Re: From the Department of The Bleedin Fekkin Obvious Department...
The problem with a "did you register for this" email is that bots are quite capable of clicking a link in an email.
The Australian Communications Consumer Action Network (ACCAN), Blind Citizens Australia, Media Access Australia, Able Australia and the Australian Deafblind Council have banded together to campaign for the demise of the CAPTCHA. CAPTCHAs, or Completely Automated Public Turing test to tell Computers and Humans Apart, ask users …
There are a couple of further problems:
Abuse of the email verification system to abuse mailboxes - sending thousands of non-wanted "confirmation" emails from your domain is a quick route to be marked as a spam source. Similarly receiving hundreds of these things would quickly annoy any recipient.
Secondly... what about the case where it's not a registration link? How about where you're just sending a message or reply on a website? Do you really want the hassle of having to check your inbox for a message, that is likely filed under junk, just to send a two line reply to a post or message?
> sending thousands of non-wanted "confirmation" emails from your domain...
So don't send thousands; it should be quite easy to detect when the system is being abused, just restrict the confirmation emails to one a minute.
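The throttle suggested above, as an added example that is not part of the original thread: a sliding-window limiter that caps confirmation mail at one per recipient address and at a global ceiling per window, with a constructed flood run to show what an abuser actually gets through. The limit values, the `example.invalid` address and the class name are assumptions.

```python
"""Throttle sign-up confirmation mail so an abused registration form cannot
turn the site into a spam source or a tool for flooding a victim's inbox."""
from collections import deque


class ConfirmationMailLimiter:
    """Sliding-window limiter with two caps inside `window_seconds`:
    `per_address` mails to any one recipient and `global_cap` mails in total.
    Both values are assumed defaults, not figures from the thread."""

    def __init__(self, per_address: int = 1, global_cap: int = 60, window_seconds: float = 60.0):
        self.per_address = per_address
        self.global_cap = global_cap
        self.window = window_seconds
        self._by_address: dict[str, deque] = {}
        self._all: deque = deque()

    def _prune(self, q: deque, now: float) -> None:
        # Drop send timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, recipient: str, now: float) -> bool:
        """Return True (and record the send) if a confirmation mail may go out now."""
        key = recipient.strip().lower()  # a@x and A@X are the same mailbox
        q = self._by_address.setdefault(key, deque())
        self._prune(q, now)
        self._prune(self._all, now)
        if len(q) >= self.per_address or len(self._all) >= self.global_cap:
            return False
        q.append(now)
        self._all.append(now)
        return True

    def forget_idle(self, now: float) -> None:
        """Housekeeping: discard per-address queues with nothing left in the
        window, so the map cannot grow without bound under a flood of addresses."""
        for key, q in list(self._by_address.items()):
            self._prune(q, now)
            if not q:
                del self._by_address[key]


def simulate_flood(limiter: ConfirmationMailLimiter, victim: str, attempts: int,
                   start: float = 0.0, spacing: float = 0.5) -> int:
    """Constructed abuse run: `attempts` sign-ups all naming the same victim
    address, `spacing` seconds apart. Returns how many mails would be sent."""
    sent = 0
    for i in range(attempts):
        if limiter.allow(victim, start + i * spacing):
            sent += 1
    return sent


if __name__ == "__main__":
    # 1000 sign-ups against one address over ~500 s collapse to 9 mails.
    print(simulate_flood(ConfirmationMailLimiter(), "victim@example.invalid", 1000))
```

Whatever the limiter decides, the form should show the same "check your inbox" message, so a rejected send does not reveal whether an address is already registered.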
> How about where you're just sending a message or reply on a website?
Why should you have to enter a CAPTCHA once you're registered and logged in?
> > How about where you're just sending a message or reply on a website?
> Why should you have to enter a CAPTCHA once you're registered and logged in?
I think there are times when I should be allowed to interact with a web site without being required to register with it first. (and some of those times I should not be required to supply an email address)
"A simple "Did you register for this?" email is the easiest & most Accessible way to handle the issue, doesn't discriminate against anyone with Disabilities (if they can't read the email, they probably can't read your site, either), and allows for the verification of a person's humanity in a way that doesn't make us want to put a bullet through your face for "proving" otherwise via technology that is, itself, Not Accessible."
It's also stupid and can become a wonderful and simple tool to flood people you don't like.
"Any place that uses CAPTCHA's to prove a potential user's humanity, automatically deserves to be branded "Fuckwad" in big, bold letters across the forehead, shaved bald, & have a lifetime Execution Sentence if they allow their hair to cover the brand, or otherwise allow it to be obscured."
Ditto for anybody who sticks an apostrophe into a simple plural.
Even when I had "perfectly good eye sight" I still really struggled with these damn CAPTCHA things. Since hitting the age where reading glasses are necessary I find them even worse.
I realise that something is needed to stop the SPAMmers but this isn't it.
I'm sure I remember a story here on El Reg a while back about SPAMmers getting around CAPTCHA by using porn bait, getting left-handed typists to solve the CAPTCHAs for them.
Totally disagree. I had a form on a site of mine with no captcha...was fine for a while, then the spam attacks started, all sorts of crap ending up in the database. Captcha added, problem went away, no spam for 3 years.
Until someone can suggest a better solution that isn't completely user-unfriendly (the link-in-an-email doesn't suit our use case at all) then I'll have to keep on using them.
I've seen a great new captcha type verification that solves this. A simple question like "Which of these are dogs?" and 8 pictures with dogs and cats. Click on the dogs and in you go... Works very well.
As far as small sites go it's a great solution, but once larger sites start using it it's not random enough to keep out the hackers/spammers though.
I have lattice degeneration, as well as partial posterior lens capsule opacity and moderate hearing loss and tinnitus secondary to an IED blast, I fucking HATE CAPTCHAs and wish bodily harm on those who insist on their use.
I'm now at the point where I avoid services that utilize the damned things, as I'd rather masturbate with a cheese grater than screw about with CAPTCHAs.
I've got decent eye sight, but I still struggle with those bloody captchas. Although someone above claimed that spammers can automate the response to verification emails, I'm not convinced. They normally contain multiple links to the confirmation form - a "clever" bot may follow all the links, so the answer could be to include one that cancels the subscription request. Another option is to include a keyword or phrase in the verification email that must be entered into a form on the page the verification link points to.
My eyesight is better than 20/20 but I suffer from degenerative monochromacy. One problem this causes is that coloured text often becomes illegible.
When it's been deliberately munged AND coloured on top, it's literally impossible to read.
I don't have a solution but I really wish that captchas didn't come in so many multicoloured varieties.
Although I hate having to enter captchas, as a support forum admin I have to implement them.
Before I had captcha on the registration process, the forum was being spammed into oblivion every day. Having email confirmation was next to useless as the spambots could automate it; they would hit the board with hundreds of spams in less than an hour.
It reached the point where I disabled the board entirely, before enabling a rather vicious captcha. Spam still gets in, thanks to the cheap-labour issue mentioned before, but a mere fraction of what used to hit.
I can understand that it makes life difficult for people with visual impairment etc, but the fact is that without it, there would be no forum at all for people to register on as I could not contain the levels of spam. Until something appears that works as well (or better) without the disadvantages, then this is the only option.
Have you tried image-based ones (like Photo Captcha)...? I'm pretty sure describing / recognizing the content in a random image is way harder for a machine (for now) than recognizing some letters twisted out of shape too much even for average humans.
The suggested implementation above could even be expanded upon by bringing in fresh, new images all the time - serve more (2-3) of them, ask the user to describe them with one word - the first one would be an already "trained" photo with a collection of most often suggested answers while the second (third) would be a fresh image in training, gathering suggested keywords until a confidence level is reached and itself becomes a trained one. I think ReCaptcha does something similar, sans the photo angle (and they swear they manage to avoid brute-spamming particular words into something they are not).
Granted, this might not do much for people with disabilities, but I think the rest of the world would be rather grateful... ;)
That doesn't solve the cheap labour angle because they're actually HUMAN, meaning anything a genuine user can solve, THEY can solve. Basically, cheap labour end-runs around the CAPTCHA because they're not the type of spammers the thing's intended to block. In fact, cheap labour may be an unsolvable problem in general because you're trying to tell between two humans: one of which is willing to mimic the other well enough to pass any kind of test to tell them apart.
CAPTCHAs are annoying and I don't need a better reason than that to want them gone.
But, taking the argument of ACCAN, their alternative doesn't hold up. They are limiting themselves to registration forms for signing up to websites which is a valid issue but not the only instance where CAPTCHAs are used.
Thankfully not all websites require you to sign up to use them (yet) and so there are a lot of CAPTCHAs in use where the proposed solution of sending an e-mail just doesn't make any sense.
To find a real alternative, you have to start by asking what the product does.
The purpose of those annoying scribbles is to verify that a human rather than a 'bot' is interacting with the website. Further, it is doing that in the website, without any additional processing from the user OR the site operator. FURTHER, it is a bit of bolt-on code that requires no additional infrastructure, maintenance or support from the website operator.
Compare that feature-set to 'just send an e-mail'. That 'solution' addresses none of the above points.
There needs to be a better solution but I think it's naive to just blurt out a 'common sense' answer, without accepting that if a workable alternative was that simple then we would have it already. There is a reason why 'just send an e-mail' isn't on the W3C's list and it's not because they haven't thought of it.
There's also a reason why none of the proposed alternatives have gained any acceptance, and that is because they are intensive to implement. A small business can very easily add a CAPTCHA to their website. Try adding 'Heuristic checks' to your small business's website!
I agree with ACCAN - they are difficult for even the most sharp-sighted of people to use so it is evident they would pose problems for others, less able users (including the elderly). I just think they need to recognise that the solution isn't that simple.
That post is far too reasonable and thought through. How the hell did you get access to these forums?
I've always hated CAPTCHAs. It's a rare time that I can get the buggers on the first go. I have very severe sight problems. Sadly the audio ones are even harder to decipher, and I've got pretty good hearing. So I just merrily go through a few (swearily if I'm being honest), until I get one right, like house drumpBty or somesuch. The nonsense words are particularly hard for me, because there's no context, so if there's one letter I can't read, then it's impossible to guess. Whereas if the u in house is unclear, I can get it from context.
Unfortunately the same problem applies to OCR. If it's unclear about one letter, it can go to word tables, and come up with a probability for what word it'll be. Hence making it easier for me, is probably going to do the same for the bots.
Actually I think this is the first time I've properly thought about the bloody things, and despite the fact that they're hateful, annoying and discriminatory - they're also quite hard to replace. Email confirmation isn't going to stop a well-written spam-bot. Anything that's commonly used, and available for people to just bolt-on to their site is going to be worth the spammers writing a counter to. And there's always the problem of paying peanuts to people in web cafes.
Someone suggested a simple astronomy question for their local astronomy site. Which works by security through obscurity. As soon as that solution became commonplace, bots would be written with a database of easy astronomy questions. Anything that a test can get me to look up, the spammers can also do.
Anything I can think of that's more human is even harder to make accessible. Things like cartoons, or puzzles are going to be much harder to bung through a screen-reader - and I'd have thought any questions can be looked up as easily by the spammers as the customers. Or at least put onto the spammers database, as fast as they go on the questioners database.
Perhaps the answer to spam is identity confirmation before you're allowed to register a domain, and then vigilantes with baseball bats? There are more of us than there are of them...
Can bots get around pictures?
So, for example rather than an obscured word I get a picture of a herd of cows and am asked to type in, in English, the singular of the animal/object in the picture. There could be quite a lot of pictures to pick from, and not necessarily animals.
Just a suggestion.
Two words: Screen reader. Or if you want different ones: Visual impairment. Which was rather the point of the article. Pictures resolve a small amount of annoyance for people who can already solve CAPTCHAs, but do nothing to solve the problems for many of the people who struggle with them.
Also, if it's a limited database of pictures, implemented by a commonly used piece of CAPTCHA software, then yes, the bots can solve it. By having access to the same list of pictures and answers. So the arms race would continue and the pictures would have to start being obscured and buggered around with, to stop the bots recognising them...
But going to pictures means you inconvenience the blind, which means you create accessibility problems. Pictures are the bane of screenreaders, and anything you do to make it more accessible to a screenreader instantly makes it easier for a bot to read (because both improve when you make things machine-readable).
Firstly I'd like to disagree with the sentiment involved in your post. So long as we don't greatly have to inconvenience society in order to be inclusive, we should do so. There's obviously a trade-off once things become more difficult and expensive - and that's where a realistic process of negotiation needs to take place - which is hopefully the role of politics.
There's no excuse, or reason, for marginalising large sectors of society. Particularly as computers aren't a hobby. They're vital in many jobs, as well as being a medium of access to various services.
Secondly I'd like to point out your error of fact. Computers aren't fundamentally devices with visual-tactile interfaces. The ones you use might be, but many others aren't. For example look up the Braille-note, which is a 'laptop' with braille keyboard and output device. Which has a tactile interface, with optional spoken output.
Complete speech interfaces have been commonplace for years now, and are getting to be rather good. Plus you've got Microsoft's Kinect and equivalents - which can track gestures or eye movements.
Now I'm happy to admit that the internet has a lot of content that's visual, either video or pictures. But a great deal of it is also text, plus big chunks of audio - and various other formats. For example El Reg. There are pictures and video all over this site, but apart from an odd video podcast, none of it is vital to the articles, so someone could perfectly happily get 99% of the sense of this site by screen reader or braille display.
Now if we return to the topic of the article, we find that CAPTCHAs are extremely unpopular even for people without visual impairments. Thus a discussion of alternatives seems like a pretty reasonable idea, and while we're doing it, considering the convenience of as many users as possible makes sense.
On the site I built most recently (a site for a regional amateur astronomy group), I ask a couple of questions that anyone with even a remote knowledge of astronomy and who is local should be able to answer easily. This site has been active a year, I have several hundred registered users and.... NOT A SINGLE SPAM.
On a forum site I built that uses a conventional captcha (because its engine doesn't have any other options), I'm getting 100 bogus signups per DAY from stupid bots that fill in the same random garbage into various fields.
Since I'm doing both these sites for gratis ('you couldn't pay me enough to do this for a living'), this situation has remained as is for a while.
When I setup a forum I started almost immediately getting spam, so I briefly added a captcha. I then got some of my users complaining that they couldn't use them for these reasons, so I removed it.
In the end the spam outweighed the number of comments so, as it's UK based, I ended up using GeoIP restricting it to UK-only IPs.
Although the free GeoIP database is not accurate it's cut the spam down to 0 (every spammer's IP I had traced to India, South Korea or China).
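The country restriction described in the post above, as an added example (not the poster's setup or any GeoIP vendor's API): a longest-prefix lookup against a country table, a fail-closed default for addresses the table does not cover, and the check a practitioner wants in front of it, namely trusting `X-Forwarded-For` only when the direct peer is one of your own proxies, since otherwise a client can claim any source address it likes. The prefix table is constructed from documentation ranges with made-up country codes; a real deployment would load a GeoIP database instead.

```python
"""Country allowlist for sign-ups, with safe client-address recovery behind a proxy."""
import ipaddress

# Constructed stand-in for a GeoIP table: RFC 5737 / RFC 3849 documentation
# ranges labelled with arbitrary country codes for illustration only.
SAMPLE_GEOIP = [
    ("192.0.2.0/24", "GB"),
    ("198.51.100.0/24", "IN"),
    ("203.0.113.0/24", "KR"),
    ("2001:db8::/32", "GB"),
]


class CountryGate:
    def __init__(self, table, allowed, fail_open: bool = False):
        self.networks = [(ipaddress.ip_network(p), cc) for p, cc in table]
        self.allowed = set(allowed)
        self.fail_open = fail_open  # what to do for addresses the table does not cover

    def lookup(self, addr: str):
        """Country code for `addr` via longest matching prefix, or None."""
        ip = ipaddress.ip_address(addr)  # raises ValueError on garbage input
        best = None
        for net, cc in self.networks:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, cc)
        return best[1] if best else None

    def permitted(self, addr: str) -> bool:
        """True if sign-up from `addr` is allowed. Unparseable input is rejected."""
        try:
            cc = self.lookup(addr)
        except ValueError:
            return False
        if cc is None:
            return self.fail_open
        return cc in self.allowed


def client_ip(remote_addr: str, forwarded_for: str, trusted_proxies) -> str:
    """Return the address to geolocate. X-Forwarded-For is honoured only when the
    TCP peer is a trusted proxy, and then the right-most hop that is not itself a
    trusted proxy is taken, because everything left of it was supplied by the client."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in n for n in trusted) or not forwarded_for:
        return str(peer)
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer address
        if not any(ip in n for n in trusted):
            return str(ip)
    return str(peer)


if __name__ == "__main__":
    gate = CountryGate(SAMPLE_GEOIP, allowed={"GB"})
    addr = client_ip("10.0.0.1", "198.51.100.7, 192.0.2.10", ["10.0.0.0/8"])
    print(addr, gate.permitted(addr))
```

Fail-closed is the default here because a free database's gaps are exactly where abusive traffic tends to land; flip `fail_open` only if locking out unlisted legitimate users costs more than the spam.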
> On the site I built most recently (a site for a regional amateur astronomy group), I ask a couple of questions that anyone with even a remote knowledge of astronomy and who is local should be able to answer easily
I've seen this on a couple of fairly niche forums that I'm subscribed to, and it works well. The only way around it for the spammer is to use low paid folk to subscribe by Googling the answers. For something with a limited subscriber list, this probably isn't worth their while.
If one is looking to reduce post spam - a radio/options array on the HTML form with 'I am a human being' not the default option foxes 99.9% of the script kiddies.
If the bot can get through that and/or there's anything more precious you're protecting - captchas probably aren't going to buy you much more.
I have seen this used on a number of sites. I suspect that this method will not hold up very well if it becomes more widespread. Given four choices, a bot that chooses randomly will get through 25% of the time, which will add up pretty fast stacked up against an automated attack. Perhaps if used in conjunction with another method, this might have some value.
I have pretty much 20/20 vision and love logic puzzles but I've lost count of the number of times I've failed these bloody things, I think it took me 7 attempts to sign up for a Skyrim game news site, in the end I gave up as each one seemed harder to decipher than the last. You need a degree in ciphers and cryptography to work out some of these CAPTCHAs!
I've seen "what colour is the text?"*, or "what is this a picture of?". Ridiculously easy for a human.
CAPTCHAs are already pretty easy for a human, so long as they can see properly. The whole point of this article was that if you can't see properly, they're ridiculously hard. And the audio versions are even harder.
Screen-readers tell you what text says, they aren't designed to tell you what colour the background is. Anything they can identify, is going to be equally easy for the spammers to spot.
Admittedly it might make things easier for someone like me, who has usable vision, but struggles with the text in CAPTCHAs.
Once upon a time the images used were scans from old books and documents which were unresolved and then used the community to decipher them.
I didn't mind them as they were a form of community service and helped us get archived documents onto the internet. Plus they seemed easier to read than Captcha.
But these no longer seem to be in use which is a shame and the images they use seem to be impossible most of the time. I simply don't use sites which have them.
Those tests aren't in use anymore because OCR is a very mature technology. (Except when I need it to work, apparently.)
That's why these CAPTCHAs obscure the text so eye-buggeringly much.
The thing is, though, that these types of decipher-the-text tests are not the only form of CAPTCHAs. It is the type used in Google's implementation and therefore quite popular, but most of the alternatives given here - like equations, questions, logic puzzles, etc... - are also deemed 'CAPTCHAs'.
The problem with many of the alternative CAPTCHAs is that they are not as strong as the obscured text variety. It's true that on a small site, implementing a simple question-answer database or math problem may well work better but the question is what would happen if all the sites currently using obscured-text tests switched to maths problems or trivia questions? Once there are enough sites using such tests, it becomes viable for spammers to devote resources to defeat them. And defeat them they will.
This is the dilemma and it's why there isn't a better solution yet. Some options may work for individual sites but as a standard that can be used widely, this is it at the moment.
Of course, that's without even considering that a move to test cognitive faculties over eyesight would in turn affect another subset of users, such as those with learning disabilities.
> Once upon a time the images used were scans from old books and documents which were unresolved and then used the community to decipher them.
reCAPTCHA are still doing this. Recent testing shows that the squiggled/warped word is the actual test, and you can put whatever you like for the blurred word.
What you charitably call "using the community" I call "cynically exploiting a huge and unwitting free labour pool", but this is personal inclination I suppose. My own is to make a point of getting that part wrong as humorously (or just profanely, more often than not) as possible.
Also I assume the spammers must also be aware of this, so half of what's on screen is bugger-all use in combating them anyway.
I do notice that on some sites the word that you're teaching them has been replaced by photographs of house numbers. As this is presumably reCAPTCHA's Choccy Factory overlords crowdsourcing enhancement of their Street View data, I now take even greater delight in utterly mangling my answers to these ones.
Ethics footnote: Yes, I'm probably a bit of a dick for doing this when the fruits of said exploitation are generally given back to the world for free (ads notwithstanding), but the secrecy (or keeping it pretty quiet, at any rate) about what they're up to left a bad taste. I like to at least KNOW when I'm being exploited, and it's also a form of security by obscurity, which I know how most folk round these parts feel about! (And of course it's Google, who really do bring out the juvenile troll in me.)
Ooooookay, I'll bite.
The Reg did an article about it thanks to "Reg reader Jim Allen" (says TFlinkedA). It's because of this rag's rather specialised readership that it can cover stories that otherwise it, or any well-read news outlets for that matter, probably wouldn't know (or, more often I suspect, care) about. El Reg found out about it != Google voluntarily announced it.
And if you don't agree on that last point, here's how much the News had to say about it. By my count, one unrelated article and one that's not in English. Not exactly shouting it from the rooftops, were they?
They can commission a bloody comic and get every known news outlet braying about it when they bring out a browser, but this one (which many would still consider altruistic enough to be acceptable as long as Google Maps remains free, I reckon) they for some reason can't cobble together as much as a 50-word press release?
(Sidenote: I used Google News because it's the only news search engine I know of at this moment. If you know others, it would be both interesting and pertinent to see what results they give.)
You need to understand that what's occurring here is they know they are big enough now to have irrational and destructive detractors (uh, like me I guess) so they are very careful about what activities they go out of their way to publicise. I'm not suggesting the Black Helicopter squad were at work, just normal PR behaviour: don't start trumpeting any news that some vocal people will find questionable. But by all means, carry on with your point-scoring if it makes you feel better.
Can't stand Captchas. I'm registered partially sighted, but on a bad day that can easily lower my vision to the levels of legally blind. (I have nystagmus, my visual ability varies greatly based on stress or how tired I am.)
I can agree wholeheartedly that Captchas suck monkey nuts. I've seen a few very good alternatives to Captcha which work rather well. Here's a few of them just to give options.
Complete the sum. (or the rarer, reverse the symbol and complete the sum)
DELETE THIS MESSAGE!
(delete everything in the box)
Are you a bot? ( yes / no )
Get out of check. (a chess board where you're in check and only one move will get you out. A bit of a pain for those who aren't too bright... Therefore it should be used everywhere on the internet)
Those are just a few, I'd disagree that the email activation link is a good way of authentication, too easy to make a bot that'll activate the email.
"A bit of a pain for those who aren't too bright... Therefore it should be used everywhere on the internet"
That made me chuckle a bit but seriously, if we're talking about not discriminating against people with disabilities, we have to accept that people with cognitive disabilities are just as vulnerable (if not more so) to discrimination as those with visual impairment.
Don't know if you've got any other condition, besides nystagmus. But I recommend alcohol. I did try to get my doctor to prescribe it last time I visited...
It's a side-effect of my eye condition, not the main problem. But I can see better after one glass of life-giving booze than before, as it's a muscle relaxant. Of course after ten...
The problem with most of those puzzles is that they're machine-solvable. So if they go into common use, the spam bots will simply be re-programmed to defeat them. I was trying to think of some way of working with jokes, but everything I can think of requires a database of questions for the CAPTCHA, at which point the spamming bastards just need to replicate (or steal) it and they're good to go.
Actually I have noticed alcohol makes a mild improvement before. Especially when playing pool. Start off okay, first couple of pints my game improves amazingly. Then it gets worse, and then I can't get the pool cue in my hand.
I have noticed there's a tipping point however, between my eyes slowing down, and my brain failing to compensate any more.
And yeah, nystagmus isn't the only problem. Ocular Albinism, comes with all the bells and whistles, Myopia, photophobia, nystagmus, I'm always convinced there's a fourth one, but can never remember what it is.
As the author of many websites I have to say that Captcha does not work all the time, normally because of very cheap labor. I would suggest to anyone looking for a solution that to trap normal spam bots hidden input boxes work nicely and combined with a layer of bot protection from a cloud service such as Cloudflare you only have to worry about Humans inputting.
Can't we have simpler verifications set up by the site's user such as "what color is the sun" or a more regional question for local websites such as "how many stars are in the American flag?", "what state is this store in?" things that would take time for a Human spammer to solve.
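The two form-level tricks mentioned in this thread, the hidden input boxes from the post above and the earlier "I am a human being" option that is deliberately not the default, combined in one server-side check, as an added example that is not anyone's posted code. A third test, a signed timestamp that rejects forms returned faster than a person could fill them, is added on the same principle. Field names, the secret and the timing limits are assumptions; as the earlier reply pointed out, a bot picking options at random still passes the radio test a fraction of the time, which is why the checks are stacked rather than used alone.

```python
"""Server-side checks for a comment or sign-up form: a honeypot field that
humans never see, a human/robot choice whose default is the wrong answer, and
a signed render timestamp that rejects instant submissions."""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: per-site secret, not from the thread
HONEYPOT_FIELD = "website"           # hidden with CSS; real users leave it empty


def form_token(now: float) -> str:
    """Value for a hidden field written when the form is rendered: '<unix ts>:<hmac>'."""
    ts = str(int(now))
    return f"{ts}:{hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()}"


def render_form(now: float) -> str:
    """Constructed HTML for the fields the validator expects."""
    return f"""
<form method="post" action="/comment">
  <textarea name="comment"></textarea>
  <div style="display:none" aria-hidden="true">
    <label>Leave this empty <input name="{HONEYPOT_FIELD}" autocomplete="off"></label>
  </div>
  <label><input type="radio" name="who" value="robot" checked> I am a robot</label>
  <label><input type="radio" name="who" value="human"> I am a human being</label>
  <input type="hidden" name="form_ts" value="{form_token(now)}">
  <button>Post</button>
</form>"""


def validate_submission(form: dict, now: float, min_seconds: float = 3.0,
                        max_seconds: float = 3600.0) -> tuple[bool, str]:
    """Return (accepted, reason). Cheapest checks first so obvious junk exits early."""
    # 1. Honeypot: naive bots fill every input they find.
    if form.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot filled"
    # 2. The radio defaults to 'robot'; a script that posts defaults fails here.
    if form.get("who") != "human":
        return False, "human option not selected"
    # 3. Timing: the token proves when the form was rendered and cannot be forged.
    try:
        ts_str, sig = form.get("form_ts", "").split(":", 1)
        issued = int(ts_str)
    except ValueError:
        return False, "missing form token"
    expected = hmac.new(SECRET, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad form token"
    elapsed = now - issued
    if elapsed < min_seconds:
        return False, "submitted too fast"
    if elapsed > max_seconds:
        return False, "form expired"
    return True, "ok"
```

These checks cost nothing to accessibility (a screen reader skips the `aria-hidden` honeypot and reads the radio labels normally), but they stop only scripts that do not bother to parse the page; the cheap-labour case discussed throughout the thread is untouched by them.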
It is a bad choice of question anyway; most people incorrectly believe the answer is 'Yellow'; but in fact the sun is white. Indeed, the sun defines white. This is easy to test; take a white piece of paper and shine a coloured light on it, and it appears to be the colour of the light you exposed it to. Now, take it out into the sunshine. What colour does it look?
White with a touch of yellow in it. While the light from the sun trends yellow, our atmosphere tends to deflect longer wavelengths of light (thus why we see a blue sky: shorter wavelengths are passing through). Trouble is that it's such a high intensity that we're kind of experiencing a sensory overload. Plus there are a ton of other factors that can affect the outcome, such as whether or not the paper is truly white, is the image being seen through something like a camera, etc.
The sun doesn't define white; our eyes do, through the distinct range of electromagnetic frequencies they are able to perceive. White for us is an even spread of EM radiation, of at least moderate intensity, throughout the visible light segment of the spectrum. We can define it that way by means of something like a spectrophotometer, which can measure the levels of light throughout the spectrum, regardless of how our eyes perceive it.
Let anyone onto a forum, but if more than n number of current forum members mark a users post as spam their account is locked and their posts deleted.
Send an SMS message? Gets to be expensive, but if there is a service where the receiver pays rather than the sender then any spammer will end up broke.
Forums have a voting system for other forum users to score a user - any unworthy poster gets blocked.
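The community-flagging idea in the post above, as an added example (not any forum engine's code): a threshold of distinct flags locks the account and hides the author's posts. The part a practitioner adds is the edge case that makes this safe to run, namely that only established members count, so a spammer's freshly registered sock-puppets cannot flag legitimate users off the board; the threshold and "established" criteria are assumptions.

```python
"""Community spam flagging: n distinct, established members flag a user and the
account is locked and their posts hidden."""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    joined_at: float        # unix time
    accepted_posts: int = 0


class SpamFlagging:
    def __init__(self, threshold: int = 3, min_age_seconds: float = 7 * 86400, min_posts: int = 5):
        self.threshold = threshold
        self.min_age = min_age_seconds
        self.min_posts = min_posts
        self.posts: dict[int, str] = {}          # post_id -> author name
        self.flags: dict[str, set[str]] = {}     # author -> names of distinct flaggers
        self.locked: set[str] = set()
        self.hidden: set[int] = set()

    def add_post(self, post_id: int, author: str) -> None:
        self.posts[post_id] = author

    def is_established(self, m: Member, now: float) -> bool:
        """Only members with some history get a vote; new accounts are ignored."""
        return now - m.joined_at >= self.min_age and m.accepted_posts >= self.min_posts

    def flag(self, post_id: int, flagger: Member, now: float) -> str:
        author = self.posts[post_id]
        if author in self.locked:
            return "already locked"
        if flagger.name == author or not self.is_established(flagger, now):
            return "ignored"
        voters = self.flags.setdefault(author, set())
        voters.add(flagger.name)                  # a set: repeat flags by one member count once
        if len(voters) < self.threshold:
            return "counted"
        self.locked.add(author)
        self.hidden.update(pid for pid, a in self.posts.items() if a == author)
        return "locked"

    def visible_posts(self) -> list[int]:
        return sorted(pid for pid in self.posts if pid not in self.hidden)
```

Flags are keyed on the author rather than the single post because, as a later reply notes, spammers post a burst across the board and move on; counting per post would let each spam post need its own three flags.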
err - magic?
If you have to vote a user to mark them as spam then this is only good for regular trolls. Spammers aim to get a flash of a few messages across different boards and would expect to be blocked very quickly. That's why they register lots of accounts or come back again and again with different accounts.
SMS, so now you can only use the site when you also have a mobile signal? Can't see any issues with that ...
I am all for the removal of those things but what about all the places they are used where people are NOT registering for anything? Things like payment forms, commenting forms, etc...
Thankfully not all sites on the Internet require users to register to use them, but many of these still use CAPTCHAs to prevent spam.
They are truly rubbish. There's obscuring noise, otherwise the bots would just use speech recognition, which is nearly as good as OCR nowadays.
I can barely read visual CAPTCHAs but the voice ones are worse. And I've got above-average hearing, and experience mixing live music, so I was quite surprised by that.
Always have trouble with Audio Captchas, i.e. Google. They never work for me and always sound scrambled. Yes, email activation can work but it's not the best option as not all Captchas do require or should require email addresses. Plus, as stated, Bots can activate links... So what are the alternatives? Here's 3 quick suggestions I've seen sites use :-
A: Simple Math 14*4 = ?...
B: A general Knowledge question about a popular song, film, sports star or news story...
C. A question that utilizes simple shapes or colors to quiz for a human 'user'...
These are standard alternatives, however do have problems:
* Maths questions can be bot-automated. It only takes a simple parser and they'll have the answer
* General knowledge questions are very region and language specific. Want to have an international website? Then forget it.
* Shapes and colours don't work for the visually impaired or just the colour blind.
I wish I could think of a proper solution to the captcha problem but, the best solutions will be multi-layered and will need to adapt regularly in a kind of "arms race" with the spam bot engines... very much like viruses and anti-virus software. That's not a fun prospect.
Sorry I didn't explain better. What I'd like to see is a menu of captcha choices offered to the user instead of just one highly obscured take-it-or-leave-it captcha which is a PITA!
* Maths questions can be bot-automated. It only takes a simple parser...
Not so, you still have to pass them through an OCR phase. There are math puzzles that do a good job of overlaying puzzles onto detailed color photographs. That's not easy to OCR, especially if you use people to make up the numerals in the puzzle and there are foreground and background objects in-between.
* General knowledge questions are very region and language specific
Fair Point! But there are already a number of alphabets on the planet with widely varying character sets, Japanese, Chinese, Cyrillic, Arabic etc. So an international site won't be able to prosper with a one size fits all captcha approach anyway, there's no escaping that!
* Shapes and colours don't work for the visually impaired or just the colour blind.
I have no better solution than Audio. What I can't understand is why Google's Audio captcha doesn't work based on personal experience and complaints from the community mentioned in the article...
"I have no better solution than Audio. What I can't understand is why Google's Audio captcha doesn't work based on personal experience and complaints from the community mentioned in the article..."
Because Google ALSO keeps a voice recognition system. Modern Android phones can use it in their searches. They probably first tune the system so that their voice recognizer balks at it and go from there.
"KittenAuth - Need an audio equivalent for the blind/partially sighted."
It should be easy to add and identify animal sounds, even kids can do it! But I can still see some thug spammer building a neural net to get through...
P.S. Reg staff. The indenting on this new look Reg website isn't working IMHO...
The problem with these alternatives is that B & C really must be implemented with a static database.
That kind of thing works at the small scale and can result in less spam than implementing something like ReCAPTCHA. But it ONLY works at the small scale. Imagine such a system replacing EVERY use of ReCAPTCHA through every website. Again, it is easily defeated by mass labour - having people record all the question-answer pairs. Indeed it's easier because there is very little on-going work - just keep the lookup tables up-to-date and most challenges can be passed with a simple DB query.
We could of course obscure the challenge but then we'd be back where we started.
Option A is slightly better as you can generate the challenges automatically, without requiring a pre-populated database. But then, this is no different to the existing ReCAPTCHA solution: a block of text must be read, understood and then answered. Mathematical problems give no more trouble to bots than does the text recognition, so again you have to obscure the text (equation) for it to work.
The strength of ReCAPTCHA comes from the strength of the underlying algorithm, which is made public to ensure it is as good as possible. The other options, save possibly the equation, rely on hiding the question-answer lists. Real security and strength comes when you actually EXPOSE your code to the world and it STILL works.
So while ReCAPTCHA is not a perfect solution, it is an amazing achievement and allows webmasters the world over to add some exceptionally effective (all things taken into account) anti-spam technology to their site without much effort.
Alternative challenges are certainly worthwhile and your users will thank you if you implement a solution that cuts down on spam without requiring users to click refresh 20 times, but know that the more people that implement a similar system of question/answer (whatever the subject matter), the more insecure your own, similar solution will be.
This post has been deleted by its author
"better than capcha!" Not from the point of view of the complainers, I'm afraid. It is still highly visual, and, on the demo I just took, it adds movement to the problem of very small graphics. There is no way I can see to make an audio version, for instance. And the amount of permissions I had to give to enable it to work was scary.
Personally, I find it worse than CAPTCHA, but then I only rarely (perhaps only twice in the last 5 years) have any problems with the wobbly-text ones.
If you click on the wheelchair symbol, you get an audio CAPTCHA. I've no idea what it said, or whether they were even numbers or letters. The sound was so distorted I didn't even know when it started or finished.
The visual game was good. For most people, but then most people can already do CAPTCHAs. However it added some relatively fine motor-control to being very hard to see, so added a few more people with disabilities into the mix of people who won't be able to make it work. Back to the drawing-board I'm afraid. Next time, hopefully with less scripts and crap required to run it?
Plus, I might like the taste of a remote control on my sundae? Or hate cherries?
There's a lot of alternatives to CAPTCHA which require a small amount of intelligence on the part of the user. One of the better ones I came across (for a maths enthusiast group) required you to solve a rather complex piece of maths. Solution for the non-mathematically literate was to paste it into Wolfram Alpha and paste the result back.
That sort of thing is more-or-less soluble for spammers who use the low paid of course, but using domain-specific knowledge for your group seems quite an acceptable way of keeping away spammers and trolls.
SMS is good as a secondary authentication path for confirming the identity of a known user. The SMS is sent to a number that the site server already knows, so there's little opportunity to spoof the result. (Though there are some possible attacks, such as phone malware that automatically confirms without the user's intervention)
This is a different problem from the one that captchas are supposed to solve: determining whether the entity trying to gain access to a site is a human or a bot. Captchas are difficult for bots to complete for the same reason that they are difficult for humans (but, ideally, less so). Responding to an SMS can easily be automated, so doesn't solve the problem.
The use of SMS would not be universally acceptable as it would also require every user to have an SMS-capable phone, and to be prepared to disclose its number.
Crude? Yes, but used it on loads of websites and found it very effective - I'm sure there are many bots that could defeat it, especially if targeted directly, but in general very effective.
Quick google returns this:
As with most things on the web, it's constantly changing attack vectors and inaccurate defences.
The other day I was trying to link my phone to laptop and was faced with entering a seven digit pairing code on a tiny keyboard within seconds, assuming I'd clicked okay on the phone first (which I failed to do the first time so ran out of time).
Goddammit, I'm in my own home with little possibility that my neighbours will also be Bluetoothing with their phones pressed against the party-wall hoping to hack into my boring files.
I've given up networking computers with different versions of Windows because they seem to have been deliberately hampered by each evolution of the OS in order to force you to upgrade every machine.
CAPTCHA is less annoying for me (as an able bodied person) but much of this security malarky is to do with product liability concerns rather than any real-world necessity.
When security sabotages what one is legitimately trying to do, it has gone too far. Would you shop at a place which regularly searched your bags? In many circumstances an option which said "Thank you for your concern for my security but I'll pass on this occasion" would not compromise security a jot.
I don't think you understand the problem that CAPTCHA is trying to solve. Which is spammers spamming legitimate forums to buggery.
I'm on a forum run by my favourite science fiction author, with probably 50 regular posters, and I'm sure many more lurkers/occasional posters like me. She had 100 bots apply for accounts in one weekend this month. She doesn't use CAPTCHAs. That's an absolute load of work for a forum admin on a small forum to get through, and I don't want her nixing bots, I want her to hurry up and write more books.
I've done a turn as a Mod on Tom's Guide forum and spam postings were a problem, but many ordinary members took pleasure in reporting it, so it was just a routine chore deleting nonsense ads for fake trainers etc. I suspect the volume of crap has increased since.
My complaint is more about completely irrelevant security measures which sabotage one's efforts even when working on a home network.
>If your screen-reading software can tell a lion from a cat, so can the bot.
This really gets to the heart of the problem, most 'security', where the website doesn't know anything about the user, does rely on the user being able to clearly see/hear the CAPTCHA or similar and so successfully navigate the human-bot trap.
The fundamental reason why image and audio based security mechanisms such as CAPTCHA are favoured is because these represent hard knowledge-based AI problems for computers to solve and hence make it very difficult to create programs capable of solving them and that's before we begin to worry about the processing demands of such programs.
In some respects a person who has problems with CAPTCHAs probably needs a trusted man-in-the-middle who can satisfy the CAPTCHA test as and when needed...
Ever since I realised that people were using CAPTCHAs to digitise books I have been adding swear words instead of the word from the book. It's quite easy to tell, one word will be a real English word, unscrambled, that word you can substitute for some witty replacement, the other word, usually a random series of letters/numbers scrambled, you have to enter properly.
Take a look at the ACCAN website - they've managed to hide their "Contact Us" in plain sight.
When you find it, they've obscured the email addresses for human visitors (badly, using the cunning trick of replacing @ signs with (at) ) but left the addresses machine readable in the source - so it's deliberately harder for humans than computers.
CAPTCHAs don't recognise me as a human either but I don't have much problem with that when I look at the dregs of humanity that surround me. A better solution is required but email verification links are not the answer, writing a bot to monitor the email address and follow any links is trivial.
The Wordpress plugin is excellent at reducing comment spam. You install the plugin and register with Akismet for an API key. And that's it. The plugin automatically screens comments and only lets through genuine ones. I had it on my old news website (around 7-10k uniques per month, not huge but had a decent commenter community) and I never had any instances of genuine comments going astray.
Much of the below has been said here and there but a few points to start:-
1: The root cause is NOT Captcha, it is the nature of humanity that is the problem. If we were not a species of "nest foulers", defecating on the very things that we try to construct for ourselves, then in most cases we would not need any such protection as Captcha tries to provide. Nobody wants Captcha to need to exist.
2: Captcha is not necessarily unfit, as a general concept, it is the implementation that has short-comings. Most of the alternatives suggested have been Captchas in concept, just with different tests.
3: Email verification is NOT an adequate solution by itself, for many reasons mentioned already. It is an excellent 2nd or 3rd line of defence during initial registration.
4: Whilst some sites can be overly paranoid with putting a visitor through repeated Captchas, there are good reasons for Captchas after logon, e.g. defending against visitors that unknowingly have bots (viruses) that use un-closed sessions when there has been no user activity for a while. Also defends against cheap human labour registering and/or logging in and then running an automated system.
5: There is no single solution that will suit all, as the various suggestions have shown. All of them will fail if a visitor is not 80%+ able in at least one of sight, sound, mental abilities, memory, dexterity etc.
On sites I maintain, using off-the-free-shelf plug-ins, they usually ask a random Captcha test type from a range of installed ones, including some along the lines already mentioned and usually requiring a small degree of human logic (depending on the nature of the expected site visitor). That is not perfect but does address some of the perhaps less thought through objections.
Taking it that Captcha, or an equivalent gate-keeper, needs to exist, and that the gate-keeper needs to cope with the abilities and limitations of any visitor...
- When a user registers they select the types of Captcha tests they wish to avoid e.g. (_) Visual, (_) Colour, (_) Audio, (_) Literary, (_) Mathematical, (_) Intellectual
- Captcha mechanism to operate from a pool of tests that are classified by the above styles so that excluded types are not displayed for that user. If you are impaired in sight or vision then you will be given tests that avoid your specific limitation(s).
- As new or updated tests are released into that pool the site will make use of them, i.e. the site, and visitor's profile, are NOT configured to use any specific Captcha test.
- In addition, the general quality of Captcha tests needs improving: use of standards, review process etc. for newly added tests.
This would need to be a free community system available as plug-ins for all major website systems such as Joomla, Drupal etc.
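The selection mechanism sketched in the post above (a pool of tests tagged by the abilities they depend on, a per-user exclusion list, random choice among what remains) as an added worked example. This is editor-supplied code, not the poster's plugin or any real Joomla/Drupal module; the challenge names, the category list and the pool contents are constructed for illustration. The one check worth adding to the design is the fallback: a user who excludes every category must be routed to a different gate (the email verification the post calls a 2nd line of defence), not silently let through.

```python
import random
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# The six styles from the post. Any other name in a profile is rejected.
CATEGORIES = frozenset(
    {"visual", "colour", "audio", "literary", "mathematical", "intellectual"}
)


@dataclass(frozen=True)
class Challenge:
    name: str
    # Abilities this test relies on; a user excluding ANY of them never sees it.
    requires: FrozenSet[str]


# Constructed sample pool (hypothetical test names, not a real plugin's).
POOL: List[Challenge] = [
    Challenge("distorted-text", frozenset({"visual", "literary"})),
    Challenge("colour-shapes", frozenset({"visual", "colour"})),
    Challenge("animal-sounds", frozenset({"audio"})),
    Challenge("arithmetic", frozenset({"literary", "mathematical"})),
    Challenge("riddle", frozenset({"literary", "intellectual"})),
]


def register_challenge(pool: List[Challenge], challenge: Challenge) -> None:
    """Add a newly released test to the pool. Tags must come from CATEGORIES
    so a mis-tagged test can never slip past a user's exclusions."""
    unknown = challenge.requires - CATEGORIES
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    pool.append(challenge)


def parse_profile(excluded: Iterable[str]) -> FrozenSet[str]:
    """Validate the categories a user ticked at registration."""
    chosen = frozenset(excluded)
    unknown = chosen - CATEGORIES
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    return chosen


def eligible(pool: Iterable[Challenge], excluded: FrozenSet[str]) -> List[Challenge]:
    """Every test that depends on none of the excluded abilities."""
    return [c for c in pool if not (c.requires & excluded)]


def pick_challenge(
    pool: Iterable[Challenge],
    excluded: FrozenSet[str],
    rng: Optional[random.Random] = None,
) -> Optional[Challenge]:
    """Choose a test for this request. Nothing about the choice is stored in
    the profile, so new pool entries are used automatically. Returns None when
    the pool has nothing the user can do; the caller must then fall back to a
    different gate (e.g. email verification), never skip the gate."""
    candidates = eligible(pool, excluded)
    if not candidates:
        return None
    # SystemRandom so the next test type is not predictable from the previous one.
    rng = rng or random.SystemRandom()
    return rng.choice(candidates)


if __name__ == "__main__":
    profile = parse_profile(["visual", "colour"])
    print([c.name for c in eligible(POOL, profile)])
    chosen = pick_challenge(POOL, profile)
    print("serve:", chosen.name if chosen else "fallback gate")
```

Pass a seeded `random.Random` only in tests; in production the default `SystemRandom` keeps the sequence of test types unpredictable to a bot that is probing the pool.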
There's a gap between weeding out bots and weeding out spammers. I'm on a forum which has CAPTCHAs on user registration, and posting for the first 50 or so posts. The new user registration also includes email verification. This has been effective at removing bots, but has been completely ineffective at removing human spammers.
Here's a way to remove bots: have an image map with randomly mapped areas with random names. The user can click on the appropriate spot, but the bot will be confused. For audio, ask the user to differentiate between different sounds.
But if someone wants to stop *spam*, then you just have to wait until the bot or person actually posts something.
I work in online marketing/web dev. Here's how I see it.
- CAPTCHAs are a massive pain in the 'aris for anyone who has to fill them in.
- The number of man hours wasted on them is a disgrace.
- They *do* work, filtering out older spamming programs and those unable to automate
- There are captcha solvers "as a service" that cost next to nothing
- At the very least, CAPTCHAs slow the rate of spam.
Hashcash is actually an interesting concept that I think would be more effective at limiting spam.
Rather than eating up man hours though, it'll eat up CPU cycles and power.
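Hashcash as mentioned in the post above, as an added worked example (editor-supplied, not the poster's code and not the reference hashcash tool). The client mints a stamp by searching for a counter such that the SHA-1 of the whole stamp starts with `bits` zero bits; the server verifies that property, which costs one hash. The stamp layout follows the hashcash v1 string `ver:bits:date:resource:ext:rand:counter`; the counter here is a plain decimal rather than the tool's base64 counter, which makes no difference to verification. The resource name and the 12-bit difficulty are chosen for illustration; a deployment would pick a resource tied to the form (e.g. the forum's posting URL) and a difficulty that costs a human's browser about a second and a spam farm real electricity.

```python
import base64
import hashlib
import os
import time
from typing import Optional, Set


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a byte string."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()  # zeros before the top set bit of this byte
        break
    return n


def mint(resource: str, bits: int = 12, date: Optional[str] = None) -> str:
    """Client side: burn CPU until the stamp's SHA-1 has `bits` leading zeros.
    Expected work is 2**bits hashes; 12 bits is instant, 20 bits is a
    noticeable pause, which is the whole point."""
    date = date or time.strftime("%y%m%d")
    # Random salt so two clients minting for the same resource cannot share work.
    rand = base64.b64encode(os.urandom(8)).decode().rstrip("=")
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(
    stamp: str,
    resource: str,
    min_bits: int = 12,
    max_age_days: int = 2,
    seen: Optional[Set[str]] = None,
) -> bool:
    """Server side: one hash plus a few field checks.
    Rejects stamps that are for another resource (work was done once and is
    being replayed against every form on the web), that claim less work than
    we demand, that are stale, or that we have already accepted (double-spend)."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
        stamp_time = time.mktime(time.strptime(parts[2], "%y%m%d"))
    except ValueError:
        return False
    if bits < min_bits or parts[3] != resource:
        return False
    if abs(time.time() - stamp_time) > max_age_days * 86400:
        return False
    # The stamp must actually carry the work it claims.
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False
    if seen is not None:
        if stamp in seen:
            return False
        seen.add(stamp)
    return True


if __name__ == "__main__":
    # Constructed resource name: the form this stamp is meant to unlock.
    stamp = mint("forum.example/post", bits=12)
    print(stamp, verify(stamp, "forum.example/post"))
```

The `seen` set is what keeps the scheme honest: without it a spammer mints one stamp and submits it with every post. The date field bounds how long that set has to be kept.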