Just to make sure you are human please type the following phrase:
Unless you are blind. Then, if you are lucky, you can click here to hear a spoken version of the captcha. However, most sites don’t implement a version that offers a spoken alternative. Facebook, MySpace, and other social networking powerhouses currently cater only to the vision-capable crowd.
While the use of captcha was originally quite effective in preventing scripts from gaining access to a particular function of an application, it is only a matter of time before any given captcha loses its effectiveness to a hack. Both Yahoo’s and Google’s captchas have been hacked (click their captcha above to link to the articles describing how they were hacked).
Captchas are painful for all users, not just the visually impaired. I recently set up a phpBB bulletin board and watched someone try to sign up, only to find that they had to enter the captcha over 10 times, all of which I verified to be correct, before it finally worked. This is just one of many examples – I have been at countless sites where I had to enter the characters multiple times just to get an acceptance. There are some versions of captcha that provide an additional use, such as the reCAPTCHA project, which uses user input to help digitize scanned copies of old books, but the pain for the user still exists.
A newer concept that has started to show up more and more is the challenge question. Sometimes this challenge comes in the form of something simple, such as “Add the two numbers to the right (3, 18)”, and the site then validates that you entered the correct sum. Others, such as the one below, are quite easy to read and simply ask you to enter the letters from either the top or the bottom row, presumably chosen at random. Yet others I have seen show you a picture of a common object, then ask you to type what the object is.
Traditional captchas, simple language challenges (add 3 and 18), and other methods are increasingly obsolete as the repository of anti-captcha code grows. Breaking the security for any given application is simply a matter of having a large library of anti-captcha code and a rule set that defines when to try to apply each one.
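To make the validation step of a challenge question concrete, here is an added example (not code from the original post) of how a server can check an answer to “Add the two numbers to the right (3, 18)” without trusting anything the client sends back except the answer: the operands, an expiry and a one-time nonce travel in an HMAC-signed token, so a script cannot forge a token, reuse a solved one, or edit the operands. The key, function names and the in-memory nonce set are assumptions for the demo; it does nothing about the post’s larger point that the arithmetic itself is trivial for a script to solve.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: in a real deployment the key comes from configuration and the
# used-nonce set lives in a shared store (database or cache), not a process global.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TTL_SECONDS = 120
_used_nonces = set()


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload so the client cannot alter it."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(a: int, b: int, now=None):
    """Return the prompt shown to the user and the signed token the form must echo back."""
    now = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)  # makes each challenge single-use
    payload = f"{a}|{b}|{now + TTL_SECONDS}|{nonce}"
    token = f"{payload}|{_sign(payload)}"
    prompt = f"Add the two numbers to the right ({a}, {b})"
    return prompt, token


def verify_answer(token: str, answer, now=None) -> bool:
    """Accept the answer only for an untampered, unexpired, never-before-used token."""
    now = int(now if now is not None else time.time())
    try:
        a, b, expires, nonce, sig = token.split("|")
        a, b, expires = int(a), int(b), int(expires)
    except ValueError:
        return False  # malformed token
    payload = f"{a}|{b}|{expires}|{nonce}"
    if not hmac.compare_digest(sig, _sign(payload)):
        return False  # forged or edited token (e.g. operands changed)
    if now > expires:
        return False  # challenge expired
    if nonce in _used_nonces:
        return False  # replay of a challenge that was already attempted
    # Burn the nonce before checking the answer: one attempt per issued challenge,
    # so a script cannot cycle guesses against the same token.
    _used_nonces.add(nonce)
    try:
        return int(str(answer).strip()) == a + b
    except ValueError:
        return False  # non-numeric answer
```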
So the question is, how do you prevent scripted access to applications without alienating users? If you came here for the answer, you are going to be disappointed. I have some general ideas on how to help solve the problem but no ideas that I’d classify as a silver bullet. None are fleshed out enough to share here yet, though. When they are, you’ll hear them first. In the meantime, think about this problem and how to fix it. There are millions of brilliant minds out there and an answer is to be had. It’s just a matter of one of those minds having a eureka moment.