CAPTCHA:
- Text-based - Sophisticated distortion of text images rendering them unrecognisable to the pattern recognition programs but recognisable to human eyes.
- Sound-based - Require users to solve a speech recognition task.
- Image-based - Require users to perform an image recognition task.
This post will discuss only text-based CAPTCHA. Why? Well, text-based CAPTCHA is the most widely used type of CAPTCHA, and it requires users to perform a relatively simple task: character recognition. Although our discussion focuses on text-based CAPTCHA, it can also be applied to other types of CAPTCHA.
Distortion clearly has an impact on usability, since it is applied to a string of characters (mostly common words) to make the characters unrecognisable. The question is where we draw the line on the level of distortion. To cope with over-distorted text, most CAPTCHAs allow multiple attempts, resulting in an extremely annoying user experience.
Distortion results in ambiguous characters, especially when the characters are tightly spaced. Users often find themselves confused by certain single characters or pairs of distorted characters.1
- Commonly confused single characters include letter “l” or number “1”, letter “O” or number “0”, letter “G” or number “6”
- Commonly confused character pairs include letters “vv” or “w”, letters “cl” or “d”, letters “nn” or “rn” or “m”
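One way a site could act on the confusable characters listed above, shown as an added example that is not from the original post: grade answers leniently by folding each confusable group to one form, and generate new challenges from an alphabet that avoids those characters altogether. The function names, the choice of canonical forms and the case folding are assumptions of this sketch.

```python
import hmac
import re
import secrets

# Confusable groups from the list above. Which member is canonical, and the
# case folding, are choices made for this example.
SINGLES = str.maketrans({"1": "l", "0": "o", "6": "g"})
PAIRS = {"vv": "w", "cl": "d", "nn": "m", "rn": "m"}
PAIR_RE = re.compile("|".join(PAIRS))

# Every character that takes part in a confusable group (13 in total).
AMBIGUOUS = set("l1o0g6") | set("".join(PAIRS)) | set(PAIRS.values())
SAFE_ALPHABET = [c for c in "abcdefghijklmnopqrstuvwxyz0123456789"
                 if c not in AMBIGUOUS]


def canonical(text):
    """Fold case, then collapse each confusable group to a single form."""
    folded = text.strip().lower().translate(SINGLES)
    # One left-to-right pass, so overlapping pairs resolve the same way for
    # the expected text and for the user's answer.
    return PAIR_RE.sub(lambda m: PAIRS[m.group()], folded)


def grade(expected, answer):
    """Accept an answer that differs only by confusable characters."""
    a = canonical(expected).encode()
    b = canonical(answer).encode()
    return hmac.compare_digest(a, b)  # constant-time comparison


def is_ambiguous(text):
    """True if a challenge contains any character from a confusable group."""
    return any(c in AMBIGUOUS for c in text.lower())


def new_challenge(length=6):
    """Random challenge text that cannot produce the confusions above."""
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(grade("window", "vvind0vv"))   # constructed sample answers
    print(grade("modern", "modem"))
    print(new_challenge())
```

Lenient grading has a cost: "modern" and "modem" become the same answer, so the set of distinct solutions shrinks, and the restricted alphabet leaves 23 symbols instead of 36.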
Another possible usability issue may arise for foreign users with a different keyboard, such as Chinese or Arabic, or for users whose mother tongue does not use the Latin alphabet. While some websites might have few or even none of these users, major websites like Google or Microsoft that serve millions of people will need to look into this potentially serious issue.
There are several alternative spam prevention systems that we can use while the many CAPTCHA issues are being fixed. Microsoft’s AJAX Control Toolkit has NoBot, which attempts to provide CAPTCHA-like bot/spam prevention without requiring any user interaction and employs various brilliant anti-bot techniques.
Another good alternative to CAPTCHA is to ask users to perform very simple tasks or to answer a simple question. Tasks like “Please write ‘alan turing rocks’ in the field below to prove you are not a robot” and questions like “Is the Sun hot or cold?” can be very simple and easy for users to perform.
Defeating automated bots is a never-ending battle to limit widespread abuse. Even the most advanced system can’t cover all human users, so it is necessary for websites to ensure that users with disabilities have some human-operated means of interacting with a given resource in a reasonable amount of time.
On low-traffic sites, the use of CAPTCHA is unnecessary and may have a bigger negative impact on users than a positive one. The alternative systems suggested are not only much more usable but also very often more effective.
Lastly, the issues raised here are hardly complete, and many more may be explored for other types of CAPTCHA. This post is not intended to dismiss the functions of CAPTCHA in websites, but rather to point out that CAPTCHA is very much like a balancing act, with items constantly being added on either side, and that it requires a considerable amount of study for CAPTCHA to evolve into a secure and usable system.