The Rise of CAPTCHA
The acronym CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart” (the Turing test being named after Alan Turing, the British computing pioneer), and the web is now littered with them. Forms online are often accompanied by an image containing text which the user is asked to enter into a text input field. In doing so the user is proving to the website or application that they are in fact a human. There are a few variations on this basic premise: some CAPTCHA methods use simple maths questions or pictures of identifiable objects in place of just text, but the basic idea is the same. If you fill in the CAPTCHA then you are (probably) not an automated piece of software (known as a bot).
Forms on websites are the prime way of capturing information from users on the web, and as such they have become a target for bots for a number of reasons. Bots are able to crawl webpages and submit form data much faster than a human user ever could, which allows many submission attempts to be made on many forms very quickly. This makes them perfect for spamming (from simple advertising to malicious link spreading) and for attempting to find security vulnerabilities using methods such as SQL injection and cross-site scripting, amongst others. With the creation and spread of off-the-shelf CAPTCHA solutions (such as reCAPTCHA), and the ease of developing similar solutions using image manipulation software in most common server-side languages, CAPTCHA has become ubiquitous on the web as a way of protecting forms, as the vast majority of evil bots in the wild cannot read the text in these images.
Fit for purpose?
So now we have come to the current state of play, with forms far and wide almost invariably having a CAPTCHA solution. However, there is a problem which unfortunately seems to be often overlooked: the effect of these CAPTCHA solutions on the usability of forms and websites. Forms are essential components of most websites, be it for user registration, email signups or purchases, and they need to be highly usable. Reduced usability on any given website will increase drop-out (the number of visitors leaving the site) and therefore directly reduce conversion rates for your website goals. This is where CAPTCHA fails. Whether due to poor implementation (how many times have you seen an unreadable CAPTCHA?), character clashing (is that a `1` or an `I`, or maybe a `l`), user error or poor eyesight, mistakes with CAPTCHA entry are common. On top of that, in using CAPTCHA you are asking your users to enter one more form value, which in itself could have an effect on drop-out. Generally speaking, the more input fields a form has, the less likely it is that a visitor will complete it.
What are the alternatives?
Thankfully there are many alternatives to the standard ilk of text CAPTCHA to help protect your forms from bots. Below are just a few ideas, many of which are becoming quite widespread. Many of these options can be combined to provide more robust solutions.
Timed Load: This method simply keeps track of the load time of the form, then compares this to the submit time. If the form was loaded and submitted in less than, say, 1 second, then you can be pretty sure the form was submitted by a bot, and the data should be discarded.
Hidden Fields: Sometimes known as ‘Honeypot Traps’, these are empty hidden fields which can be added to a form and checked for filled values on processing. This can be done using the hidden input type in HTML, or by using CSS to hide the input from the user (but not from bots).
Tokens: Generate a one-time token for a user on form load, and compare this when processing the form. This blocks externally made requests to the form (a common method for bots and malware).
Submission Confirmation Page: This method involves adding an extra page between the form and a submission, where users are asked to confirm the details they have entered. This method works because most bots are designed for single page entry and submission of form data. Implementing an extra page in this manner for every form does force extra interaction from the user, but has the added benefit of giving them an opportunity to verify the information entered, which can lead to more effective data capture.
Image CAPTCHA: Use easily recognisable images and have directions such as ‘Click on the Monkey’. To an extent this solution is moving the problem (as we are still asking the user to commit an action to prove they are not a bot) but it can reduce the effect on usability if done well.
Math CAPTCHA: Ask the user to answer randomly generated (but simple) maths questions. In most cases this will be simpler than standard CAPTCHA, however this still requires the extra user interaction, and some bot makers are becoming wise to this method due to its popularity.
Variable CAPTCHA: Use a standard CAPTCHA solution but only use this when activity is suspicious (multiple submissions from the same IP address for example).
Log everything / Discovery: This is not an alternative as such but a way for you to possibly discover patterns with bot form submissions which could allow for simple filtering rules for form submission data. (‘Log everything’ is always a good mantra when working on the web).
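The first three alternatives above (timed load, hidden fields and tokens) combined into one server-side check, as an added example that is not code from the original article. The field names, the one-hour expiry and the in-memory nonce store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, persisted in production
MIN_FILL_SECONDS = 1.0                # the article's "less than, say, 1 second" threshold
MAX_TOKEN_AGE = 3600                  # assumption: a rendered form is valid for one hour
HONEYPOT_FIELD = "website"            # hypothetical name of the CSS-hidden input
TOKEN_FIELD = "form_token"            # hypothetical name of the hidden token input
_used_nonces = set()                  # in-memory one-time store; use a shared cache in production


def _sign(payload: str) -> bytes:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_token(now=None) -> str:
    """Called when the form is rendered; the value goes into a hidden input."""
    issued = f"{(time.time() if now is None else now):.3f}"
    payload = f"{secrets.token_hex(16)}:{issued}"
    return f"{payload}:{_sign(payload).decode()}"


def check_submission(form: dict, now=None) -> str:
    """Return 'ok', or the reason the submission should be discarded."""
    now = time.time() if now is None else now
    parts = form.get(TOKEN_FIELD, "").split(":")
    if len(parts) != 3:
        return "missing-token"          # request did not come from a rendered form
    nonce, issued, sig = parts
    # The load time is signed, so a client cannot backdate it to beat the timer.
    if not hmac.compare_digest(sig.encode(), _sign(f"{nonce}:{issued}")):
        return "bad-token"
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot-filled"        # humans never see this field, bots fill it
    elapsed = now - float(issued)
    if elapsed < MIN_FILL_SECONDS:
        return "too-fast"
    if elapsed > MAX_TOKEN_AGE:
        return "expired"
    if nonce in _used_nonces:
        return "replayed"               # token is one-time: the same form cannot be resubmitted
    _used_nonces.add(nonce)
    return "ok"
```

Logging the returned reason for every rejected submission also gives you the data the ‘Log everything’ item asks for.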
Perhaps it is time for more web designers and developers (including CMS and framework companies) to move away from text CAPTCHAs. An increasing number of people seem to agree with this, hence the proliferation of the alternative methods. With the multitude of alternatives available which either require no extra user action or offer an improved level of usability, there really is no need to use text CAPTCHAs when building your forms. With the use of alternatives you could achieve goal conversion gains as well as improving the user experience for your customers.