Re: From the Department of The Bleedin Fekkin Obvious Department...
The problem with a "did you register for this" email is that bots are quite capable of clicking a link in an email.
The Australian Communications Consumer Action Network (ACCAN), Blind Citizens Australia, Media Access Australia, Able Australia and the Australian Deafblind Council have banded together to campaign for the demise of the CAPTCHA. CAPTCHAs, or Completely Automated Public Turing test to tell Computers and Humans Apart, ask users to …
The problem with a "did you register for this" email is that bots are quite capable of clicking a link in an email.
There are a couple of further problems:
Abuse of the email verification system to abuse mailboxes - sending thousands of non-wanted "confirmation" emails from your domain is a quick route to be marked as a spam source. Similarly receiving hundreds of these things would quickly annoy any recipient.
Secondly... what about the case where it's not a registration link? How about where you're just sending a message or reply on a website? Do you really want the hassle of having to check your inbox for a message, that is likely filed under junk, just to send a two line reply to a post or message?
I totally agree. Even for people with close to normal vision, these things are really difficult - I just find them almost impossible to do and extremely frustrating.
> sending thousands of non-wanted "confirmation" emails from your domain...
So don't send thousands, it should be quite easy to detect when the system is being abused, just restrict the confirmation emails to one a minute.
> How about where you're just sending a message or reply on a website?
Why should you have to enter a CAPTCHA once you're registered and logged in?
> > How about where you're just sending a message or reply on a website?
> Why should you have to enter a CAPTCHA once you're registered and logged in?
I think there are times when I should be allowed to interact with a web site without being required to register with it first. (and some of those times I should not be required to supply an email address)
I'd think that if it were quite easy to detect when the system is being abused, then we wouldn't need captchas in the first place.
And what when I DON'T want to tell the website my email address? Oh, so I have to create a one-off hotmail address...
A right ballache that they are, Captchas still serve a useful purpose in keeping out bots.
"A simple "Did you register for this?" email is the easiest & most Accessable way to handle the issue, doesn't discriminate against anyone with Disabilities (if they can't read the email, they probably can't read your site, either), and allows for the verification of a person's humanity in a way that doesn't make us want to put a bullet through your face for "proving" otherwise via technology that is, itself, Not Accessable.<br>"
It's also stupid and can become a wonderful and simple tool to flood people you don't like.
"Any place that uses CAPTCHA's to prove a potential user's humanity, automaticly deserves to be branded "Fuckwad" in big, bold letters across the forehead, shaved bald, & have a lifetime Execution Sentence if they allow their hair to cover the brand, or otherwise allow it to be obscured."
Ditto for anybody who sticks an apostrophe into a simple plural.
I think I speak for the population without disabilities who also agree FUCK CAPTCHA!!!!!!!!
Even when I had "perfectly good eye sight" I still really struggled with these damn CAPTCHA things. Since hitting the age where reading glasses are necessary I find them even worse.
I realise that something is needed to stop the SPAMmers but this isn't it.
I'm sure I remember a story here on El'Reg a while back about SPAMmers getting around CAPTCHA by using porn bate, getting left handed typists to solve the CAPTCHAs for them.
I'm a left-handed typist.
I hold my pen in my left hand. I throw a ball with my left hand and stir my coffee anti-clockwise - how do these skills help?
> I'm a left-handed typist.
Left-handed typist is a euphemism describing a porn sites visitor's need to type with his left hand because the right hand is being used for, erm .... other things.
> how do these skills help?
" Left-handed typist is a euphemism describing a porn sites visitor's need to type with his left hand because the right hand is being used for, erm .... "
Bloody amateurs. Everyone knows you're supposed to change hands every ten minutes or so.
Captcha's don't work. The spammers get past them, probably with cheap labour.
So there's no real point in having them.
Totally disagree. I had a form on a site of mine with no captcha...was fine for a while, then the spam attacks started, all sorts of crap ending up in the database. Captcha added, problem went away, no spam for 3 years.
Until someone can suggest a better solution that isn't completely user-unfriendly (the link-in-an-email doesn't suit our use case at all) then I'll have to keep on using them.
You might not even need any labor at all. How sure are you that various shady yet widely-used MegaSuperFileStorage & co. type sites never re-serve captchas actually presented by other sites, reusing the provided answers for their own purposes...?
I've seen a great new captcha type verification that solves this. A simple question like "Which of these are dogs?" and 8 pictures with dogs and cats. Click on the dogs and in you go... Works very well.
As far as small sites go it's a great solution, but once larger sites start using it it's not random enough to keep out the hackers/spammers though.
I have lattice degeneration, as well as partial posterior lens capsule opacity and moderate hearing loss and tinnitus secondary to an IED blast, I fucking HATE CAPTCHAs and wish bodily harm on those who insist on their use.
I'm now at the point where I avoid services that utilize the damned things, as I'd rather masturbate with a cheese grater than screw about with CAPTCHAs.
I feel your pain, but wishing bodily harm against someone is a bit like planting an IED yourself
No, wishing it is something that only happens in the mind, while actually planting an IED is something that happens in the real world - as such they are totally different.
Unless you're with the thought police.
Are you with the thought police?
...I did really well in the exams until we got to the "mind captcha" as they call it - totally failed at that one!
be careful what you wish for
> I'd rather masturbate with a cheese grater
What's stopping you?
Far too many CAPTCHAs are so "obscured" that I have to repeatedly ask for a different CAPTCHA... sometimes as many as a dozen or more times... either make them more legible for the average person with age related vision problems or get rid of the damn things...
I've got decent eye sight, but I still struggle with those bloody captchas. Although someone above claimed that spammers can automate the response to verification emails, I'm not convinced. They normally contain multiple links to the confirmation form - a "clever" bot may follow all the links, so the answer could be to include one that cancels the subscription request. Another option is to include a keyword or phrase in the verification email that must be entered into a form on the page the verification link points to.
My eyesight is better than 20/20 but I suffer from degenerative monochromachia. One problem this causes is that coloured text often becomes illegible.
When it's been deliberately munged AND coloured on top, it's literally impossible to read.
I don't have a solution but I really wish that captchas didn't come in so many multicoloured varieties.
...which raises an interesting question: can you mount a DDOS attack on CAPTCHA by repeatedly asking for a different phrase? If so, they need to introduce some sort of authentication mechanism to ensure it's an actual person asking for a different CAPTCHA and not a bot...
You an evil, evil man.
How about another captcha to make sure a person is asking for a different captcha and if he/she requests another captcha for the captcha making sure that a person is requesting a captcha for the captcha request?
At this point we'd have to rename it from CAPTCHA to KAFKA.
Working out a suitable backronym for this, I leave as an exercise for the reader...
I suffer from molluscum Contagiosum, Dacryoadenitis, Thygeson's superficial punctate keratopathy and Keratoconjunctivitis sicca and can't see these frickin CATCHAs. Also these eye diseases names are peeing me off. How am I expected to spell them propelry?
Although I hate having to enter captchas, as a support forum admin I have to implement them.
Before I had captcha on the registration process, the forum was being spammed into oblivion every day. Having email confirmation was next to useless as the spambots could automate it; they would hit the board with hundreds of spams in less than an hour.
It reached the point where I disabled the board entirely, before enabling a rather vicious captcha. Spam still gets in, thanks to the cheap-labour issue mentioned before, but a mere fraction of what used to hit.
I can understand that it makes life difficult for people with visual impairment etc, but the fact is that without it, there would be no forum at all for people to register on as I could not contain the levels of spam. Until something appears that works as well (or better) without the disadvantages, then this is the only option.
Have you tried image-based ones (like Photo Captcha)...? I'm pretty sure describing / recognizing the content in a random image is way harder for a machine (for now) than recognizing some letters twisted out of shape too much even for average humans.
The suggested implementation above could even be expanded upon by bringing in fresh, new images all the time - serve more (2-3) of them, ask the user to describe them with one word - the first one would be an already "trained" photo with a collection of most often suggested answers while the second (third) would be a fresh image in training, gathering suggested keywords until a confidence level is reached and itself becomes a trained one. I think ReCaptcha does something similar, sans the photo angle (and they swear they manage to avoid brute-spamming particular words into something they are not).
Granted, this might not do much for people with disabilities, but I think the rest of the world would be rather grateful... ;)
That doesn't solve the cheap labour angle because they're actually HUMAN, meaning anything a genuine user can solve, THEY can solve. Basically, cheap labour end-runs around the CAPTCHA because they're not the type of spammers the thing's intended to block. In fact, cheap labour may be an unsovleable problem in general because you're trying to tell between two humans: one of which is willing to mimic the other well enough to pass any kind of test to tell them apart.
Plus one to you good sir/madam.
This is the 'brass tacks' of the situation - for some website operators, the option is between a flawed but viable and largely-effective system and shutting down their sites.
CAPTCHAs are annoying and I don't need a better reason than that to want them gone.
But, taking the argument of ACCAN, their alternative doesn't hold up. They are limiting themselves to registration forms for signing up to websites which is a valid issue but not the only instance where CAPTCHAs are used.
Thankfully not all websites require you to sign up to use them (yet) and so there are a lot of CAPTCHAs in use where the proposed solution of sending an e-mail just doesn't make any sense.
To find a real alternative, you have to start by asking what the product does.
The purpose of those annoying scribbles is to verify that a human rather than a 'bot' is interacting with the website. Further, it is doing that in the website, without the any additional processing from the user OR the site operator. FURTHER, it is a bit of bolt-on code that requires no additional infrastructure, maintenance or support from the website operator.
Compare that feature-set to 'just send an e-mail'. That 'solution' addresses none of the above points.
There needs to be a better solution but I think it's naive to just blurt out a 'common sense' answer, without accepting that if a workable alternative was that simple then we would have it already. There is a reason why 'just send an e-mail' isn't on the W3C's list and it's not because they haven't thought of it.
There's also a reason why none of the proposed alternatives have gained any acceptance, and that is because they are intensive to implement. A small business can very easily add a CAPTCHA to their website. Try adding 'Heuristic checks' to your small business's website!
I agree with ACCAN - they are difficult for even the most sharp-sighted of people to use so it is evident they would pose problems for others, less able users (including the elderly). I just think they need to recognise that the solution isn't that simple.
That post is far too reasonable and thought through. How the hell did you get access to these forums?
I've always hated CAPTCHAs. It's a rare time that I can get the buggers on the first go. I have very severe sight problems. Sadly the audio ones are even harder to decipher, and I've got pretty good hearing. So I just merrily go through a few (swearily if I'm being honest), until I get one right, like house drumpBty or somesuch. The nonsense words are particularly hard for me, because there's no context, so if there's one letter I can't read, then it's impossible to guess. Whereas if the u in house is unclear, I can get it from context.
Unfortunately the same problem applies to OCR. If it's unclear about one letter, it can go to word tables, and come up with a probability for what word it'll be. Hence making it easier for me, is probably going to do the same for the bots.
Actually I think this is the first time I've properly thought about the bloody things, and despite the fact that they're hateful, annoying and discriminatory - they're also quite hard to replace. Email confirmation isn't going to stop a well-written spam-bot. Anything that's commonly used, and available for people to just bolt-on to their site is going to be worth the spammers writing a counter to. And there's always the problem of paying peanuts to people in web cafes.
Someone suggested a simple astronomy question for their local astronomy site. Which works by security through obscurity. As soon as that solution became commonplace, bots would be written with a database of easy astronomy questions. Anything that a test can get me to look up, the spammers can also do.
Anything I can think of that's more human is even harder to make accessible. Things like cartoons, or puzzles are going to be much harder to bung through a screen-reader - and I'd have thought any questions can be looked up as easily by the spammers as the customers. Or at least put onto the spammers database, as fast as they go on the questioners database.
Perhaps the answer to spam is identity confirmation before you're allowed to register a domain, and then vigilantes with baseball bats? There are more of us than there are of them...
I hate CAPTCHAS
If we don't use them we get spammed to the bejesus!
A necessary evil?
I'd love to see some effective alternatives.
Can bots get around pictures?
So, for example rather than an obscured word I get a picture of a herd of cows and am asked to type in, in English, the singular of the animal/object in the picture. There could be quite a lot of pictures to pick from, and not necessarily animals.
Just a suggestion.
Two words: Screen reader. Or if you want different ones: Visual impairment. Which was rather the point of the article. Pictures resolve a small amount of annoyance for people who can already solve CAPTCHAs, but do nothing to solve the problems for many of the people who struggle with them.
Also, if it's a limited database of pictures, implemented by a commonly used piece of CAPTCHA software, then yes, the bots can solve it. By having access to the same list of pictures and answers. So the arms race would continue and the pictures would have to start being obscured and buggered around with, to stop the bots recognising them...
But going to pictures means you inconvenience the blind, which means you create accessibility problems. Pictures are the bane of screenreaders, and anything you do to make it more accessible to a screenreader instantly makes it easier for a bot to read (because both improve when you make things machine-readable).
But computers today are fundamentally devices with a visual-tactile interface. If you are blind and fingerless, you really need to find some other hobby than responding to comments on El-Reg (for example).
Firstly I'd like to disagree with the sentiment involved in your post. So long as we don't greatly have to inconvenience society in order to be inclusive, we should do so. There's obviously a trade-off once things become more difficult and expensive - and that's where a process realistic of negotiation needs to take place - which is hopefully the role of politics.
There's no excuse, or reason, for marginalising large sectors of society. Particularly as computer aren't a hobby. They're a vital in many jobs, as well as being a medium of access to various services.
Secondly I'd like to point out your error of fact. Computers aren't fundamentally devices with visual-tactile interfaces. The ones you use might be, but many others aren't. For example look up the Braille-note, which is a 'laptop' with braille keyboard and output device. Which has a tactile interface, with optional spoken output.
Complete speech interfaces have been commonplace for years now, and are getting to be rather good. Plus you've got Microsoft's Kinect and equivalents - which can track gestures or eye movements.
Now I'm happy to admit that the internet has a lot of content that's visual, either video or pictures. But a great deal of it is also text, plus big chunks of audio - and various other formats. For example El Reg. There are pictures and video all over this site, but apart from an odd video podcast, none of it is vital to the articles, so someone could perfectly happily get 99% of the sense of this site by screen reader or braille display.
Now if we return to the topic of the article, we find that CAPTCHAs are extremely unpopular even for people without visual impairments. Thus a discussion of alternatives seems like a pretty reasonable idea, and while we're doing it, considering the convenience of as many users as possible makes sense.
on the site I built most recently (a site for a regional amateur astronomy group), I ask a couple questions that anyone with even a remote knowlege of astronomy and who is local should be able to answer easily. this site has been active a year, I have several 100 registered users and.... NOT A SINGLE SPAM.
on a forum site I built that uses a conventional captcha (because its engine doesn't have any other options), I'm getting 100 bogus signups per DAY from stupid bots that fill in the same random garbage into various fields.
since I'm doing both these sites for gratis ('you couldn't pay me enough to do this for a living'), this situtation has remained as is for awhile.
When I setup a forum I started almost immediately getting spam, so I briefly added a captcha. I then got some of my users complaining that they couldn't use them for these reasons, so I removed it.
In the end the spam outweighed the number of comments so as it's UK based I ended up using GeoIP restricting it to UK only IP's.
Although the free GeoIP database is not accurate it's cut the spam down to 0 (every spammer's IP I had traced to India, South Korea or China).
on the site I built most recently (a site for a regional amateur astronomy group), I ask a couple questions that anyone with even a remote knowlege of astronomy and who is local should be able to answer easily
I've seen this on a couple of fairly niche forums that I'm subscribed to, and it works well. The only way around it for the spammer is to use low paid folk to subscribe by Googling the answers. For something with a limited subscriber list, this probably isn't worth their while.