A Much Better Form of CAPTCHA

I really hate most encounters I have with CAPTCHA. Visually obscured random groups of distorted letters and numbers tend, for those of us in the older-Netizen crowd, to become sometimes insurmountable barriers to accomplishing a goal on the Web. Last week, I abandoned an attempt to do something on a Microsoft site (I can't recall now what; I found a non-Microsoft alternative) after 12 — that's right 12!! — failed attempts to reproduce the CAPTCHA code in an entry form.

Today I had a CAPTCHA encounter of a different type. I'm reviewing a product called Titanium Appcelerator and I ran into a question about one of the SDKs it supports. I logged into the forums and posted my note. At the end, I was faced with the question, "The opposite of down is" followed by a box into which to type my answer. A second use resulted in my being asked a similar question, one a human could read and easily answer (even if English weren't one's first language) but which a bot roaming the Web looking for forums in which to spew spam would utterly fail. This is a great idea. I realize it might be less secure than the obfuscated characters or words used in most such systems, but almost all of what is being protected against bot-spam is not of such enormous value that attempting to make it absolutely impossible for a non-human to access it is worth the aggravation of driving even one qualified human away from your site.

Wikipedia says, "Even an audio and visual CAPTCHA will require manual intervention for some users, such as those who have visual disabilities and also are deaf. There have been various attempts at creating CAPTCHAs that are more accessible. Attempts include the use of JavaScript, mathematical questions ('what is 1+1'), or 'common sense' questions ('what color is the sky on a clear day'). However they do not meet both the criteria of being able to be automatically generated and not relying on the type of CAPTCHA being new to the attacker." I'd disagree. First, the "such as those" is too limited. I encountered two CAPTCHA challenges in the past two weeks that had audio assist but in both cases the audio had also been badly distorted. I couldn't understand it and neither could three much younger people I asked to try it. Second, although it's true this type of CAPTCHA can't be auto-generated, it does not rely on the type being new to a would-be attacker or bot, just that the question be new or unpredictable. Again, as I said above, this type of security doesn't need to be ironclad, just strong enough that all but an inveterate hacker will be unable or unwilling to expend the effort to defeat it.
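One way a forum server could issue and check the question-style challenge discussed above, added here as an example and not code from this post or from the forum it describes. The question pool, the function names, the token format and the five-minute lifetime are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

# Constructed sample pool (assumption); a real site needs a large, rotating set,
# because the defence rests on each question being unpredictable to a bot.
QUESTIONS = {
    "The opposite of down is": {"up"},
    "What is 1+1": {"2", "two"},
    "What color is the sky on a clear day": {"blue"},
}
SECRET = secrets.token_bytes(32)  # server-side key, never sent to the client
TTL = 300                         # seconds a challenge stays valid
_used = set()                     # nonces already spent (in-memory for the demo)

def _normalize(answer):
    # Forgive case, extra spaces and trailing punctuation so humans are not rejected.
    return " ".join(answer.lower().split()).strip(".!?")

def _sign(question, issued, nonce):
    msg = f"{question}|{issued}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue(now=None):
    """Pick a random question and return (question, token) for the form."""
    question = secrets.choice(list(QUESTIONS))
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return question, f"{issued}:{nonce}:{_sign(question, issued, nonce)}"

def verify(question, token, answer, now=None):
    """True only for a fresh, untampered, unused challenge answered correctly."""
    try:
        issued_s, nonce, mac = token.split(":")
        issued = int(issued_s)
    except ValueError:
        return False
    expected = _sign(question, issued, nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # question or token was altered by the client
    now = time.time() if now is None else now
    if now - issued > TTL or nonce in _used:
        return False  # expired or replayed
    _used.add(nonce)  # one guess per challenge, right or wrong
    return _normalize(answer) in QUESTIONS.get(question, ())
```

Binding the question into the signed token and spending the nonce on the first attempt means a client gets one guess per challenge and cannot swap in a question it already knows the answer to.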

Posted via email from danshafer’s posterous

February 6, 2010 · Posted in Web technology  