E-mail List Archives

Re: Plug and play alternatives to captcha

for

From: Aaron Cannon
Date: Apr 17, 2008 1:50PM


If I am not mistaken, the ATM does not "read" the hand writing as such. It simply stores a digital image of it for the banks records.

However, this captcha issue has been bothering me for some time. There _must_ be a way for a computer to tell humans and computers apart, without relying on any of the physical senses of sight or hearing. I just can't for the life of me think of what it could be.

The solutions offered so far all either require the use of hearing, or aren't true captchas. I, for example, would argue that a system that randomly asks simple questions is not a true captcha, because when all is said and done, it is not the computer asking the questions. It is a human asking the questions through the computer. It is my belief that for a system to be a true captcha, the question has to be generated by the computer. Likewise, for the system to be a good captcha, the probability of getting the right answer through random guessing must be very small, and the question pool must be astronomically large. In short, we have to figure out a way for the computer to ask millions of questions that it can't answer but that a human of average to low intelligence and only the ability to read can answer. Obviously, not a small challenge, and potentially impossible, though I tend to doubt the latter.

The other problem with the offered solutions, aside from good audio captcha, is the problem of crackability. Current captchas are by no means perfect, but they are at least difficult to crack. The same, sadly, can not be said for the offered solutions. As has been mentioned, this is not a problem for the smaller sites, but what's a big name site to do? Big name = big target, and some times, some sort of captcha is the only viable option.

Aaron


>>> "Randall Pope" < <EMAIL REMOVED> > 4/17/2008 1:36 PM >>>

Mike,

Thank for the lanais of re-captcha. Being deaf-blind myself, you're quite
right it's very inaccessible. Even the low vision will have problem reading
or listen to any captcha.

Another thought: If the ATMs at the local banks are able to scan and read
the handwriting on the checks being deposit, I would have to assume the
today's scanners will read the captcha writing as well. With that
assumption I would say that Jared's approach would be the best route.

Randy Pope who is deaf-blind

-----Original Message-----
From: <EMAIL REMOVED>
[mailto: <EMAIL REMOVED> ] On Behalf Of Moore, Michael
Sent: Thursday, April 17, 2008 12:11 PM
To: WebAIM Discussion List
Subject: Re: [WebAIM] Plug and play alternatives to captcha

Jared,

Thanks for your suggestions, you are preaching to the choir. I would
much prefer that the agency avoids the use of CAPTCHA all together but I
don't think that I am going to win that argument. In the mean time I
will test your suggestions.

I just tested re-captcha and found that though it "works" I still have
some serious concerns.

1. The only options are visual or audio challenges. Deaf/Blind are
excluded.
2. The audio challenge requires the listener to remember 8 numbers which
are announced over a background of conversation noise. In a quick
experiment with two highly proficient JAWS users we recorded a 50%
failure rate with 6 tries per user. Part of the problem was getting JAWS
to shut up at the beginning of the audio file but even after the users
knew what to expect the failures continued. Both users failed on their
first attempt. This method also poses concerns for people who have
cognitive disabilities in addition to blindness. This is not an uncommon
combination, I know two individuals who lost their vision due to head
injuries.

Mike



-----Original Message-----
From: <EMAIL REMOVED>
[mailto: <EMAIL REMOVED> ] On Behalf Of Jared Smith
Sent: Thursday, April 17, 2008 9:02 AM
To: WebAIM Discussion List
Subject: Re: [WebAIM] Plug and play alternatives to captcha

On Thu, Apr 17, 2008 at 7:38 AM, Moore, Michael
< <EMAIL REMOVED> > wrote:
>
> Captcha is raising its ugly head here again so I am searching for a
> plug and play alternative to the usual inaccessible distorted letters

> that are available in most modules. I have code examples of
> alternative ways of accomplishing this but my customers are looking
> for an off the shelf solution that they can just add to the form
mail.

Here are a few options:

http://system-x.info/?pageid=18&;menutree=47

http://green-beast.com/blog/?p=128

http://www.purple-dogfish.co.uk/free-stuff/accessible-captcha

*All* CAPTCHAs can be broken. Even the most complex, inaccessible ones
at Yahoo and Google are being bypassed now. The question you have to ask
is, "would anyone dedicate a lot of time to implement a system for
bypassing my CAPTCHA?" If the answer is "no", then you don't even need
to implement CAPTCHA at all. If the problem is spam from a web form,
CAPTCHA *is not* the best solution.

By implementing just a couple of the simple, back-end techniques I wrote
about at http://www.webaim.org/blog/spam_free_accessible_forms/
you can get rid of probably 99.9% of bot submissions. While someone
could get around all of these techniques (and indeed any CAPTCHA,
particularly the "accessible" ones",) they probably are not likely to
spend the time to do so just to send you a bit of spam. For the many
sites on which I have implemented this approach, the spam has been
reduced to at most a few per year - and those are almost certainly human
spammers.

Jared Smith
WebAIM