If it’s one thing that I hate worse than spam, it’s CAPTCHA. We’ve all seen CAPTCHA ages before, they look like a three year old scribbled some random letters on a piece of paper, and than spilled a can of paint in the middle of that paper. Somehow, we are supposed to be able to read these letters, and insert the correct characters in order to submit a form. Most of the time, the CAPTCHA level of noise, or amount of ink splots and other material added to distort the letters, is so high that I can’t even tell if a character is even a member of the same alphabet that I use.
Perhaps the most damaging part of CAPTCHA is the assumption that you are up to no good. A website is placing an undue amount of stress upon you, for what? To enter a comment on a blog? To register for an email address? To send someone a message? I wonder how many potential customers and clients alike have been turned away from a website or vendor because of their CAPTCHA implementation. Personally, I’m afraid of it as well (on my contact form), that’s why I haven’t implemented it yet on that form.
However, alternatives to CAPTCHA are gaining ground. Acceptable alternatives, in my opinion, involve the least troublesome challenges to your website visitors or clients. Examples include:
The problem that most opponents have with CAPTCHA alternatives is that they can be easily spoofed, if the script creator doesn’t add enough random challenges into the mix. Admittedly, if your form only contained the challenge, “Is ice cold or hot?”, you would be in some trouble shortly. However, you can always combine challenges, and with a set greater than 20 challenges, have a very formidable defense against spam bots. Especially, when you combine images with text. Consider the following challenge:
Is ice hot or cold? ________
Now, this challenge isn’t particularly difficult for most spam bots, you just need to re-write some code. You could even allow it to guess, buy inputting as the answers “is”, “ice”, “hot”, “or”, and cold”- until you finally got the right answer. However, let’s take it a step further. Let’s do this:
_______
Now, we’ve got the same question, just inserted into our site as an image. Assuming that the image is randomly named, this is an excellent way of combining different CAPTCHA workarounds. Now, in order to defeat our form script, a bot writer will have to implement OCR technology into his script, and also implement a routine that submits every word in the challenge sentence, in order to try and fool our form script.
Now, let’s make things interesting. In our form script, let’s have a set of, say 20 questions. These 20 questions are selected from a database (to make things a bit easier to add or remove questions), and we randomly pick our question from that database. We can go further from our “Is ice hot or cold”, to include such questions as “What is the name of the planet that you live on?”. In this last example, the correct answer, earth, is not located anywhere in that question. Now, the person writing a bot to spam our form has to hand write each and every answer to every question.
We can stop this game at any time, but the bottom line is that with the proper amount of preparation, our form script can be harder to beat than CAPTCHA. Most importantly, it will not cost us ANY visitors, clients, or customers. The humans can still easily submit information to us using our form, and all of the spam bots won’t know what to do with our web form.
Now, the tricky part is just getting everyone else to switch over from CAPTCHA to one of these alternatives. Perhaps over time, these alternatives to CAPTHA will gain in popularity. Only then will I finally be able to create an account on a website without pulling my hair out at a mixture of something from Picaso’s works and the modern alphabet.
