We’ve all seen them, and to one degree or another, been frustrated by them: those distorted characters we’re supposed to be able to recognize, read, and type into a corresponding field on a web page.
That’s a CAPTCHA, which is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.” It’s even trademarked by Carnegie Mellon University.
As frustrating as they sometimes are, they exist for a very important reason.
Become a Patron of Ask Leo! and go ad-free!
It all comes back to spam
As with so many things these days, it’s all about spam and spammers.
There are several scenarios for which CAPTCHAs stem the tide of spam.
Without CAPTCHA, it’s easy to use a computer program to open thousands1 of free email accounts, and start sending spam from them. Sure, the accounts would eventually be blocked, but the program just keeps on creating thousands more.
Without CAPTCHA, it’s easy to use a computer program to leave thousands of spammy comments on Ask Leo! and other blogs and websites. It’s easy to overwhelm just about any web site that has an input form that even looks like it might be a comment-submission form.
Spammers have incurred untold millions of dollars of additional cost and burden on website owners and internet users.
CAPTCHAs are one way to keep that from growing out of control.
Computers trying to act like humans…
One of the oldest challenges in computer science is to build a computer (or software) that mimics “thinking” like a human and does it so well you can’t tell the difference. Asked a series of questions, you wouldn’t be able to tell whether the responses came from a real human or a computer.
That’s referred to as a “Turing test”, named after the computer scientist Alan Turing.
A CAPTCHA is a kind of Turing test. It’s a test to prove you’re human.
Why CAPTCHAs work
If you look at the two scenarios I outlined, each began with the phrase, “it’s easy to use a computer program”. Basically, CAPTCHAs prevent those computer programs from working.
For example, the traditional distorted letter type of CAPTCHA is indecipherable to contemporary computers and software. If the process of creating a new email account or submitting a comment requires you to prove you’re human by filling out a CAPTCHA, then the programs spammers love to use are stopped cold.
They can’t figure it out.
You and I, however, can (usually) make out what those letters are, and type them in correctly. We must not be computers. We’ve proven we’re human.
The drawback to CAPTCHA
CAPTCHAs have one huge drawback: they assume you can see.
Blind computer users – of which there are many – cannot complete visually-oriented CAPTCHA.
As a result, there are alternatives. Some use images (“click on all the pictures with a tree”), or even simple math expressed as a sentence (“what do you get when you add two and seven?”). The goal is the same; answering these types of tests is surprisingly difficult to automate, so a correct result is reasonably possible only if you’re human.
As another alternative, many text-based CAPTCHAs play an audio that sight-impaired visitors can listen to and then type in.
Of late, an even simpler CAPTCHA has become very popular: the “click here” CAPTCHA.
As simple as this seems, it’s apparently fairly effective. The “trick” is that you can’t click the checkbox right away. It’s actually replaced by a spinning disk until it’s ready for your input. Current automated spam bots aren’t capable of something as simple as detecting that a delay is required.
Why Ask Leo! has no CAPTCHA (today)
So, I take comments, but I currently don’t use CAPTCHA. How’s that possible?
I throw money at the problem so as not to inconvenience you.
WordPress-based sites have a service called Akismet available, which acts as a real-time spam filter. Every time someone posts a comment on an Ask Leo! article, that comment, and information about where it came from, is passed through Akismet for analysis. If Akismet says it’s spam, it doesn’t get posted, and you never see it.
I get a lot of spam, so I pay for Akismet’s premium service. As I write this, there are over 44,000 comments on Ask Leo! articles on this site. One hundred times as many spam comments have been blocked.
Because spammers aggressively and constantly change their approach, I’m not ruling out requiring CAPTCHA sometime in the future. But for now, things seem to be working well.
The future
CAPTCHA’s future will be interesting. There’s no doubt that image-processing software, and computers themselves, will become more powerful. Eventually, technology will be able to automatically decipher today’s CAPTCHA images and techniques. Look for new approaches – hopefully still easy for humans to use – to prevent spammers from further automating their efforts in the future.
But the bottom line? Don’t blame a web site for using CAPTCHA. It’s a corner they’ve been forced into.
Blame the spammers.
Podcast: Download (Duration: 6:28 — 6.0MB)
Subscribe: RSS
I saw an interesting Captcha the other day. Instead of a picture it had an easy to answer question. Something like “Which is not a tree? with six possible answers. The wrong answer was “2×4”. Since it was text it could easily be used by a screen reader. It would be interesting to know how easy it would be to beat.
I didn’t know that these things had a specific name. I suppose “captcha” sounds better than “gotcha”. :-)
I encounted one the other day (I think it was eBay’s “contact the seller” link) which included a “hear the code” link next to the picture. I guess they’re getting enough flak from people who can’t see the pictures to enter the code.
My problem is that I often can’t tell whether a letter is upper or lower case. Does it matter?
@Bill
Some are case sensitive. Others are not.
Hey Leo, could captcha be incorporated into an email client? Seams like that would break the back of spam’rs…
An email client is simply a program for sending and receiving emails. If a CAPTCHA was built into it, spammers could use a program without CAPTCHA. Spammers have their own bulk email sending programs.
I don’t know how, but … spammers would just use a different client.
I’m not certain about CAPTCHA, but there is a variant called reCAPTCHA that has a side benefit. There are thousands of books and documents that cannot be accurately converted to digital via OCR. In the case where a word or phrase is unrecognized, it is used as part of a reCAPTCHA item. When enough people have been presented with that item, the majority “opinion” is generally the correctly identified word or phrase.
I haven’t seen a reCaptcha like that in a while. If you go to their site they now have the “I’m not a robot” checkbox CAPTCHA.
I saw a reCAPTCHA a few weeks ago, but they are rare. One kind of CAPTCHA that I liked a lot is the “What does 6 times fifteen equal.” kind. Apparently, those must be bot accessible, or they would probably be more common. I could handle a simple word problem like “If a car goes 30 MPH and goes 10 miles, how long did the car drive.” Maybe if they let you choose a word problem instead of illegible letters or find the road signs in a fuzzy picture, it would make is easier for some.
It sure would help if the captcha creators would indicate if the response is case sensitive. Same problem with password creation. Rarely are the rules for a password presented before the first attempt. Both are unfriendly.
I used to design and program financial systems. I found that a major deficit with software designers is that they understand the technical details to get the job done, but many don’t empathize with the average to technically challenged users (actually the average user is technically challenged :-) ). That part is an art, not a science. Now I teach in an engineering school, and the vast majority relate much better to machines than humans. There should be classes on interfacing with humans. I should suggest that where I teach.
No kidding – and sometimes, they *never* give you their password requirements – you just have to trial-and-error it until you figure it out. I actually had one website accept my password, but then I couldn’t log in. I finally ended up calling their customer service – turns out, my password was too long – it accepted my original input for the password, but wouldn’t accept the whole length when I tried to log in!
I hope you won’t ever feel compelled to use the current CAPTCHA that’s going around. The one that after you check I’m Not A Robot then shows you a page full of mostly fuzzy photographs. You’re required to pick the ones that show trees, or storefronts, etc… I’m failing 80% of those, to the point of giving up, and on the ones I successfully pass it’s only after 10 minutes of repeated tries. This CAPTCHA is becoming ubiquitous and the catch-22 is that you can never contact the website to complain about it because you have to sign in first (and pass the CAPTCHA).
Yeah, CAPTCHAs can be especially problematic for people with visual disabilities – but they can be problematic for people without visual disabilities too. I find the CAPTCHAs that use strings of random, squiggly numbers and letters to be particularly difficult, and I have perfect eyesight.
The pictcha captcha (sorry) is certainly more accessible than the squiggly letters, especially, as someone aid, when they don’t tell you in advance whether they are case-sensitive. There are cultural issues, though. Is a laundromat a shop? Is a château a house? It doesn’t bother me, but I can see that people from other cultures might have problems. Perhaps it’s all designed to make us aware of the world beyond our borders, in which case, I’m all for it. Thank you for your informative and entertaining blog, Leo.
Peter
It seems like CAPTCHAS have become more tamed lately. They still use the – identify which fuzzy drawing contains a certain object. It still usually takes me 2 or 3 attempts, but once successful it appears they set a cookie which they check when you click the “I am not a robot” box instead of making you pass the CAPTCHA test each time.