Captchas - what do you currently do?

18 Jul 2009 - 6:05am
Caroline Jarrett
2007

Hi all

I've been brooding on captchas recently. They have clear difficulties for
usability, and a recent article:
http://www.seomoz.org/blog/captchas-affect-on-conversion-rates

showed quite a dramatic effect on conversion rates.

The article recommends a 'honeypot captcha'
http://haacked.com/archive/2007/09/11/honeypot-captcha.aspx
(an ordinary input field that is hidden by using CSS, so that if it's filled
in then it's likely a spammer)

So far, my clients have resisted captchas. What are you doing? What are your
views?

Best
Caroline Jarrett

Effortmark Ltd
Usability - Forms - Content

"Forms that work: Designing web forms for usability" www.formsthatwork.com

Comments

18 Jul 2009 - 11:19am
Joshua Muskovitz
2008

Captchas can be trivially defeated. Even a honeypot captcha can be
trivially defeated once a human takes a quick look at the form.

See
http://blog.trendmicro.com/captcha-wish-your-girlfriend-was-hot-like-me/
for a particularly innovative captcha defeating solution.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=43847

18 Jul 2009 - 4:58pm
DampeS8N
2008

Rather than trying to discover if a user is human, focus on the
opposite. Look for inhuman actions. The honeypot option is a good
initial barrier. But monitor that user's actions from that point on.
Are they doing something at super-human speed? Are they repeating
themselves a lot? Repeating oneself doesn't just mean the same
text exactly, it might mean almost the same text.

Perhaps it is valid for a user to sometimes include a volume of
gibberish, but scan all posts for consistent gibberish.

These are just a few things you can do to avoid bothering the humans.

There are undoubtedly many more and better ways to discover someone
as a computer.

Above all, take the penalty-box angle on all suspicions of being
inhuman. First, 1 min. Then 5. Then 30. Then an hour. Then a day. No
need to go longer than a day, really.

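The checks suggested in the post above (honeypot field, super-human speed, near-repeated text, and an escalating penalty box of 1 min, 5 min, 30 min, an hour, then a day), sketched server-side as an added example that is not part of any poster's message or site. The field names `website` and `message`, the client key, and both thresholds are assumptions chosen for illustration.

```python
import time
from difflib import SequenceMatcher

# Penalty-box durations in seconds: 1 min, 5 min, 30 min, 1 hour, 1 day (capped).
PENALTIES = [60, 300, 1800, 3600, 86400]
MIN_FILL_SECONDS = 3.0   # assumed threshold for "super-human speed"
SIMILARITY_LIMIT = 0.9   # assumed threshold for "almost the same text"
HISTORY = 5              # recent accepted messages remembered per client


class SubmissionGuard:
    def __init__(self):
        self.strikes = {}        # client -> count of suspicious submissions
        self.blocked_until = {}  # client -> time at which the penalty ends
        self.recent = {}         # client -> last few accepted message bodies

    def _suspicion(self, client, form, rendered_at, now):
        # "website" is the CSS-hidden honeypot field (hypothetical name);
        # a human never sees it, so any value in it is suspicious.
        if form.get("website", "").strip():
            return "honeypot filled"
        if now - rendered_at < MIN_FILL_SECONDS:
            return "submitted too fast"
        msg = form.get("message", "")
        for old in self.recent.get(client, []):
            ratio = SequenceMatcher(None, old, msg, autojunk=False).ratio()
            if ratio >= SIMILARITY_LIMIT:
                return "near-duplicate of earlier message"
        return None

    def check(self, client, form, rendered_at, now=None):
        """Return (accepted, reason); rendered_at is when the form was served."""
        now = time.time() if now is None else now
        if now < self.blocked_until.get(client, 0):
            return False, "in penalty box"
        reason = self._suspicion(client, form, rendered_at, now)
        if reason:
            n = self.strikes.get(client, 0)
            # Each new strike moves one step up the ladder, capped at a day.
            self.blocked_until[client] = now + PENALTIES[min(n, len(PENALTIES) - 1)]
            self.strikes[client] = n + 1
            return False, reason
        history = self.recent.get(client, []) + [form.get("message", "")]
        self.recent[client] = history[-HISTORY:]
        return True, "ok"
```

Keep `rendered_at` in server-side session state or a signed token rather than a plain hidden field, so the submitting client cannot choose its own value.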

19 Jul 2009 - 9:14am
Jeff Seager
2007

I think this is an important question, Caroline.

We're using the "honeypot" method on a redesigned site whose
primary audience is people with disabilities (including cognitive).
We're using ColdFusion for the validation, rather than PHP, for what
it's worth. This site previously used only the Hiveware Enkoder to
encode e-mail addresses. We'd never had much trouble with spam that
way, though we did get some (possibly because some of these addresses
had been posted early on without encoding).

It was important to us not to place roadblocks in the way of users,
to totally separate content and presentation, to use progressive
enhancement, and to do as much of the work as possible on the server
side. We want the user experience to be as simple, as seamless and as
instantaneous as possible.

This is not a high-traffic site, so I can't speak to how well this
would work elsewhere ... but two weeks into this, the "honeypot" is
working well and I don't know of a better solution. Another advantage
for us is that it is remarkably simple, and dismantling it to
implement something else will be a piece of cake.

I think some who implement Captcha are suffering from delusions of
grandeur or unwarranted paranoia. If your audience does (or may)
include users who are blind, even with the audio Captcha option, the
frustration will drive people away. We should always ask ourselves
whether we can really afford to lose that visitor.


21 Jul 2009 - 8:37am
William Hudson
2009

Hi, Caroline.

I've had problems on our own site with getting a great deal of spam
through our enquiry form, even though I took many precautions before
finally settling on a captcha. Since I implemented the captcha, almost
all spam has stopped (certainly robot-generated spam has).

Given the amount of effort that some hackers appear to be willing to put
in to 'cracking' an enquiry form (I don't begin to understand their
motivation since the messages are seen by one or two people at the
most), I doubt that a 'honeypot' approach will work for long.

I like (and use) reCAPTCHA - http://recaptcha.net/

It isn't too challenging to use or to implement. It includes an aural
interface for users who cannot see the screen.

Regards,

William Hudson
Syntagm Ltd
Design for Usability
UK 01235-522859
World +44-1235-522859
US Toll Free 1-866-SYNTAGM
mailto:william.hudson at syntagm.co.uk
http://www.syntagm.co.uk
skype:williamhudsonskype

Syntagm is a limited company registered in England and Wales (1985).
Registered number: 1895345. Registered office: 10 Oxford Road, Abingdon
OX14 2DS.

Confused about dates in interaction design? See our new study (free):
http://www.syntagm.co.uk/design/datesstudy.htm

12 UK mobile phone e-commerce sites compared! Buy the report:
http://www.syntagm.co.uk/design/uxbench.shtml

Courses in card sorting and Ajax interaction design. London, Las Vegas
and Berlin:
http://www.syntagm.co.uk/design/csadvances.shtml
http://www.syntagm.co.uk/design/ajaxdesign.shtml

> -----Original Message-----
> From: new-bounces at ixda.org [mailto:new-bounces at ixda.org] On Behalf Of
> Caroline Jarrett
> Sent: 18 July 2009 05:06
> To: discuss at ixda.org
> Subject: [IxDA Discuss] Captchas - what do you currently do?
>
> Hi all
>
> I've been brooding on captchas recently...
