If you follow me on Twitter, you know I HATE CAPTCHAs. I’ve sworn never to use them for years now. I guess it falls in line with my politics – I refuse to treat all commenters like spammers. I use Akismet here, and even it eats legitimate comments once in a while. But at least it’s invisible to users – no need to make everyone pass a Turing Test to do anything.
Vidoop’s new CAPTCHA system, pictured above, is atrocious. They advertise it as “computer proof but not human proof.” It stands as a perfect example of what I hate: increasingly difficult hoops for customers to jump through to use a product or service. I get a headache just thinking about the possibility that one day I might have to take tests like this one every single time I sign up to try a new web service, participate in an online discussion, or even leave feedback or ask for support from a service I pay for.
Even if it turns out to be easier than deciphering and correctly typing blurry numbers and letters, I worry that it may in fact be, on occasion, human proof.
Let’s look at their demo. Which one is “castles”? It must be S, even though that doesn’t look like a castle to me. In this case, there’s nothing else that seems to qualify, so it should work out. But assuming they’re putting one of their best examples forward as a demo, what do their less-than-best ones look like? Is there really no chance that sometimes it might be a little confusing which picture they want? Especially for people who aren’t native English speakers.
Designers & developers: your job is to decrease the number of annoyances in people’s lives, not increase them. Your job is not to keep spammers out, it’s to keep customers in.
March 31, 2009 at 7:10 pm
In the future, you are right, hopefully you won’t have to use this type of thing. You will authenticate in a way that proves you are a human, and have control over said account. For example, no one can access my Bank of America account without having my cell phone.
However, since not all sites support this type of strong authentication, how do you suggest they deal with SPAMMERS and automated attacks (like automatically purchasing all the tickets for a concert, only to create and control a secondary market)?
Interested in your thoughts…
March 31, 2009 at 7:52 pm
Yikes. That is painful. Not only is the “castle” terribly nondescript (does this source from a random pick from an image search?), there is NO picture of ‘castles,’ ‘dogs,’ or ‘birds.’ I see a castle, a dog, and a bird, but plural? Nope, not one.
Argharghargh.
Here’s a thought: why not do what email spam filters do, i.e., mark spam based on content, rather than requiring everyone who wants to send you an email to pass a CAPTCHA/Turing-style test.
Sure, just like email spam filters, some will get through. Personally, I’d rather have to go through the blog and weed out the occasional spam comment than have every single commenting visitor tormented with ridiculous Captcha variants like this.
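The content-based filtering proposed in the comment above, as an added example (not part of the original post or any commenter’s words): a small Bayesian comment classifier of the kind email spam filters use, trained on a constructed handful of spam and legitimate comments. The training set, the class names, the threshold and every function name here are assumptions chosen for the illustration.

```python
import math
import re
from collections import Counter

# Constructed training set (not from the original post or its comments).
TRAINING = [
    ("cheap viagra buy now click here", "spam"),
    ("buy cheap pills online click here", "spam"),
    ("free casino bonus click now", "spam"),
    ("great post thanks for writing this", "ham"),
    ("i disagree with your point about captchas", "ham"),
    ("thanks this helped me fix my comment form", "ham"),
]

TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case word tokens; good enough for a comment form."""
    return TOKEN.findall(text.lower())


class NaiveBayesFilter:
    """Multinomial naive Bayes with Laplace smoothing over comment text."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = Counter()
        self.vocab = set()

    def train(self, samples):
        for text, label in samples:
            self.doc_counts[label] += 1
            for word in tokenize(text):
                self.word_counts[label][word] += 1
                self.vocab.add(word)

    def _log_joint(self, label, tokens):
        # log P(label) + sum of log P(word | label), smoothed so a word
        # never seen in one class does not zero that class out
        prior = self.doc_counts[label] / sum(self.doc_counts.values())
        counts = self.word_counts[label]
        denom = sum(counts.values()) + self.alpha * len(self.vocab)
        score = math.log(prior)
        for word in tokens:
            score += math.log((counts[word] + self.alpha) / denom)
        return score

    def spam_probability(self, text):
        """P(spam | text), computed in log space to avoid underflow."""
        tokens = tokenize(text)
        log_spam = self._log_joint("spam", tokens)
        log_ham = self._log_joint("ham", tokens)
        biggest = max(log_spam, log_ham)
        spam = math.exp(log_spam - biggest)
        ham = math.exp(log_ham - biggest)
        return spam / (spam + ham)

    def classify(self, text, threshold=0.9):
        # High threshold on purpose: a false "spam" verdict costs a real
        # commenter, a false "ham" verdict costs one deletion later.
        return "spam" if self.spam_probability(text) >= threshold else "ham"


def build_filter():
    clf = NaiveBayesFilter()
    clf.train(TRAINING)
    return clf


if __name__ == "__main__":
    clf = build_filter()
    for comment in ("buy cheap pills click here now",
                    "thanks for the post i agree with your point"):
        print(f"{clf.spam_probability(comment):.3f}  {clf.classify(comment)}  {comment}")
```

The 0.9 threshold is the design choice that matches the commenter’s preference: the filter only acts when it is quite sure, and the occasional spam that slips through is weeded out by hand rather than every visitor being challenged.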
March 31, 2009 at 8:07 pm
Note: Luke is from Vidoop.
Luke, thanks for reading and replying to this post.
“How do you suggest they deal with SPAMMERS and automated attacks”
It all depends on the site and the specific needs of that site or system.
I think the way many designers and engineers are approaching the problem – “make the users prove they’re human” – is flawed and leads to these one-size-fits-all solutions like CAPTCHAs or the strong authentication systems you suggest (which might be good things but have their own implications).
I mentioned that here to deal with spammers I use Akismet – though I might scrap it in lieu of another solution: moderation of comments on posts older than X days (since Akismet occasionally eats legit posts and most spam is on older posts).
For sites that use CAPTCHAs just to sign up – I would recommend that they just don’t. Ban users or IP addresses for bad behavior, don’t worry about making people jump through hoops to use a service.
The ticket purchase system is an interesting edge case. Apart from a system that detects suspicious use – lots of registrations and purchases from the same IP address or credit card number (which I’m guessing they’ve already thought of – if not, wtf?) I’m not sure what to do. I’d have to know more about what they’ve already tried and the specifics of their technology.
April 1, 2009 at 12:11 am
Wanted to “disclaimer” the fact that I use the myVidoop OpenID service.
That being said, the image shield is an excellent and secure way to keep screenshots/keyloggers/etc from getting my passwords. It *works*, and works extremely well, for the myVidoop service.
I’m not so convinced about the Captcha move though. More and more my site is being plagued by spammers who are not bots, but humans paid $.10-.15/post to hit websites…sometimes even less. There is no way that this would stop a human, and most of the simple anti-spam services are able to filter out bots with quick captchas – like simple math or technology checks for Javascript and the like. With spam databases like Akismet, you have an even larger net to filter out the autospambots.
Having to use the imageshield to post comments as well would be slightly irritating. Simplicity and speed are key to keep users commenting and signing up.
April 1, 2009 at 3:58 pm
However, since not all sites support this type of strong authentication, how do you suggest they deal with SPAMMERS and automated attacks (like automatically purchasing all the tickets for a concert, only to create and control a secondary market)?
I used to do hacky stuff for ticket scalpers. We had several techniques, OCR was only like 20% effective, but since you can run it 24/7 it’s worth it.
The most general and best method is to trade off human and computer interaction, so you have a bot running a session on the site you want, he gets to the point where the CAPTCHA comes up, and throws the image to a big queue which parcels out the CAPTCHAS in a batch of like 50, which only takes 30 secs for a human to run down the list and type all the words (or whatever). (I don’t think that description gives away too much)
This particular CAPTCHA scheme is additionally vulnerable to caching the keywords for the individual images.
CAPTCHAs are a broken strategy for any site that will be ACTIVELY targeted, although they’re pretty good for keeping out the mindless spam drones.
lots of registrations and purchases from the same IP address or credit card number (which I’m guessing they’ve already thought of – if not, wtf?)
haha, I’ll tell you: they do limit by IP… but they don’t give a damn about credit card #s! …which tells me ticket vendors only front like they fight scalpers for the sake of appearances.
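The weakness the comment above points at (a fixed pool of labelled images lets the attacker cache each image’s answer after a human has solved it once), as an added simulation that is not part of the original post or any commenter’s words. The “CAPTCHA” here is a constructed stand-in that draws challenges from a finite pool; the fingerprinting, the cache and all names are assumptions for the illustration, not Vidoop’s code or any real solving service.

```python
import hashlib
import random


def image_key(image_bytes):
    """Exact-byte fingerprint of a challenge image.

    Sufficient when the server serves the identical file each time; a scheme
    that re-encodes or adds noise per render would need a perceptual hash here.
    """
    return hashlib.sha256(image_bytes).hexdigest()


class AnswerCache:
    """Maps image fingerprints to answers a human already supplied."""

    def __init__(self):
        self.answers = {}
        self.hits = 0       # answered from cache, no human needed
        self.misses = 0     # sent to the human queue (one paid solve each)

    def lookup(self, image_bytes):
        answer = self.answers.get(image_key(image_bytes))
        if answer is None:
            self.misses += 1
        else:
            self.hits += 1
        return answer

    def store(self, image_bytes, answer):
        self.answers[image_key(image_bytes)] = answer


class FixedPoolCaptcha:
    """Constructed stand-in for a scheme that draws every challenge from a
    fixed pool of labelled images."""

    def __init__(self, pool_size, seed=0):
        self.rng = random.Random(seed)
        # constructed "images": distinct byte strings, each with a fixed label
        self.pool = [(f"image-{i}.jpg".encode(), f"label-{i}")
                     for i in range(pool_size)]

    def challenge(self):
        return self.rng.choice(self.pool)


def simulate(pool_size, rounds, seed=0):
    """Run a bot against the pool: an unseen image goes to the human queue
    (the oracle label stands in for the human's answer) and is cached; a seen
    image is answered from cache. Returns the hit/miss statistics."""
    captcha = FixedPoolCaptcha(pool_size, seed)
    cache = AnswerCache()
    for _ in range(rounds):
        image, truth = captcha.challenge()
        if cache.lookup(image) is None:
            cache.store(image, truth)
    return {
        "rounds": rounds,
        "hits": cache.hits,
        "misses": cache.misses,
        "hit_rate": cache.hits / rounds,
    }


if __name__ == "__main__":
    for rounds in (100, 1000, 10000):
        r = simulate(pool_size=200, rounds=rounds, seed=1)
        print(f"rounds={rounds:6d} human_solves={r['misses']:4d} "
              f"hit_rate={r['hit_rate']:.3f}")
```

Whatever the pool size, the number of paid human solves is bounded by the number of distinct images, so the hit rate climbs toward 1 as the bot keeps going; the per-solve cost of the human queue described in the comment is paid once per image, not once per challenge.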
April 1, 2009 at 5:43 pm
captcha is often another way the disabled are kept offline. “Which of these squares shows a castle?” doesn’t mean much to a blind person.
April 1, 2009 at 5:58 pm
Dr Philippe & prunes – I was thinking after I wrote my last comment that it wouldn’t be that hard to just hire someone in Flint, MI a dollar an hour to pass CAPTCHAs for ticket scalping or anything else where there’s serious money riding on the outcome.
Trevor – good point, thanks. Many CAPTCHAs now have an audio file you can play as an alternative to typing the letters. That reminds me that I need to do an accessibility audit on my own sites since I’ve been ridiculously lax about it for the past couple years.
April 1, 2009 at 6:01 pm
Also, it surprises me that online ticket systems aren’t checking for duplicate credit card numbers – that would be a much better fix than CAPTCHAs. It’s also bypassable – you can buy disposable debit cards at grocery stores now.
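The suspicious-use detection discussed earlier in the thread (many registrations or purchases from the same IP address or credit card number) and the duplicate-card check in the comment above, as one added example that is not part of the original post or any commenter’s words. It keeps a sliding-window counter per IP and per card, stores only a keyed hash of the card number, and replays a constructed purchase log; a second constructed log shows the bypass the comment mentions (a fresh disposable card per purchase, combined here with the assumption that the buyer also rotates IP addresses). The limits, window, secret key, log entries and all names are assumptions, not any ticket vendor’s logic.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed secret for keying card-number hashes; a real deployment keeps
# it in a secret store, never in source.
CARD_HASH_KEY = b"constructed-example-key-do-not-reuse"


def card_key(pan):
    """HMAC over the digits only, so the counter never stores a raw card
    number and a plain hash of a 16-digit PAN cannot simply be enumerated."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(CARD_HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()


class VelocityCheck:
    """Sliding-window counters per IP and per card; a purchase is flagged on
    every dimension whose count inside the window exceeds its limit."""

    def __init__(self, window_seconds, limits):
        self.window = window_seconds
        self.limits = limits                        # e.g. {"ip": 3, "card": 2}
        self.events = {dim: defaultdict(deque) for dim in limits}

    def record(self, ts, ip, pan):
        """Record one purchase attempt; return the dimensions over limit
        (an empty list means allow)."""
        keys = {"ip": ip, "card": card_key(pan)}
        flagged = []
        for dim, key in keys.items():
            window = self.events[dim][key]
            while window and ts - window[0] > self.window:
                window.popleft()                    # drop attempts outside the window
            window.append(ts)
            if len(window) > self.limits[dim]:
                flagged.append(dim)
        return flagged


# Constructed purchase log: (seconds since start, client IP, card number)
PURCHASES = [
    (0,   "203.0.113.5",  "4111 1111 1111 1111"),
    (10,  "203.0.113.5",  "4111 1111 1111 1111"),
    (20,  "203.0.113.5",  "4111 1111 1111 1111"),  # third use of the card
    (30,  "203.0.113.5",  "4222 2222 2222 2222"),  # fourth attempt from the IP
    (700, "203.0.113.5",  "4111 1111 1111 1111"),  # window has rolled over
    (710, "198.51.100.7", "4333 3333 3333 3333"),
]

# The bypass: one disposable card per purchase and (assumed) one proxy
# address per purchase, so neither counter ever exceeds its limit.
DISPOSABLE = [
    (0,  "198.51.100.10", "4444 4444 4444 4448"),
    (5,  "198.51.100.11", "4555 5555 5555 5559"),
    (10, "198.51.100.12", "4666 6666 6666 6660"),
    (15, "198.51.100.13", "4777 7777 7777 7771"),
]


def replay(log, window_seconds=600, limits=None):
    """Replay a purchase log; return the flagged dimensions for each entry."""
    vc = VelocityCheck(window_seconds, limits or {"ip": 3, "card": 2})
    return [vc.record(ts, ip, pan) for ts, ip, pan in log]


if __name__ == "__main__":
    for (ts, ip, pan), flags in zip(PURCHASES, replay(PURCHASES)):
        verdict = "FLAG " + ",".join(flags) if flags else "ok"
        print(f"t={ts:4d} {ip:14s} ...{pan[-4:]} {verdict}")
    print("disposable-card purchases flagged:",
          sum(1 for f in replay(DISPOSABLE) if f))
```

Counting on both dimensions is what makes the check worth more than the IP limit alone: the card counter catches the reused card behind rotating proxies, and the IP counter catches rotating cards from one address. Only an attacker who rotates both, as in the second log, gets through unflagged, which is the bypass the comment describes.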