Should you use CAPTCHA?

Written on 9 October 2014


Everyone hates CAPTCHA. It’s hard to use*, slows the sign-up process for the user and doesn’t provide them with any advantage (it’s a spam reduction measure for the business, it has no value to the user and affects the user experience).

As a technology, CAPTCHA is a smart, simple idea; require a response that you have to use cognitive ability to solve in order to prove you are not an automated bot. However, it is too often implemented badly. There are many types of CAPTCHA available, from reading a scanned word, picking out the odd image, solving a mathematical problem or typing spoken characters. The issue is that even as the human you can’t tell what the correct response should be – whether it’s aural or visual*.

In a world in which you “need” to prove that you’re a human, there are better ways to achieve this.

Solve spam, minimise user experience disruption

The business goal is to minimise spam sign ups to your site. The payoff is user disruption.

When seeking a CAPTCHA solution, you need to match the required effectiveness to achieve the business goal to the acceptable level of user disruption. For example, if you are a business like Wired.com, your requirement to eliminate spam is very high – you may get thousands of sign ups per week, and therefore it’s really important you don’t compromise your security. If you are a small business, say a local restaurant, your volume of sign ups is likely to be (relatively) very low, and whilst you don’t want to end up with a spam issue, you also want people to complete the sign-up process so you can increase your mailing list!

Alternatives

There are several types of CAPTCHA that carry minimal user disruption. These are preferable to the classic “read this and type the same thing”.

Honeypot fields
Add a visually hidden form element, which only a bot will see and fill in.

Cognitive questions
e.g. A cartoon of three images – “what color is the highest/biggest/first image?”

e.g. Ask a mathematical question – “type one number less than the answer to 4 + 7 – 3”

Set a time limit
Humans usually take a few seconds to decide on a response and complete the field, whereas a bot will likely respond instantly, providing a clue to its non-human nature.

Achieving your aim

Providing security and avoiding spam as a business does not need to annoy or disrupt your real clients – in fact, that totally misses the point.

If you must use CAPTCHA, implement it with the thought for your intention: are you trying to solve a problem that exists, or avoid a potential annoyance? The level of effectiveness needs to be measured against the level of user frustration you should sensibly inflict.

FOOTNOTE – according to a study carried out by Stanford University of more than 1,100 people, gathering 11,800 completed surveys, and studying 14,000,000 samples from a week’s worth of data from eBay, on average:

  • Visual CAPTCHAs take 9.8 seconds to complete
  • Audio CAPTCHAs take much longer (28.4 seconds) to hear and solve
  • Audio CAPTCHA has a 50% give-up rate
  • Only 71% of the time will 3 users agree on the translation of a CAPTCHA
  • Only 31.2% of the time will 3 users agree on the translation of an audio CAPTCHA

More from the blog