Are you human? For most of you, hopefully, the answer is yes. Throughout the years, CAPTCHA has provided us with a number of ways to answer the same question. Why? Well, the answer is in the question: to make sure that you are a living, breathing, real human being. Why would a website want to verify this? To prevent spam, of course.
Since the dawn of the internet, spammers have created, used, and sold automated software programs to do their dirty work. Your average spammer is a pretty busy guy; he can’t be bothered to actually take the time to type out a blog comment, forum post, and/or status update to explain the benefits of Viagra to you. No, no… his schedule is much too hectic.
CAPTCHA forms, originally developed by Carnegie Mellon researchers and professors in 2000, provided webmasters with a solution to the spam that plagued their sites. By generating an image containing a string of random, warped characters, CAPTCHA forms stopped automated spam bots in their tracks… for a time, at least.
Spammers, being the innovative people that they are, quickly adapted their automation software to bypass their new nemesis. How? By programming their software to remove a CAPTCHA’s background, separate and identify individual characters, and ultimately type in the displayed character string — in effect, completely bypassing the CAPTCHA.
Spam, without a doubt, makes for a negative visitor experience on any given website. CAPTCHAs, while often effective in fighting spam, are also an annoyance for visitors. The struggle to make CAPTCHAs the lesser of two evils has resulted in multiple iterations of CAPTCHA forms. Let’s take a look at how developers have attempted to balance user-friendliness with site security over the years, starting at the beginning.
Early and “Improved” CAPTCHAs
Early CAPTCHAs used the EZ-Gimpy program to generate and display the warped character strings we’ve all come to know and love. Yahoo used these early iterations of CAPTCHA, which were effective at the time, to prevent automated account creation. Realizing the imperfections in early CAPTCHAs, developers later moved to “improved” CAPTCHAs to provide a more user-friendly and secure form. These improvements included higher contrast for increased readability, and varying fonts between characters for enhanced security. While these were definite improvements at the time, this variety of CAPTCHA also proved to be easily crackable.
Moving forward, modern CAPTCHAs focused less on background noise, and more on making the individual characters harder to separate. This was accomplished by striking an angled line through the character string, making it exceptionally more difficult for automated bots to segment and identify characters. One of the most common versions of modern CAPTCHAs is Google’s reCAPTCHA. While this renders simple spam software useless, advanced programs can still bypass these forms with moderate success rates.
As you might assume by their name, animated CAPTCHAs display the standard CAPTCHA text string in an animation. Being an animated GIF, the image contains multiple frames that (when combined) display in a fashion that is easily readable by humans. These CAPTCHAs attempt to increase security by spreading the characters out over multiple frames, never displaying letters in the same frame. This makes it more difficult to crack, but hardly impossible. Spammers can break these CAPTCHAs with relative ease, and as a result, animated CAPTCHAs are rarely used.
Using various characters to form a visual display of a random text string, ASCII CAPTCHAs attempt to fool automated software. While this is sound in theory, it is not very effective in practice. Not only can ASCII CAPTCHAs be bypassed by bots, they have also proven confusing to site visitors.
Another tricky type of CAPTCHA is the reverse CAPTCHA. Attempting to use “reverse psychology” on automated spam programs, reverse CAPTCHAs ask visitors to leave the CAPTCHA field blank. Again, while this may sound good in theory, its effectiveness is marginal and may be confusing to the less than savvy web surfer.
Image Recognition CAPTCHAs
Essentially reinventing the standard character string that has defined CAPTCHAs from the start, image recognition CAPTCHAs ask users to identify a specific image within an image gallery. Using a command such as, “Click the cat,” humans are able to easily pass through the CAPTCHA without typing anything in. Image recognition CAPTCHAs are a definite improvement not only in usability, but also in security. Because image CAPTCHAs, such as the ones being provided by Confident CAPTCHA, use a dynamic gallery of images and questions, cracking these forms is nearly impossible (for the time being, at least). Although this is an obvious improvement over traditional forms, you better believe that the companies providing image recognition CAPTCHAs are cashing in on the recent trend of CAPTCHA advertising.
There are a couple of ways that 3D CAPTCHAs have been used as a solution to spam. Early versions were formed by raising a text string out of a distorted background, creating a three-dimensional effect. This type of CAPTCHA was often used in the past, but hasn’t seen much use lately. Recently, 3D CAPTCHAs have taken on a new form, similar to image recognition CAPTCHAs. This variety of 3D CAPTCHA shows the visitor an image containing 3D objects, and asks users to identify the objects from a gallery of images. Some forms of 3D CAPTCHAs give users a 3D image and ask them to identify specific portions of it using corresponding letter labels. Though this is a highly secure form of CAPTCHA, it is also a major annoyance, making it impractical for widespread use.
Problem Solving CAPTCHAs
Depending on the approach taken when using a problem solving CAPTCHA, their security can either be highly effective, or virtually useless. A simple problem solving CAPTCHA may ask a question such as, “What is 2 + 2?” in text. While this is (hopefully) easy for most humans to figure out, it’s not much of a struggle for computers either. If you need proof, go ahead and open up your Windows calculator.
More complex problem solving CAPTCHAs, however, prove to be the most secure measure to take in preventing spam. An image containing a complex algebra equation would require the automation software to segment the individual numbers, letters, and symbols, identify them, and calculate the equation. This goes beyond simple addition or subtraction problems. In reality, if a website is using a CAPTCHA similar to this, the programmer behind the bot is most likely going to rule out your site as a waste of time as opposed to adapting their software to bypass it.
Problem solving CAPTCHAs can take on nearly any form imaginable from a question like, “What color is the sky?” to complex algebraic equations to word puzzles. The problem with these problem solving CAPTCHAs is that if the problem is too simple, it is easily cracked by spamming software. If the problem is too complicated, 99 percent of people confronted with the CAPTCHA are going to decide that it’s not worth the time or energy to leave a comment or make an account on the forum, blog, or any other kind of website using it.
Making the perfect CAPTCHA all boils down to creating the perfect balance between security and user-friendliness. There is a wide variety of CAPTCHA forms because not a single type has got it right just yet. In fact, it may be impossible to obtain the ideal balance of spam protection and usability. With services like Decaptcher that provide spammers with dedicated human CAPTCHA solvers (what a terrible job), spammers can essentially bypass any CAPTCHA that they please, for a price of course.
If you ask me, the best form of CAPTCHA currently available is of the image recognition variety. Yes, spammers can still bypass these CAPTCHAs by outsourcing the “work” to a CAPTCHA solver overseas, but at this time, software alone cannot crack them. Besides, at least you have the comfort of knowing the spammers are paying for their annoying male enhancement comments out of their own pocket.
Security aside, image recognition CAPTCHAs provide the best user experience. No longer will you or I be forced to lean forward in our chair to decipher and type out a nonsensical string of text to prove our humanity. The obvious downside, of course, is the fact that advertisements will be displayed within the dynamic image gallery. Is it worth the tradeoff?
Security can be tested, but measures of usability vary from person to person. What kind of CAPTCHA do you prefer?