WebAIM - Web Accessibility In Mind

E-mail List Archives

Thread: Captchas

for

Number of posts in this thread: 8 (In chronological order)

From: Tim Harshbarger
Date: Wed, Sep 20 2006 12:50PM
Subject: Captchas
No previous message | Next message →

Debbie,

All I can offer is the opinion of someone who uses both a screen reader
and screen magnifier. I tend to use the screen reader the majority of
the time and the screen magnifier only when I have to do so.

This summer I tried using Ticket Master to purchase tickets to attend
some of the plays at our local Shakespeare festival. It was very
frustrating.

I personally don't like the approach that requires me to fill out a form
and wait for someone to contact me or that requires me to call someone
so I can access their site.

Imagine how useful people would think the internet is if they had to
call the site owner or wait for the site owner to call them in order to
gain access to a new site.

SO, by now, you probably guessed correctly that I tried using screen
magnification. Also, by that point, I was becoming very bull-headed.
Between 1.5 and 2 hours later, I managed that was just clear enough to
let me guess the right answer. Probably, not the best use of my
evening. However, by that point, I wanted to find out how accessible the
rest of the application was. That is a hazard of this kind of work.

I believe Christian is right that there is no completely satisfactory
answer. Even if one just focuses on the user (forget the bot issues
that captcha is supposed to solve,) each solution by itself proves to be
inaccessible to some other group of users. So, if you have to use
captcha, you may not find a 100% solution.

Tim




From: Christian Heilmann
Date: Wed, Sep 20 2006 1:00PM
Subject: CAPTCHAS [was] Re:? I don't even know what subject headingto put for this question :)
← Previous message | Next message →

> If you've been on Ticketmaster or similar sites, you have seen the box with
> a word, letters/numbers, etc. used to keep people from using automated
> programs to block other users. On the Ticketmaster site, there is a 'can't
> see the word' link that directs the user in ordering if they are using a
> screen reader. My coworker has also seen some that are adding an audio
> equivalent of the word, etc. What is the recommended way to incorporate
> this technology so it is accessible? We have found that we have a need for
> it in one area of our site.

They are called CAPTCHAS and there is no real accessible alternative
at the moment. There are some options, but the big issue is weighing
accessibility and hackability...

I've posted about that quite a while ago and got some good comments:
http://wait-till-i.com/index.php?p=203


--
Chris Heilmann
Book: http://www.beginningjavascript.com
Blog: http://www.wait-till-i.com
Writing: http://icant.co.uk/




From: Paul Bennett
Date: Wed, Sep 20 2006 3:10PM
Subject: RE: Captchas
← Previous message | Next message →

Thanks for your feedback Tim,

It's great to hear the experience of someone who uses screen reader and screen magnification software.

I noticed on this page:
http://www.gr0w.com/articles/work/scooch_slide_show_11/index.php
that the site owners use a plain text option as their security question.

Does this strike a better balance between security and usability? If so I'll consider using it on our site, as the spam bots are starting to discover us too...

Paul




From: Darrel Austin
Date: Wed, Sep 20 2006 4:40PM
Subject: Re: CAPTCHAS [was] Re:? I don't even know what subjectheading to put for this question :)
← Previous message | Next message →


On Sep 20, 2006, at 1:02 PM, Christian Heilmann wrote:

>> We have found that we have a need for
>> it in one area of our site.


Do you REALLY need it?

These are not only often accessible, but usually hard to use and just
plain annoying.

I was helping my father set up a Flickr account the other month and
between the two of us, we had to guess at 4 separate captchas before
we finally got it right.

Just be sure that IF you are using them you have run out of all other
options. Annoying the end-user should always be a last resort.

-Darrel







From: Jared Smith
Date: Wed, Sep 20 2006 5:10PM
Subject: Re: CAPTCHAS [was] Re:? I don't even know whatsubject heading to put for this question :)
← Previous message | Next message →

Darrel Austin wrote:
> Just be sure that IF you are using them you have run out of all other
> options. Annoying the end-user should always be a last resort.

Amen!

For 99% of sites, there are many things you can do instead of implementing CAPTCHAs. Is the problem
that bots are simply submitting data, such as spam messages, into your forms? Or are they actually
trying to establish an account or your specific site data in an automated way?

Most of the problems that folks encounter are bots that inject data into your form processing
scripts. They do this to spam you and annoy you, or in the hopes that your site will display a link
to their site, thus boosting their Google ranking and potentially bringing more traffic. Most of the
time, this can be avoided by checking page referers (to ensure the form data is coming from your own
site), parsing form data for suspicious spam-like content, and perhaps flagging against a list of
blacklisted words.

The following few lines of PHP code are used to flag about 90% of the form spam on our site:

if ( preg_match( "/bcc:|cc:|multipart|<a|[url|Content-Type:/i", implode($_POST ) ) ){
$spam=TRUE;
}

There is also the option of less intrusive, relatively easy tests to ensure the user is a human,
such as logical puzzles...

Enter the word "human" into the text box.
or
What color is a red rose?

While these types of test receive some criticism for requiring some cognitive processing and load,
most anyone that comes to and understands your site, knows what a form is, and can complete/submit
it, will probably be able to handle such questions. This does not, however, mean that you SHOULD use
them. And these types of tests can be easily bypassed if someone is targeting your site
specifically, but the chances of low-life spammers taking the time is very slim.

But if you do have a site that has the potential of being specifically targeted for form automation
(like Flickr, Yahoo, etc.), then the solutions become much more limiting. These are the situations
that CAPTCHAs were designed for (NOT for things like blog comments or contact forms). And there's a
fair amount of work out there on accessible implementations and alternatives for these graphical
CAPTCHAs.

But as Darrel says, it should take a VERY strong argument for you to want to annoy and discomfort
your users in this way.

Jared Smith
WebAIM.org





From: Tim Harshbarger
Date: Thu, Sep 21 2006 6:10AM
Subject: RE: Captchas
← Previous message | Next message →

>I noticed on this page:
>http://www.gr0w.com/articles/work/scooch_slide_show_11/index.php
>that the site owners use a plain text option as their security
>question.
>
>Does this strike a better balance between security and
>usability? If so I'll consider using it on our site, as the
>spam bots are starting to discover us too...

Paul,

I think that approach would work better for me personally. However, I
would be unwilling to assume my personal preferences equate to great
accessible design for everyone else. My good friends in the field of
Human-Computer Interaction at least managed to teach me that much. If
there is any way you could have actual users of your site try it out,
that would probably give you a much clearer picture.

I think Jared makes some great suggestions. It is very important to
define the problem well before seeking potential solutions. I have
experienced a few problems that seemed unsolvable that were easily
resolved once we took the time to go back and better define the problem
we wanted to address. It might be that a captcha is unnecessary to
solve the problem with which you are dealing.

Darrel also makes a good point about not annoying the users.
Interestingly, every article I have read about captchas (that did not
focus on accessibility) tends to discuss the advantages and
disadvantages from a site owner's or developer's point of view. I don't
think I recall any of those articles taking a user perspective or
discussing how captcha might impact a site's user base.

Tim




From: Moore, Michael
Date: Thu, Sep 21 2006 7:30AM
Subject: RE: CAPTCHAS [was] Re:? I don't even know whatsubjectheading to put for this question :)
← Previous message | Next message →

Captcha's are actually pretty useless, at least in my own opinion. They
are suppose to be a type of Turing Test, but actually can be defeated by
automated means. Methods of defeating them are probably improving in the
spamming community. For one example see http://sam.zoy.org/pwntcha/.
Using an auditory substitute does not guarantee either accessibility or
the inability to defeat the captcha using an automated system. Finally,
if you wanted to defeat captcha to create a large number of accounts to
use for spamming, you could probably contract it out and pay a few folks
to create the accounts for a couple of days. The international labor
market would make this a rather inexpensive proposition, possibly as low
as $0.01 US per 1000. Don't quote me on the price, I haven't actually
solicited a bid for the service.

In general, I don't really feel that Turing Tests are a good method of
providing site security. Each method that I have seen has both security
problems and accessibility issues. By the time you have provided enough
alternatives to deal with all of the potential accessibility issues, and
still managed to maximize the security, you have likely already blow
both your project budget and your project time line. If you really need
the type of security that you hope to get from a captcha, using email
responses, or another even more secure method of account creation
probably more effect both for accessibility and security. If your just
trying to prevent comment spam on your blog use a filter or moderate the
comments.

That's my two cents anyway.

Mike

From: Phil Teare
Date: Thu, Sep 21 2006 12:00PM
Subject: Re: CAPTCHAS [was] Re:? I don't even know whatsubjectheading to put for this question :)
← Previous message | No next message

I agree that Captcha's are not a way to secure anything. But in practice
they do keep the spamming down to bareable levels in most situations.

An interesting thought is that audio snippets could possibly be easier to
recognise with a speech rec enabled app than OCRing the Captcha. Unless
that were overlaid with some background noise. But then you get to the point
were many users will not be able to recognise it either.

hmmm...

Phil

*http://*www.Textic.com


On 21/09/06, Moore, Michael < = EMAIL ADDRESS REMOVED = > wrote:
>
> Captcha's are actually pretty useless, at least in my own opinion. They
> are suppose to be a type of Turing Test, but actually can be defeated by
> automated means. Methods of defeating them are probably improving in the
> spamming community. For one example see http://sam.zoy.org/pwntcha/.
> Using an auditory substitute does not guarantee either accessibility or
> the inability to defeat the captcha using an automated system. Finally,
> if you wanted to defeat captcha to create a large number of accounts to
> use for spamming, you could probably contract it out and pay a few folks
> to create the accounts for a couple of days. The international labor
> market would make this a rather inexpensive proposition, possibly as low
> as $0.01 US per 1000. Don't quote me on the price, I haven't actually
> solicited a bid for the service.
>
> In general, I don't really feel that Turing Tests are a good method of
> providing site security. Each method that I have seen has both security
> problems and accessibility issues. By the time you have provided enough
> alternatives to deal with all of the potential accessibility issues, and
> still managed to maximize the security, you have likely already blow
> both your project budget and your project time line. If you really need
> the type of security that you hope to get from a captcha, using email
> responses, or another even more secure method of account creation
> probably more effect both for accessibility and security. If your just
> trying to prevent comment spam on your blog use a filter or moderate the
> comments.
>
> That's my two cents anyway.
>
> Mike
>
>