Courtesy of Accessify.com,
The W3C has published a formal document on the inaccessibility of CAPTCHA (Turing Test) when used as a security device on sites to keep automated bots from registering as users. The main criticism of CAPTCHA has been that blind, dyslexic and other vision-impaired users are unable to pass the test of identifying characters in a low-contrast or difficult-to-read bitmap.
Search engines and blogs are the primary culprits in this area: many people would like to use services offered by search engines, such as instant messaging, and blogs use a CAPTCHA to prevent automated comments.
Who Uses the CAPTCHA?
- AOL - offered an audio alternative.
- Google - all of their services are tied into the CAPTCHA.
- Yahoo - invisible attempt at a work-around.
- Verio - no domain registration for you!
- MSN - blind music fans couldn’t vote at MSN Entertainment.
CAPTCHA’s Don’t Work!
Despite all of this, the W3C article shows that CAPTCHA provides only a false sense of security: in testing, optical character recognition software defeated the CAPTCHA on PHP- and ASP-based systems at rates of 88% to 100%. Many sites have published defeats of the CAPTCHA and outline specific ways to work around it.
Despite the high failure rate and the ability of automated spambots to defeat the CAPTCHA, it still seems to be the favored security method, all the while keeping out the actual users the applications are intended for.
CAPTCHA Options
The document goes on to explain alternative methods:
- Logic Puzzles - which software can still defeat
- Audio CAPTCHA - testing shows audio to be harder for users to make out than for software
- Limited Use Accounts - a band-aid
- Spam Filtering - a non-interactive solution that screens for “hot words” to disallow bots
- Heuristic Checks - again a non-interactive solution, but one that checks more information, such as IP address, pages visited and the user’s “footprint” compared against known bot behavior. Very cool ideas and technology in this category.
- Microsoft Identity Systems - I don’t know about you, but something like a user ID card or security code just sounds too “Big Brother-ish” to me, especially if it is created and offered by Microsoft.
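As an added example of the non-interactive “spam filtering” and “heuristic checks” options above (this is not code from the W3C note or from this post), the following Python screens comment submissions with a hot-word list plus per-IP rate, time-on-page, session footprint and user-agent checks; the thresholds, field names and sample submissions are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed spam vocabulary and thresholds; tune them for your own site.
HOT_WORDS = {"viagra", "casino", "free-money"}
MAX_POSTS_PER_IP = 3         # posts allowed per source address per window
MIN_SECONDS_ON_PAGE = 5.0    # humans rarely submit a form faster than this
KNOWN_BOT_UA = ("python-requests", "curl/")   # user-agent prefixes of scripted clients

@dataclass
class Submission:
    ip: str
    user_agent: str
    seconds_on_page: float   # time between page load and form POST
    pages_visited: int       # pages seen in this session before posting
    body: str

def spam_reasons(sub, posts_from_ip):
    """Return the heuristics the submission trips; an empty list means accept."""
    reasons = []
    words = {w.strip(".,!?").lower() for w in sub.body.split()}
    if words & HOT_WORDS:
        reasons.append("hot-word")       # the "spam filtering" check
    if posts_from_ip >= MAX_POSTS_PER_IP:
        reasons.append("rate")           # too many posts from one address
    if sub.seconds_on_page < MIN_SECONDS_ON_PAGE:
        reasons.append("too-fast")       # submitted faster than a person reads
    if sub.pages_visited == 0:
        reasons.append("no-footprint")   # POSTed without ever loading the blog
    if sub.user_agent.lower().startswith(KNOWN_BOT_UA):
        reasons.append("bot-ua")
    return reasons

def screen(submissions):
    """Screen submissions in arrival order; returns [(accepted, reasons), ...]."""
    seen = Counter()
    results = []
    for sub in submissions:
        reasons = spam_reasons(sub, seen[sub.ip])
        seen[sub.ip] += 1
        results.append((not reasons, reasons))
    return results

# Constructed sample traffic: a human comment, a scripted spam post, then four
# quick posts from one address, the last of which trips the rate rule.
SAMPLE = [
    Submission("203.0.113.5", "Mozilla/5.0", 42.0, 3, "Nice write-up, thanks!"),
    Submission("198.51.100.9", "python-requests/2.0", 0.4, 0, "Cheap viagra here"),
    *[Submission("198.51.100.20", "Mozilla/5.0", 12.0, 2, "Great post") for _ in range(4)],
]
```

Calling `screen(SAMPLE)` accepts the first human comment and the first three posts from the repeated address, and rejects the scripted post on four rules and the fourth repeat on the rate rule alone.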
While a little dry in places, this is a recommended read, especially if you are using a CAPTCHA on your site or blog to keep bots out and people in. It could be having the opposite effect from the one intended.