Strategic Website Usability

CAPTCHA: Is There A Better Way?

You may have never heard of a CAPTCHA, but if you spend any time on the internet, you've definitely seen one. CAPTCHAs most often take the form of distorted words that a visitor has to type in to complete an action, and are designed as a test to tell humans from programs.

The current state-of-the-art is reCAPTCHA, pictured below:

[Image: reCAPTCHA]

From a usability standpoint, CAPTCHA represents a hurdle for human visitors. While people who design CAPTCHAs are trying to solve a very real and difficult problem, the war against malicious programs and spammers has escalated to the point where it has a human toll, and we need to seek out alternatives.

The Captcha Arms Race

Unfortunately, the current incarnation of CAPTCHA is a losing proposition. Originally, it made sense to use reading to tell humans from programs; reading is easy for most people and difficult for computers, and words represent an almost unlimited task variety. Unfortunately, as computers get faster and programmers get more creative, creating a secure, word-based CAPTCHA means making the reading task increasingly more difficult, which adversely affects human users. Computers are getting better and better at reading all of the time, while our reading ability as adult humans stays roughly the same (and often gets worse as we age). Logically, it's only a matter of time before simple, word-based CAPTCHA is completely ineffective.

The Sesame Street Solution

So, how do we up the difficulty level for computers without hurting people? For word-based CAPTCHA, we've really only followed one path: making the words more and more difficult to read. What if, instead of making the answer more difficult, we focused on the question?

If you ever watched Sesame Street you probably remember the game "One of these things is not like the other." We humans are naturally good at detecting differences; it's an evolutionary necessity and built into many of our sensory systems. Consider the examples below:

[Image: Difference CAPTCHA examples]

In all of these, you can easily tell which of the 3 words is different. Now, consider asking a computer the question: "Which word is different?". Current technology could easily read the three words in every example above, but how does a machine parse the word "different"? Does it mean red, bold, italicized, green, underlined?

By making the question ambiguous, we've added a layer of difficulty for machines that's easily resolvable for humans. This "Difference CAPTCHA" could allow us to increase the level of security without increasing word distortion. Granted, it's not a perfect solution, and has many of the issues CAPTCHA currently has, but it taps a strength of human brains and at least buys us a bit more time in the arms race.
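A minimal sketch of the Difference CAPTCHA described above, added here as an example and not code from the original post: it generates a three-word challenge in which one word carries a style the other two lack, checks the typed answer, counts the option space (the post notes that font styles multiply the word options), and estimates bot success under an assumed attacker that OCRs each word with probability p but cannot interpret "different" and so guesses among the words it managed to read. The word list, style set and attacker model are constructed assumptions.

```python
import random
import secrets
from math import comb

# Constructed word list and style set; a real deployment would draw from a
# much larger dictionary (the option count grows with both lists).
WORDS = ["garden", "planet", "silver", "monkey", "candle", "window", "pepper", "rocket"]
STYLES = ["bold", "italic", "underline", "red", "green"]


def make_challenge(rng=None):
    """Pick three distinct words and give exactly one of them a style.

    Returns (rendered_words, expected_answer); the user must type the odd word.
    """
    rng = rng or secrets.SystemRandom()  # CSPRNG so challenges are unpredictable
    words = rng.sample(WORDS, 3)
    odd = rng.randrange(3)
    style = rng.choice(STYLES)
    rendered = [{"word": w, "style": style if i == odd else "plain"}
                for i, w in enumerate(words)]
    return rendered, words[odd]


def check_answer(expected, typed):
    """Server-side check: the typed word must match the odd one (case-insensitive)."""
    return typed.strip().casefold() == expected.casefold()


def option_count(n_words, n_styles, k=3):
    """Distinct challenges: ordered k-word draws x position of odd word x style."""
    ordered = 1
    for i in range(k):
        ordered *= n_words - i
    return ordered * k * n_styles


def bot_success(p, k=3):
    """Assumed attacker model: each word is OCR'd correctly with probability p,
    the bot cannot tell which word is 'different', and submits one of the words
    it read uniformly at random. Success = odd word read AND chosen."""
    total = 0.0
    for j in range(k):  # j = how many of the OTHER words were also read
        total += comb(k - 1, j) * p ** j * (1 - p) ** (k - 1 - j) / (j + 1)
    return p * total
```

Under this model the bot's rate never exceeds p and drops to p/3 only when OCR is perfect, so the extra layer buys a bounded factor; the word distortion (the value of p) still carries most of the load.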

A Note About reCAPTCHA

I want to emphasize that this post is in no way an attack on people who design CAPTCHAs. The real enemies are the spammers and hackers who have made CAPTCHA a necessary evil. The folks at reCAPTCHA have done an admirable job of trying to deal with accessibility issues and are using CAPTCHA to accomplish a worthwhile task, helping to decipher digitized books.

Florian Bailey

 · Tuesday, July 1
Clever, I like it, but I see some problems, mainly that we are starting to design IQ tests for users ... sooner or later that will limit your userbase a lot ;-)

Dr. Pete

 · Tuesday, July 1
@Florian - That's definitely the problem: how do you design something the average person can easily solve while machines get "smarter" all the time? At best, it's a battle to find imperfect solutions, and you have to fight it from both sides.

Sean

 · Tuesday, July 1
My basic issue with captchas is if I have to do it twice because I've misinterpreted the letters, I usually just abandon the site. If the hurdle to interact is too high, then interaction will decrease.

I don't really know what the solution is, but I know captchas really aren't it. I was thinking about a more simple challenge-response process, but that runs afoul of other issues.

I like your idea, though. It is at least coming at this from a different angle. I also believe diversity is what will save us from the spammers. We can't have one unified way of doing something, but any process developed needs to be braindead intuitive.

Dr. Pete

 · Tuesday, July 1
@Sean - I completely agree that we have to come at it from a lot of different angles. I like to do as much as possible behind the scenes, in a way that's invisible to users, and then consider CAPTCHA as a last resort. I'd also like to see more people consider the security/usability tradeoff. A blog or contact form doesn't need high-security CAPTCHA.

I've been brainstorming ways we might turn low-security CAPTCHA into more of a game, and make it less obtrusive. I'll probably be writing about that in a couple of weeks.

Avinash Kaushik

 · Tuesday, July 1
Regardless of if the Sesame Street solution will stand or not, I really like the spirit of creating solutions that is in your post. Think first of the user, then of the spammer. It is possible to be innovative and tough without making the life of the user miserable.

Excellent post, excellent point.

-Avinash.

PS: Yes computers will become smarter, but they are not user centric! So we will always win!! :)

Dr. Pete

 · Tuesday, July 1
Thanks, Avinash: I think it's important to think out loud about these problems and I'm trying to treat some of my back-burnered ideas as a bit more "open source". The internet is still young, and tackling problems like spam is going to take a constant stream of new ideas.

anna

 · Tuesday, July 1
I am not a programmer, but I like this idea very much: show a photograph and ask people to click on something particular like a black dog, or a yellow flower or whatever.

A bit like this: http://labs.mininova.org/passclicks/ It is used in a different manner, but maybe it will also work for validating a form with some changes here and there.

Dr. Pete

 · Tuesday, July 1
@Anna - I've seen some interesting photo-based CAPTCHAs, but they don't seem to have caught on yet. Part of the problem is apparently technological: you have to maintain the catalog of images on your site, and that limits the range of choices (which makes it easier for a computer to solve). From a usability standpoint, though, they definitely have some advantages.

David Mihm

 · Tuesday, July 1
Dr. Pete, what an insightful post. I was waiting with bated breath when you were hinting at something big coming up in July...and it didn't disappoint.

I would think that a Sesame Street solution, even without the bolding or underlining, would be equally effective? Surely computers are not smart enough to judge word meanings yet?

Something like "pork beef soap" -- how would they know soap was the right answer?

Sean

 · Tuesday, July 1
Math is to Geology as Giraffe is to ? Turkey Apple Megatron

Dr. Pete

 · Tuesday, July 1
Thanks, David. The meaning-based CAPTCHA would be interesting, but you'd have to provide a database of words categorized by meaning. One nice thing about the straight reading versions is that it's easy to generate a huge number of options (which would be multiplied by adding font styles). In high-security situations, the higher the number of possible answers, the harder it is to crack.

BTW, I've got a surprise announcement in store for next Tuesday's post, but something a bit more on the fun side.

Dr. Pete

 · Tuesday, July 1
@Sean - My spam filter apparently didn't like your message: "Turkey Apple Megatron Buy Viagra" ;)

I'm sure my blog readers are smart enough to answer your example, but I don't know about my faith in the broader population. It reminds me of the Illinois Lotto game show I once watched. Essentially, they had to make a game show that anyone who could use a scratch-card could play, regardless of age, education, native language, trivia knowledge, etc. The final result was a show where each of 3 contestants just picked a number on a board, which they flipped to reveal a dollar amount. The person with the highest total at the end won. Not exactly compelling TV.

I'm not sure what my point is :)

Eric

 · Tuesday, July 1
Interesting idea. There are a couple of sites that I use regularly that have CAPTCHA systems that are a real pain. They distort the letters/numbers enough that it's a challenge to figure out what they are, and when it's on a timed website (one is for buying baseball tickets, and there's a short window before the tickets are released), it's very frustrating. Maybe the solution is to design CAPTCHA systems to detect spammers, let them in to a trapped website, and use the trap to ruin their very lives (report them to DHS, send Gremlins to their homes, etc).

Dr. Pete

 · Tuesday, July 1
@Eric - Not to name names (*cough* Ticketmaster *cough*), but I can't think of a much more joyful user experience than to wade through a dozen cryptic forms, wait for each one to load because the server is bogged down, navigate a CAPTCHA, and then be told that you didn't complete the race in time. Then, on top of it, once you've done the whole thing over 3 more times, you get to pay a $25 "convenience fee".

Michael

 · Wednesday, July 2
The main problem with this solution is that the odds of getting the right answer just by guessing are one in three. For an automated system, that is plenty good enough. Even being able to get through one in a hundred times is probably good enough.

One of the problems with designing an effective CAPTCHA system is that you need to have a really high rejection rate, because the attacker is brute forcing and even a fairly low success rate is satisfactory to them.

It's good to make something usable but if it doesn't meet the requirements it is useless.

Dr. Pete

 · Wednesday, July 2
@Michael - I think you misinterpreted something (which maybe I didn't explain well): it isn't multiple choice; the user still has to type in the word that's different. What makes it more usable is that you can increase the difficulty without as much word distortion. It's really just a variant on existing word CAPTCHA, but the idea is to give developers another lever to pull to increase the difficulty for programs with minimal impact on people.

Michael

 · Wednesday, July 2
Yes, Pete. I understand, but I'm going on the assumption that the spammers have solved the OCR problem. That's the reason for the arms race that results in requiring more word distortion in existing CAPTCHAs.

So my point is that the spammer will be able to determine your three choices by OCR and then pick one at random to enter into the textbox.

However I think I see your point is that you still have word distortion that reduces the attacker's recognition percent, and then on top of that you are adding another layer. And that you can probably find a balance that gives you the same difficulty rate as the heavily distorted text but with less distortion.

So if I understand correctly, what you are saying is that a particular level of distortion might give me a 1/1000 recognition rate when I try to read it using OCR. In your example I can use a more human readable distortion that might have a 1/300 recognition rate, but with the added challenge, I get the same overall protection.

I think I missed the point that there would still be some distortion.

Dr. Pete

 · Wednesday, July 2
@Michael - That's exactly it. My examples were purposely oversimplified, but the idea is that, by adding the additional challenge, we might be able to get the same level of computational difficulty with less word distortion. Of course, it only buys us more time, but that's the game at this point.

Of course, I freely admit that it's all theory at the moment. I've decided to think out loud a bit more about these things, and stop worrying about having an ultimate, implemented solution for every idea. The whole point is to spur discussions like the one we're having.

Steve

 · Wednesday, July 2
As for the "State-of-the-art" in reference to "re-CAPTCHA" I 100% disagree.

"re-CAPTCHA" has got to be THE WORST CAPTCHA implementation ever. I regularly get them wrong (50%+) and thus have stopped using ANY site that uses re-CAPTCHA.... Period.

Dr. Pete

 · Wednesday, July 2
@Steve - If it makes you feel any better, there are far worse CAPTCHAs. I completely understand your frustration, though: in a perfect world, honest people wouldn't have to jump through hoops because of the bad behavior of a few idiots.

Bert Dingman

 · Thursday, July 3
Spammers have figured out ways around captcha a while ago. It uses HUMANS to read the captcha and enter the code for them. Spammers put up a throw-away porn site. They require users to perform a captcha step to access the content. They use the back end to get the captcha code from the site they want to spam, and wait for their other users to tell them what the captcha is. Total end around.

Arjan

 · Sunday, July 6
From an accessibility point of view almost all captchas are inaccessible. Even those that have a sound option do not work properly (for example: the one Google Accounts uses).

My suggestion is to use a sentence with a question like "What's the color of grass?". Everyone knows the answer (even blind people who use a screenreader or braille apparatus).

Dr. Pete

 · Monday, July 7
@Bert - I have heard about that hacking approach, although it seems to have only been successful in some cases. I think some of the newer versions may block that kind of use by 3rd-party sites. Still, crowdsourcing the task to humans (to solve human problems) is ingenious, in a devious way.

@Arjan - You're absolutely right: accessibility is still a huge issue for almost all CAPTCHAs. The audio-based solutions are a nice idea, but most of them are as distorted and bizarre as their visual equivalents.

The problem with the question-based approach is that there ends up being a very limited set of questions that aren't specific to a culture, age-group, etc., and those limited options make the CAPTCHA too easy to crack.

Lori

 · Friday, July 11
Great post about a common problem. I love the Sesame Street analogy - I used it myself in a post a few weeks ago about how kids learn to classify things. Trouble is, as someone else mentioned, it becomes a bit of a test of logic and intelligence and sadly, not everyone would find it doable.

I love these topics because at the heart, they are about what it is that separates people from computers. The line is thin, since people create computers and the programs (like spam bots) that run on them. You can make CAPTCHAs smarter, but then spammers can make smarter bots. Sort of like a never-ending cycle.

But I do admire you for trying!

David LaFerney

 · Friday, July 11
Interesting post - great discussion in the comments too. Sorry I came so late to the party.

It strikes me that this arms race is really going to push technology on both sides forward quickly as long as it lasts. What has already happened though is the devaluation of what is behind the CAPTCHA - when comment spam gets to be too much of a pain the blogger implements nofollow. Eventually an equilibrium is reached between difficulty / value to the spammer - the less valuable it is to defeat the safeguards the less trouble the spammer will go to to defeat them.

Ultimately everyone including the spammer loses.

anna

 · Monday, July 14
A while ago I came across this method to show a secret message.

I know it is not a solution for the spam-problem, because there probably never will be any, but I thought it was creative and not a nuisance.

Eric

 · Monday, July 14
Retinal scanners.

©2008 User Effect, Inc.