WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: CAPTCHA Question

for

From: Nelson-Brooks, Carolyn
Date: Apr 6, 2010 12:57PM

Yea!!! I'm all for burying CAPTCHA IN ANY COFFIN!


-----Original Message-----
From: <EMAIL REMOVED>
[mailto: <EMAIL REMOVED> ] On Behalf Of John Foliot
Sent: Friday, April 02, 2010 11:38 AM
To: 'WebAIM Discussion List'
Subject: Re: [WebAIM] CAPTCHA Question

Moore,Michael wrote:
>
> Personally I would like to see visual and audio captcha eliminated
> entirely.

Hi All,

Last week, while attending CSUN, I more than once brought up the topic
of
CAPTCHA, laughingly saying that we should solve the problem by Sunday.
(I
was fuzzy on *which* Sunday, but it got the discussion rolling...)

In seriousness though, to eliminate CAPTCHA, an alternative must be
presented to replace the need for CAPTCHA - to thwart spam-bots. I
chatted
up the idea of using OpenID (http://openid.net/) as a replacement for
CAPTCHA, and overall the reception I received was generally positive.
Increasingly, we are all gathering up at least one OpenID 'key', which
can
be used to log into a myriad of sites already: OpenId keys/providers
include Google (Gmail, GoogleDocs, etc.), Yahoo!, Flickr, MySpace,
Facebook, WordPress, AOL, Verisign and Six Apart to name but a few.
Given
this impressive list of high-profile providers, penetration of OpenID
keys
*should* be pretty good already (although getting stats on this is
virtually impossible).

Those of us who've spent any time looking at the CAPTCHA issue know that
as far as security is concerned, CAPTCHAs are the equivalent to those
cheap little locks we can buy for our suitcases - they keep the cases
closed, but not much more; one swift knock with a hammer and they are
done. CAPTCHA's can be deciphered by low-wage humans in locations such
as
India, China and parts of Africa, and 'cracked' CAPTCHAs are now being
provided by bots as well
(http://arstechnica.com/security/news/2008/04/gone-in-60-seconds-spambot
-c
racks-livehotmail-captcha.ars)

I believe that what we need to do is 'encourage' sites that are using
CAPTCHAs to *also* provide access to the _whatever_ using EITHER the
CAPTCHA or an OpenID. The key here is to get some critical mass behind
the idea, to have everyday site owners start to ask themselves if using
something other than, or in tandem with, CAPTCHA is something that they
should consider. If enough people ask, they will begin to consider it
seriously. (I hopefully planted this idea in the minds of some well
placed
Googlers, Google being the current folks behind the reCAPTCHA service)

I want to follow up on this more, but currently am swamped with other
stuff that is more pressing. However, if somebody wants to run with the
ball, that would be cool. If you are too busy to do much, consider as a
minimum that the next time you encounter a CAPTCHA that you take the 30
seconds it will take to email (or use the form/comment box) to ask the
site owner who forced you through that hell to consider offering OpenID
sign-in _along with_ the CAPTCHA. Every tidal wave starts with the
first
drop of water, so collectively we need to do this together.

Tweet the idea, pass this email on to friends, relatives, colleagues and
anyone else you can think of.

Let's bury CAPTCHAs in the same coffin as IE6 - we can do it!

JF