Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why CAPTCHA?

We’ve all seen them, and to one degree or another, been frustrated by them: those distorted characters we’re supposed to be able to recognize, read, and type into a corresponding field on a web page.

That’s a CAPTCHA, which is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.” It’s even trademarked by Carnegie Mellon University.

As frustrating as they sometimes are, they exist for a very important reason.

Become a Patron of Ask Leo! and go ad-free!

It all comes back to spam

As with so many things these days, it’s all about spam and spammers.

There are several scenarios for which CAPTCHAs stem the tide of spam.

Without CAPTCHA, it’s easy to use a computer program to open thousands1 of free email accounts, and start sending spam from them. Sure, the accounts would eventually be blocked, but the program just keeps on creating thousands more.

Without CAPTCHA, it’s easy to use a computer program to leave thousands of spammy comments on Ask Leo! and other blogs and websites. It’s easy to overwhelm just about any web site that has an input form that even looks like it might be a comment-submission form.

Spammers have incurred untold millions of dollars of additional cost and burden on website owners and internet users.

CAPTCHAs are one way to keep that from growing out of control.

Computers trying to act like humans…

One of the oldest challenges in computer science is to build a computer (or software) that mimics “thinking” like a human and does it so well you can’t tell the difference. Asked a series of questions, you wouldn’t be able to tell whether the responses came from a real human or a computer.

That’s referred to as a “Turing test”, named after the computer scientist Alan Turing.

A CAPTCHA is a kind of Turing test. It’s a test to prove you’re human.

Why CAPTCHAs work

Distorted Words CAPTCHA

If you look at the two scenarios I outlined, each began with the phrase, “it’s easy to use a computer program”. Basically, CAPTCHAs prevent those computer programs from working.

For example, the traditional distorted letter type of CAPTCHA is indecipherable to contemporary computers and software. If the process of creating a new email account or submitting a comment requires you to prove you’re human by filling out a CAPTCHA, then the programs spammers love to use are stopped cold.

They can’t figure it out.

You and I, however, can (usually) make out what those letters are, and type them in correctly. We must not be computers. We’ve proven we’re human.

The drawback to CAPTCHA

CAPTCHAs have one huge drawback: they assume you can see.

Blind computer users – of which there are many – cannot complete visually-oriented CAPTCHA.

As a result, there are alternatives. Some use images (“click on all the pictures with a tree”), or even simple math expressed as a sentence (“what do you get when you add two and seven?”). The goal is the same; answering these types of tests is surprisingly difficult to automate, so a correct result is reasonably possible only if you’re human.

As another alternative, many text-based CAPTCHAs play an audio that sight-impaired visitors can listen to and then type in.

Of late, an even simpler CAPTCHA has become very popular: the “click here” CAPTCHA.

recaptcha1

As simple as this seems, it’s apparently fairly effective. The “trick” is that you can’t click the checkbox right away. It’s actually replaced by a spinning disk until it’s ready for your input. Current automated spam bots aren’t capable of something as simple as detecting that a delay is required.

I'm No Robot

Why Ask Leo! has no CAPTCHA (today)

So, I take comments, but I currently don’t use CAPTCHA. How’s that possible?

I throw money at the problem so as not to inconvenience you.

WordPress-based sites have a service called Akismet available, which acts as a real-time spam filter. Every time someone posts a comment on an Ask Leo! article, that comment, and information about where it came from, is passed through Akismet for analysis. If Akismet says it’s spam, it doesn’t get posted, and you never see it.

I get a lot of spam, so I pay for Akismet’s premium service. As I write this, there are over 44,000 comments on Ask Leo! articles on this site. One hundred times as many spam comments have been blocked.

Akismet Count

Because spammers aggressively and constantly change their approach, I’m not ruling out requiring CAPTCHA sometime in the future. But for now, things seem to be working well.

The future

CAPTCHA’s future will be interesting. There’s no doubt that image-processing software, and computers themselves, will become more powerful. Eventually, technology will be able to automatically decipher today’s CAPTCHA images and techniques. Look for new approaches – hopefully still easy for humans to use – to prevent spammers from further automating their efforts in the future.

But the bottom line? Don’t blame a web site for using CAPTCHA. It’s a corner they’ve been forced into.

Blame the spammers.

Play

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Footnotes & references

1: And by “thousands”, I also mean hundreds of thousands, if not millions.

17 comments on “Why CAPTCHA?”

  1. I saw an interesting Captcha the other day. Instead of a picture it had an easy to answer question. Something like “Which is not a tree? with six possible answers. The wrong answer was “2×4”. Since it was text it could easily be used by a screen reader. It would be interesting to know how easy it would be to beat.

    Reply
  2. I didn’t know that these things had a specific name. I suppose “captcha” sounds better than “gotcha”. :-)

    I encounted one the other day (I think it was eBay’s “contact the seller” link) which included a “hear the code” link next to the picture. I guess they’re getting enough flak from people who can’t see the pictures to enter the code.

    Reply
  3. I’m not certain about CAPTCHA, but there is a variant called reCAPTCHA that has a side benefit. There are thousands of books and documents that cannot be accurately converted to digital via OCR. In the case where a word or phrase is unrecognized, it is used as part of a reCAPTCHA item. When enough people have been presented with that item, the majority “opinion” is generally the correctly identified word or phrase.

    Reply
      • I saw a reCAPTCHA a few weeks ago, but they are rare. One kind of CAPTCHA that I liked a lot is the “What does 6 times fifteen equal.” kind. Apparently, those must be bot accessible, or they would probably be more common. I could handle a simple word problem like “If a car goes 30 MPH and goes 10 miles, how long did the car drive.” Maybe if they let you choose a word problem instead of illegible letters or find the road signs in a fuzzy picture, it would make is easier for some.

        Reply
  4. It sure would help if the captcha creators would indicate if the response is case sensitive. Same problem with password creation. Rarely are the rules for a password presented before the first attempt. Both are unfriendly.

    Reply
    • I used to design and program financial systems. I found that a major deficit with software designers is that they understand the technical details to get the job done, but many don’t empathize with the average to technically challenged users (actually the average user is technically challenged :-) ). That part is an art, not a science. Now I teach in an engineering school, and the vast majority relate much better to machines than humans. There should be classes on interfacing with humans. I should suggest that where I teach.

      Reply
    • No kidding – and sometimes, they *never* give you their password requirements – you just have to trial-and-error it until you figure it out. I actually had one website accept my password, but then I couldn’t log in. I finally ended up calling their customer service – turns out, my password was too long – it accepted my original input for the password, but wouldn’t accept the whole length when I tried to log in!

      Reply
  5. I hope you won’t ever feel compelled to use the current CAPTCHA that’s going around. The one that after you check I’m Not A Robot then shows you a page full of mostly fuzzy photographs. You’re required to pick the ones that show trees, or storefronts, etc… I’m failing 80% of those, to the point of giving up, and on the ones I successfully pass it’s only after 10 minutes of repeated tries. This CAPTCHA is becoming ubiquitous and the catch-22 is that you can never contact the website to complain about it because you have to sign in first (and pass the CAPTCHA).

    Reply
    • Yeah, CAPTCHAs can be especially problematic for people with visual disabilities – but they can be problematic for people without visual disabilities too. I find the CAPTCHAs that use strings of random, squiggly numbers and letters to be particularly difficult, and I have perfect eyesight.

      Reply
  6. The pictcha captcha (sorry) is certainly more accessible than the squiggly letters, especially, as someone aid, when they don’t tell you in advance whether they are case-sensitive. There are cultural issues, though. Is a laundromat a shop? Is a château a house? It doesn’t bother me, but I can see that people from other cultures might have problems. Perhaps it’s all designed to make us aware of the world beyond our borders, in which case, I’m all for it. Thank you for your informative and entertaining blog, Leo.

    Peter

    Reply
  7. It seems like CAPTCHAS have become more tamed lately. They still use the – identify which fuzzy drawing contains a certain object. It still usually takes me 2 or 3 attempts, but once successful it appears they set a cookie which they check when you click the “I am not a robot” box instead of making you pass the CAPTCHA test each time.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.