I wrote an article for ReadWriteWeb earlier this summer about a way to replace those annoying CAPTCHAs with a miniature game. They are annoying because Web site operators put them in place to check for bots or spammers who are trying to gain access, for example by setting up a bunch of accounts automatically. Computer scientists at Carnegie Mellon University developed them in 2000 and they have been popping up pretty much everywhere online ever since.
Many spammers use various methods to defeat them, including paying real people slave wages to input values or using special optical character recognition software. As the bad guys get better at defeating them, the CAPTCHA tests are getting harder to read and parse out.
In my article for RWW, I mentioned Play Thru, which invites users to solve a game, such as figuring out what ingredients are used to make pancakes. One programmer wrote about a way around the Play Thru system here.
There are other attempts to try to perfect this genre. First is this comic from XKCD that attempts to play on arcane human knowledge.
In this post on the Sophos Naked Security blog, there are some pretty funny examples of really difficult tests that most of us would have a hard time passing.
But last week there was another innovation, what is being labeled as CAPTCHAs with a conscience. The idea, from the Swedish activist organization Civil Rights Defenders, is to pose a political question, asking the viewer how a loaded question (prisoners being tortured, or gay-bashing) makes them feel. Of course, soon we will have computers that can correctly interpret human feelings, but it is an intriguing thought nonetheless.
How do you feel about this approach? And can you prove that you are really human when you reply?
I would like to prove that I’m human, but I don’t know how to do that as I’m not entirely sure what “human” means anymore.
David, I enjoyed this article. I am curious now, I’m going to leave this reply and see if I get one of these next-generation CAPTCHAs!
The sooner we can get rid of CAPTCHAs and any other road blocks the better. A terrible solution to a real problem. Adding something that has political messages would only be good if you liked the message! (And even then my day is too busy for that.)
I will only believe that there is no better solution when Amazon starts to add questions after I press the one-click order button!
If you are doing a hard identity check, things can get pretty easy. You can verify a cell phone or other number or e-mail address and use that for two-factor authentication if needed. Normally, though, a human would be involved.
The problem comes when you are trying to eliminate humans from the security equation, make it easy, and protect resources from exploitation that are not all that valuable. Captcha is one way. Another way might be a huge array of pictures of animals, states, buildings, or other objects that people could type in, or pick the picture from a typewritten explanation. Then you have to make it difficult for machines to repeatedly try to guess.
You have to make it something that people with different levels of knowledge about the world will know. A blue butterfly or a yellow hippo might be OK, but a silver capybara would be a terrible choice. Color-blindness would also be a big issue, as would visual impairments.
Another way to make Captcha work would be attempting to duplicate a simple drawing from directions given by voice. “Start at the circle and move your mouse to the square and then the triangle.” Human responses will be pretty slow and uneven, but they should be able to do it.
The fundamental problem with Captcha is that it’s a single solution that’s used by a zillion websites, and therefore it’s profitable for spammers to work hard to break it. I solved the spambot problem on one of my feedback forms by asking the commenter to type a single letter that I generate randomly when the page is viewed. Very easy to code and almost 100% effective. Of course it would be extremely easy for spammers to break, too, but since my relatively obscure site is the only place this exact method is used, they’ll never bother. So my advice for those who run medium-to-low traffic websites is to come up with your own simple but unique solution, and it’ll probably work just fine.
If you’re Facebook or Amazon or any other high-visibility site, I dunno what to tell you.
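The single-letter check described in the comment above, sketched server-side as an added example (not the commenter's code). It assumes the form carries a hidden token field. The expected letter is never sent in the page data; it is bound into an HMAC with an expiry, and each token allows one guess. All names, the key handling and the 10-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, kept server-side
TTL_SECONDS = 600                     # assumption: a rendered form stays valid 10 minutes
_used_nonces = set()                  # in-memory for the example; a site would use shared storage


def _sign(letter, expires, nonce):
    """MAC over the expected letter plus the token's expiry and nonce."""
    msg = f"{letter}|{expires}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Return (letter to show the visitor, token for a hidden form field)."""
    now = int(time.time()) if now is None else int(now)
    letter = secrets.choice(string.ascii_uppercase)
    expires = now + TTL_SECONDS
    nonce = secrets.token_hex(8)
    # The token carries no copy of the letter, only a MAC that depends on it.
    return letter, f"{expires}.{nonce}.{_sign(letter, expires, nonce)}"


def verify_challenge(answer, token, now=None):
    """True only for the right letter, before expiry, on the token's first use."""
    now = int(time.time()) if now is None else int(now)
    try:
        expires_s, nonce, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False                  # malformed token
    guess = answer.strip().upper()
    if len(guess) != 1 or guess not in string.ascii_uppercase:
        return False
    if now > expires or nonce in _used_nonces:
        return False                  # stale form, or token already spent
    _used_nonces.add(nonce)           # spend the token before comparing: one guess each
    expected = _sign(guess, expires, nonce)
    return hmac.compare_digest(mac.encode(), expected.encode())
```
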
You could have lots of unique security methods, but using something like Captcha is common and people get used to it. It makes it easier for them. Captcha can work for those who are color blind and those who are entirely blind. That’s hard to beat. My idea of drawing some diagram is difficult for those with bad eyesight or hand-eye coordination. Still, it is one that is commonly used to unlock cell phones, so it could be used other places as well. Furthermore, computers and humans would have completely different input methodologies, so you could probably tell if it was a computer drawing versus a person.