CAPTCHA: Are you for real?
December 9th, 2008
CAPTCHA challenges are so ubiquitous these days that major web sites are frustrating users by the millions with distorted text, mathematical equations, puppies, and more. CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. Typically, they are employed to allow web sites to reject, for example, blog spam entered by automatic spam programs.
Unfortunately, CAPTCHAs don’t work.
The problems with CAPTCHAs
It’s an arms race. As spammers and attackers get better at programmatically breaking CAPTCHAs, web sites use more ridiculous CAPTCHAs, and so on. We are already at the point where many CAPTCHAs are very difficult for most humans to read:

Of course, on the other end of the spectrum, CAPTCHAs like the following are really just an inconvenience to both users and computers alike (this one is very easy for a computer to see, so it defeats the purpose of CAPTCHA altogether):

The majority of ordinary users are penalized for the actions of the minority of spammers. This is like forcing all drivers on a certain highway to take a breathalyzer test without probable cause, just in case they might be drunk.
Users with impaired vision (in some cases, colorblindness might be enough!) might find it impossible to read CAPTCHAs. On sites that do not have an audio CAPTCHA option, vision-impaired users are often out of luck. Heck, my vision is fine, and even I have to take several attempts at some CAPTCHAs.
Real humans are for hire. A truly determined spammer with a few dollars to spare can easily hire extremely cheap labor to sit at a computer and type in CAPTCHA responses all day long. Sadly, this is surprisingly cost effective for many spammers.
Humans will tend to give up after a few attempts, but computers are very patient by nature, and robots have numbers on their side. If a site doesn’t have any sort of rate limiting, a spam bot can and will easily hammer a form hundreds of times to slip one submission through.
For these reasons, current CAPTCHAs are far from a panacea.
In a nutshell
The pure idea is sound—to tell humans and computers apart—but, in my opinion, the execution is fatally flawed. All current CAPTCHAs, being “Completely Automated”, rely on computers to tell humans and computers apart. Essentially, this boils down to computers trying to fool other computers. See the problem, here?
Sure, if we had computers that could replicate human AI, they would probably do pretty well at telling humans and today’s computers apart. But, by then, the spammers’ bots will have full human AI, too. That’s an even bigger problem. See http://en.wikipedia.org/wiki/Turing_test
I am definitely not saying that web sites should immediately abandon all use of CAPTCHAs. I still use CAPTCHAs on this blog to slow down the spammers. I would get a few more comments from real users if not for that, but I understand the drawbacks, and I’m willing to take the hit.
It is beyond the scope of this article to go into a full discussion of all alternatives to CAPTCHA, so I will say only this:
Choose the right tool for the actual problem you need to solve.
A CAPTCHA on, say, a sign-up page can easily do more harm than good: you will lose some percentage of legitimate users while you unwittingly support some third-world economy. Basic rate limiting, exponential backoff, and reporting on new account creation are probably enough for all but the most high-profile sites. But, again, this depends on a thorough understanding of your problem domain, coupled with a careful analysis of the available options.
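To make the "rate limiting plus exponential backoff" alternative concrete, here is an added example (my own hypothetical code, not anything from the original post or this blog's software) of a per-client limiter for a form or sign-up endpoint. Each client key may make a fixed number of submissions per sliding window; exceeding it locks the key out, and the lockout doubles on each further violation up to a cap. The `simulate_burst` helper replays the scenario from earlier in the post, a bot hammering the form hundreds of times, and counts how many submissions actually get through. The client key `203.0.113.7` is a constructed placeholder address.

```python
import time
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ClientState:
    """Per-client bookkeeping kept by the limiter (hypothetical example)."""
    recent: deque = field(default_factory=deque)  # timestamps of accepted attempts in the window
    strikes: int = 0             # how many times this client has exceeded the window
    blocked_until: float = 0.0   # clock time at which the current penalty expires
    last_violation: float = 0.0  # clock time of the most recent violation


class SubmissionLimiter:
    """Sliding-window limit plus exponential lockout for a form or sign-up endpoint.

    Every client key (source address, session id, account, ...) may make
    `max_attempts` submissions per `window` seconds. Exceeding that locks the
    key out for `base_backoff` seconds, doubling on each further violation up
    to `max_backoff`; the doubling resets once the client has been quiet for
    `strike_reset` seconds.
    """

    def __init__(self, max_attempts=5, window=60.0, base_backoff=30.0,
                 max_backoff=3600.0, strike_reset=86400.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.base_backoff = base_backoff
        self.max_backoff = max_backoff
        self.strike_reset = strike_reset
        self._clock = clock          # injectable for deterministic testing
        self._clients = {}

    def check(self, client_key, now=None):
        """Return (allowed, retry_after_seconds) for one submission attempt."""
        now = self._clock() if now is None else now
        st = self._clients.setdefault(client_key, ClientState())

        # Still serving a penalty: refuse and tell the caller how long to wait.
        if now < st.blocked_until:
            return False, st.blocked_until - now

        # Forgive old strikes so a reformed client is not penalised forever.
        if st.strikes and now - st.last_violation >= self.strike_reset:
            st.strikes = 0

        # Slide the window: discard attempts older than `window` seconds.
        while st.recent and now - st.recent[0] >= self.window:
            st.recent.popleft()

        # Window is full: apply an exponentially growing lockout.
        if len(st.recent) >= self.max_attempts:
            penalty = min(self.base_backoff * (2 ** st.strikes), self.max_backoff)
            st.strikes += 1
            st.last_violation = now
            st.blocked_until = now + penalty
            st.recent.clear()
            return False, penalty

        st.recent.append(now)
        return True, 0.0


def simulate_burst(limiter, client_key, attempts, interval):
    """Replay a bot hammering the endpoint `attempts` times, `interval` seconds apart.

    Returns how many submissions got through. Constructed scenario for the example.
    """
    accepted = 0
    for i in range(attempts):
        allowed, _ = limiter.check(client_key, now=i * interval)
        if allowed:
            accepted += 1
    return accepted


if __name__ == "__main__":
    limiter = SubmissionLimiter(max_attempts=3, window=60.0,
                                base_backoff=10.0, max_backoff=80.0)
    got_through = simulate_burst(limiter, "203.0.113.7", attempts=200, interval=0.5)
    print(f"bot got {got_through} of 200 submissions through in 100 seconds")
```

With those settings the simulated bot lands 12 of its 200 submissions in 100 seconds, and the lockout has already reached its 80-second cap, so the rate of successful submissions keeps falling the longer it hammers. In a real deployment the per-client state would live in a shared store rather than a process-local dictionary, the key would combine more than a source address (shared NATs and proxies put many humans behind one IP), and the strike counts themselves are the raw material for the "reporting on new account creation" the post recommends.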