Justin Hartman

Posted on June 18, 2009 - by

CAPTCHA – A sure-fire way to lose customers

A CAPTCHA is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. (via Wikipedia)

I really do consider myself an intelligent human being yet despite my own personal beliefs other websites simply don’t agree. For a long time I’ve struggled with CAPTCHA’s implemented on websites. Either I’m really dumb or the technology is flawed – I lean towards to later.

Let’s look at my latest example. Last night I went to Register.com to look for available domain names. Now I normally use GoDaddy for domain name squatting hunting but alas the last few days their search results have not been working properly so I decided to use the other giant.

When I tried to access the WHOIS details for a particular domain I was presented with a CAPTCHA – I guess in an effort to determine if I was a robot or a real human being – but after twenty unsuccessful attempts I simply had to give up the challenge-response test and succumb to the notion that I must be a robot/spammer/computer and not human after all.

After the first ten or so failures I decided to screenshot all my responses to the CAPTCHA images presented to me because I have to prove to myself that I am not a robot by getting your help on the matter. Here are my results.

Please can someone tell me where I went wrong…….?

The net-result is that Register.com will not be seeing any of my money any time soon and I can’t tell you how often this exact thing happens with CAPTCHA. I realise why a site like Register.com uses it, GoDaddy uses it too, but surely it could be easier for real people to pass the challenge-response test?

In 2005 the W3C Working Group wrote a paper on the Inaccessibility of CAPTCHA and there were some interesting findings. Most importantly they discovered that many of the CAPTCHA systems can be defeated by computers with between 88% and 100% accuracy and that all CAPTCHA effectively does is give site owners a false sense of security.

So if you implement a CAPTCHA system and are only able to achieve at best a 12% success rate in avoiding abuse of your system, then surely it’s time to implement other human verification methods?

Peep on Gatorpeeps 

Share this post: Share this post with the world.
  • Gatorpeeps
  • Muti
  • Twitter
  • Posterous
  • Facebook
  • laaik.it
  • del.icio.us
  • Digg
  • Friendfeed
  • Google
  • LinkedIn
  • Ping.fm
  • Reddit
  • StumbleUpon
  • Technorati
You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

23 Comments

I'd love to hear yours!



  1. Visit My Website

    June 18, 2009

    Permalink

    Stew West said:

    Heya! I hear you, sometimes these chaps just eat my goat, but I’d rather have a working version (which there are out there somewhere – just do some more digging), than have 100s of BotComments on my blog etc etc…



  2. Visit My Website

    June 18, 2009

    Permalink

    Conrad Strydom said:

    Hmm, I too share the dislike of captcha, in this case its clear that something clearly went very wrong and could probably be tracked to some sort of strange breakdown between the cookie and the sites general graps on reality.

    Still searching for the alternative though, there is sometimes a need to add that extra hurdle into a process to avoid easy (note I am saying “easy”) exploitation.

    Have seen some quirky things like the one google is working on where you have to flip the random upside-down images in a generated image sequence.. sigh.



  3. Visit My Website

    June 18, 2009

    Permalink

    Rustig said:

    They are a pain. Specially the ones where the “noise” has been increased to make it harder to read or even the letter at end is cut off. Simple few lines of php with 3+5=8 is sufficient. Not perfect, but reduce the spam.



  4. Visit My Website

    June 18, 2009

    Permalink

    Johann du Plessis said:

    I have found that ReCaptcha (recaptcha.net) works extremely well. The great thing about how it works is that the one word it displays (the one it actually uses to make sure you’re not a robot) will have been correctly identified by 1000′s of other users. I rarely make a mistake when entering one of their captcha’s (which I do a lot), and I’ve found it to be very secure.

    As for other captcha systems, I’ve lost count how many times I’ve been frustrated as well. I have given up many times to register for a site, just because their captcha is too difficult.



  5. Visit My Website

    June 18, 2009

    Permalink

    Justin Hartman said:

    Stew I hear you completely. However, if it’s on a blog I’d look at trying to implement Akismet (akismet.com) as it’s not only a WordPress thing or if you really want a Captcha then I’d use recaptcha.net as they’re more in alignment with accessibility guidelines – plus I generally am able to pass their tests :-)



  6. Visit My Website

    June 18, 2009

    Permalink

    Justin Hartman said:

    Conrad, thanks for confirming my suspicions!

    Rustig – I don’t even both with noise captcha – I just move on ;)

    Johann, love recaptcha.net – just a bit of latency if you use it on your own site which is a small problem but for end-users it’s the best Captcha technology IMO



  7. Visit My Website

    June 18, 2009

    Permalink

    Gustav Bertram said:

    You are dismissing an entire technology based on one bug, on a single site!

    In addition, your article title is misleading. I thought you would have some unique insight. Instead I found a rant.

    Here’s a thought. Put all this in an email, and send it to register.com!



  8. Visit My Website

    June 18, 2009

    Permalink

    Justin Hartman said:

    Gustav, the W3C Working Group paper wasn’t insightful?



  9. Visit My Website

    June 18, 2009

    Permalink

    Lester Hein said:

    I while back I started getting more and more spam bots and dodgy russian registrations on my blog.

    I added a CAPTCHA form to the registration page and since then they’ve stopped coming through. The good thing I noted was that the number of legit regs. didn’t tail off, so I guess it’s working.

    I use SI Captch a for WordPress (http://wordpress.org/extend/plugins/si-captcha-for-wordpress/) and can’t say that I’ve had any issues so far.



  10. Visit My Website

    June 18, 2009

    Permalink

    Kevin said:

    You’ll start to see the value of Captcha’s when you start dealing with a lot of “customer support” through your contact us pages.

    If your traffic is large, inevitably your contact us spam is proportionally large. Without captchas, handling these messages for a small company is a nightmare!

    I think they’re a G-d-send!

    P.S. they should work if you’re going to use them :-)



  11. Visit My Website

    June 18, 2009

    Permalink

    Deems said:

    Justin, I’ve had the same problems with Register.com – I don’t think it’s a CAPTCHA issue as they generally do work well, but if not implemented correctly, well then it’s a case of GARBAGE IN = GARBAGE OUT.

    There’s nothing wrong with any of the entries you posted screenshots of above. I just think the team that implemented it on Register.com’s WHOIS pages made some serious error.



  12. Visit My Website

    June 18, 2009

    Permalink

    Steve Crane said:

    I came across a very nice, simple CAPTCHA the other day. I forget where it was but it simply presented six normally-displayed characters, three of which were black and three red. Above the entry box was the instruction to enter only the red characters.



  13. Visit My Website

    June 18, 2009

    Permalink

    Justin Hartman said:

    Steve, that’s a really smart way of doing it!!!



  14. Visit My Website

    June 18, 2009

    Permalink

    Justin Hartman said:

    Deems I tend to agree with you on that.



  15. Visit My Website

    June 18, 2009

    Permalink

    Gustav Bertram said:

    There’s a huge difference between “Oh, this might be inaccessible to some disabled users” and “OMW, CAPTCHA will lose you customers!”



  16. Visit My Website

    June 18, 2009

    Permalink

    Justin Hartman said:

    Gustav, captcha will lose you customers if the technology doesn’t work. This isn’t a problem on one single site – it’s a problem on numerous. I decided to blog it because I’m tired of fighting with a technology that clearly doesn’t work for “humans”.

    Clearly you’re pro the technology, I’m not convinced, particularly when it directly impacts on your ability to sell something to someone. It’s just not good business sense irrespective of whether it prevents your site from being abused.



  17. Visit My Website

    June 19, 2009

    Permalink

    Chris M said:

    Story of my life! GoDaddy hasn’t worked for me for over a month, it’s terribly annoying indeed, so I just went forward and built my own little checker in PHP :)

    The number of times I’ve done CAPCHAs over and over and over is insane, definitely a “sure-fire way to lose customers”!



  18. Visit My Website

    June 24, 2009

    Permalink

    Sara said:

    Pretty cool post. I just came across your site and wanted to say
    that I have really liked reading your blog posts. Any way
    I’ll be subscribing to your blog and I hope you write again soon!



  19. Visit My Website

    June 26, 2009

    Permalink

    Abraham van der Linde said:

    Hey Justin.

    I’ve been using a capcha on my about page with success, but as you say, there are those that just don’t work like they should.

    Normally, When I enter something in a capcha and does not work on at least 3 consecutive retries, I quit doing it and leave the site.

    My conclusion of capchas,:

    NOT GOOD : not working always as in your case.

    VERY GOOD : When it works, blocks spam and ill content better than Akismet.

    Use it, don’t use it, up to you.

    Final thoughts, Nothing beats personal moderation of comments. If you don’t like what you see, DON’T approve.



  20. Visit My Website

    June 26, 2009

    Permalink

    Ross said:

    I also noticed that godaddy’s search wasn’t working… went and use http://www.whois.net instead. I think I’ll steer clear of register by the looks of things… will give me grey hairs by the looks of things.



  21. Visit My Website

    July 4, 2009

    Permalink

    Peter said:

    I’m a web developer and have found captchas necessary to stop spam for my company and clients.

    My solution for the sake of usability is to provide some form of “refresh” button next to the captcha. Refresh all you want until you find one that you don’t have trouble reading.

    Not to mention that I generally implement forms that use Javascript to validate them before they get submitted, so you get a much quicker response if you got it wrong instead of having to wait for the page to reload.

    Check out the captcha on the contact form here on my site: http://titaniumwebsolutions.com/contact (click the send email link to open up the contact form).

    If you ask me, this is how captchas should be implemented. It’s tough for bots to crack due to the wavy, crammed together letters and made more usable by letting users get a new one if they can’t read the first one that loads with the form.



  22. Visit My Website

    July 15, 2009

    Permalink

    Oluniyi David Ajao said:

    You are indeed a human being :roll: They must have had a temporary problem at the time you were trying. I dare say that captchas are a necessary evil. They help with managing spam on wordpress installations.



  23. Visit My Website

    September 17, 2009

    Permalink

    Tiny said:

    Then you get ever better Captcha’s, like this 3D one being used at Yuniti.com

    http://www.yuniti.com/register.php

    It just looks so good. And I believe you will have far less false positives!