There may be a better way to weed out spammers than CAPTCHABy Chad Perrin
Takeaway: CAPTCHAs may be the de facto standard for protecting against spammer scripts, but that doesn’t mean they’re always the best tools to use.
CAPTCHA, or “Completely Automated Public Turing test to tell Computers and Humans Apart”, is easily the most widely used approach to testing site visitors on the Web to determine whether they are humans or scripts. As scripts become more sophisticated in their text recognition for purposes of solving CAPTCHAs, the CAPTCHAs themselves have to get harder to read, to one-up the scripts and keep spammers off their sites.
There are two problems with this arms race, from the point of view of the defenders, that are becoming huge issues:
- CAPTCHAs are getting too difficult even for humans to read, let alone scripts. While this may help keep the scripts out, it also keeps the humans out, which generally defeats the purpose of the site. As the arms race progresses, we may soon reach a point where the scripts are better at solving CAPTCHAs than the humans.
- Spammers are starting to use humans to augment their scripts, crowdsourcing their CAPTCHA solving. Human micro-employment services like Amazon’s Mechanical Turk are actually being used to get real human beings to solve CAPTCHAs. Sometimes, this is just someone testing CAPTCHA generators to ensure that humans are capable of reading them, but CAPTCHA solving for spammers is also being crowdsourced, which means that differentiating between human and code is no longer sufficient. What difference does it make how well you differentiate between people and scripts if the spammers are getting humans to do their work for them anyway?
Other approaches than CAPTCHA are needed, if we wish to continue actually accomplishing something aside from encouraging the development of strong AI in malware. Some special case examples have already arisen, and tend to be less annoying and intrusive in the context of human users’ Web browsing experience. Two that I have used include:
- Source checking for trackbacks and pingbacks to test for legitimacy.
- Using hidden fields to catch scripts reading what humans do not see.
Trackback and pingback source checkingRead More...
Man, I'm all for anything Besides CAPTCHA!:O I have always had trouble reading those things and lately can hardly even get one right! It usually takes me 3 tires or changing to different ones, when that option is available on the site. And the Audio CAPTCHA's, which is offered on some sites, are even harder to decipher! I have gotten to where, I just don't make a comment, most of the time when I see a CAPTCHA. And it is SO AGGRAVATING to go to all of the trouble to think up and type out a good comment, only to find a Surprise CAPTCHA in the Submit Process. They Should have called just them GOTYA's!:O
People who read this...
- DIY: Replace a Windows Server with open source software to save money
- Maybe your random CAPTCHA string generator should be less random