Security

CAPTCHA and the Non-Standard User

In the last year or so, a number of sites that offer a service or interact with readers via comments have started using images as a way to authenticate users as living people rather than a piece of software. These CAPTCHA images reduce fraudulent accounts used for spam, spreading malware and engaging in various other nasty practices. A CAPTCHA is an image of a few characters (letters and numbers) without actual meaning that are deliberately distorted so that a human is usually capable of deciphering them, but a piece of software is not. CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. There’s a picture of one over there to the left, in case you’ve somehow missed them.

I think I first noticed captchas on Yahoo, but captchas have begun appearing all over the place, in Google services account creation pages, on Blogger for comment posting, and in various blogging systems via plug-ins. The user sees the captcha, decodes it, and then types the nonsensical but short text string in a box to authenticate as a Real Live User. I’m sure using CAPTCHA to authenticate users reduces fraudulent accounts and spam comments.

But I can’t read them, most of the time. I suppose you could say I failed the Turing test. I’m dyslexic. My dyslexia rarely affects my reading, because while a b p and d might as well be the same letter, there’s context so I can figure out what the word is—and it’s not like I’m going to see b, p, and d in the same word often. I’m actually a good reader. Usually. But captchas rarely use real words, they tend to mix letters and numbers, and they’re distorted spatially (which I do quite well on my own, thanks). In some implementations, captchas include extraneous data like “scratches” as well. More often than not, I can’t decode the image and so can’t type the letters in the field, and consequently can’t authenticate myself as human.

That means, for instance, I may not comment on your blog. No big loss that. But what if you’re using CAPTCHA on an educational site, perhaps part of an LMS or class web site? What if the workplace uses CAPTCHA for authentication for some services? Oops.

MIT, who created CAPTCHA, created a system of audio captchas; that is, a digital recording (usually a string of numbers) with a lot of background noise (say, burbling water, or “wallah”) and perhaps two voices providing the numeric string, with extraneous words inserted. I have a hard time with those too, but at least Google thought to offer them; I can play the audio as many times as I want while I make a transcription. So far, Google is the only site I’ve seen using CAPTCHA that offers an alternative for those who can’t decode the image. There’s a useful Note on the Inaccessibility of CAPTCHA from the W3C.

If you’re using CAPTCHA

  • Please provide a clear alternative for people who have difficulty.
  • Consider providing an e-mail address, where a user can introduce themselves and you can post their comment or create the account for them when they really can’t deal with the captcha.