I've been brooding on captchas recently. They have clear difficulties for
usability, and a recent article:
showed quite a dramatic effect on conversion rates.
The article recommends a 'honeypot captcha'
(an ordinary input field that is hidden by using CSS, so that if it's filled
in then it's likely a spammer).
So far, my clients have resisted captchas. What are you doing? What are your
Usability - Forms - Content
"Forms that work: Designing web forms for usability" www.formsthatwork.com
Captchas can be trivially defeated. Even a honeypot captcha can be
trivially defeated once a human takes a quick look at the form.
for a particularly innovative captcha defeating solution.
Rather than trying to discover if a user is human, focus on the
opposite. Look for inhuman actions. The honeypot option is a good
initial barrier. But monitor that user's actions from that point on.
Are they doing something at super-human speed? Are they repeating
themselves a lot? Repeating oneself doesn't just mean the same
text exactly, it might mean almost the same text.
Perhaps it is valid for a user to sometimes include a volume of
gibberish, but scan all posts for consistent gibberish.
These are just a few things you can do to avoid bothering the humans.
There are undoubtedly many more and better ways to discover someone
as a computer.
Above all, take the penalty-box angle on all suspicions of being
inhuman. First, 1 min. Then 5. Then 30. Then an hour. Then a day. No
need to go longer than a day, really.
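The checks suggested in the post above (honeypot field, super-human speed, near-identical repeats, and the 1 min / 5 / 30 / hour / day penalty box), sketched as server-side Python. This is an added example, not part of the original thread; the field name `website`, the 3-second and 0.9 thresholds, and keying by a client identifier are assumptions.

```python
import time
from difflib import SequenceMatcher

# Penalty-box steps from the post above: 1 min, 5 min, 30 min, 1 hour, 1 day (cap).
PENALTIES = [60, 300, 1800, 3600, 86400]
MIN_FILL_SECONDS = 3        # assumed threshold for "super-human speed"
SIMILARITY_LIMIT = 0.9      # assumed threshold for "almost the same text"
HONEYPOT_FIELD = "website"  # hypothetical name of the CSS-hidden input


class SubmissionGuard:
    """Server-side checks for inhuman behaviour, keyed by client (session or IP)."""

    def __init__(self):
        self.strikes = {}        # client -> number of suspicious submissions so far
        self.blocked_until = {}  # client -> timestamp at which the penalty ends
        self.recent = {}         # client -> last few accepted messages

    def suspicion(self, client, form, rendered_at, now):
        # rendered_at must come from server-side state, not from the form itself.
        if form.get(HONEYPOT_FIELD, "").strip():
            return "honeypot field filled in"
        if now - rendered_at < MIN_FILL_SECONDS:
            return "submitted at super-human speed"
        text = form.get("message", "")
        for old in self.recent.get(client, []):
            if SequenceMatcher(None, old, text).ratio() >= SIMILARITY_LIMIT:
                return "near-duplicate of an earlier message"
        return None

    def check(self, client, form, rendered_at, now=None):
        """Return (accepted, detail) for one form submission."""
        now = time.time() if now is None else now
        if now < self.blocked_until.get(client, 0):
            return False, "in penalty box"
        reason = self.suspicion(client, form, rendered_at, now)
        if reason is None:
            kept = self.recent.get(client, []) + [form.get("message", "")]
            self.recent[client] = kept[-5:]
            return True, "ok"
        n = self.strikes.get(client, 0)
        self.strikes[client] = n + 1
        penalty = PENALTIES[min(n, len(PENALTIES) - 1)]  # never longer than a day
        self.blocked_until[client] = now + penalty
        return False, f"{reason}; blocked for {penalty}s"
```

A human who trips a check by accident only waits a minute, while a repeat offender climbs the ladder without ever being shown a puzzle.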
I think this is an important question, Caroline.
We're using the "honeypot" method on a redesigned site whose
primary audience is people with disabilities (including cognitive).
We're using ColdFusion for the validation, rather than PHP, for what
it's worth. This site previously used only the Hiveware Enkoder to
encode e-mail addresses. We'd never had much trouble with spam that
way, though we did get some (possibly because some of these addresses
had been posted early on without encoding).
It was important to us not to place roadblocks in the way of users,
to totally separate content and presentation, to use progressive
enhancement, and to do as much of the work as possible on the server
side. We want the user experience to be as simple, as seamless and as
instantaneous as possible.
This is not a high-traffic site, so I can't speak to how well this
would work elsewhere ... but two weeks into this, the "honeypot" is
working well and I don't know of a better solution. Another advantage
for us is that it is remarkably simple, and dismantling it to
implement something else will be a piece of cake.
I think some who implement Captcha are suffering from delusions of
grandeur or unwarranted paranoia. If your audience does (or may)
include users who are blind, even with the audio Captcha option, the
frustration will drive people away. We should always ask ourselves
whether we can really afford to lose that visitor.
I've had problems on our own site with getting a great deal of spam
through our enquiry form, even though I took many precautions before
finally settling on a captcha. Since I implemented the captcha, almost
all spam has stopped (certainly robot-generated spam has).
Given the amount of effort that some hackers appear to be willing to put
in to 'cracking' an enquiry form (I don't begin to understand their
motivation since the messages are seen by one or two people at the
most), I doubt that a 'honeypot' approach will work for long.
I like (and use) reCAPTCHA - http://recaptcha.net/
It isn't too challenging to use or to implement. It includes an aural
interface for users who cannot see the screen.
Design for Usability
US Toll Free 1-866-SYNTAGM
mailto:william.hudson at syntagm.co.uk
> -----Original Message-----
> From: new-bounces at ixda.org [mailto:new-bounces at ixda.org] On Behalf Of
> Caroline Jarrett
> Sent: 18 July 2009 05:06
> To: discuss at ixda.org
> Subject: [IxDA Discuss] Captchas - what do you currently do?
> Hi all
> I've been brooding on captchas recently...