WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: reCAPTCHA

for

From: Rick Hill
Date: Jun 1, 2012 12:59PM

These other techniques mentioned so far (like those proposed by Jared) work well.

If you have a need for something like a CAPTCHA in addition, I have long advocated for a logic Turing test vs CAPTCHA. Since CAPTCHA's (visual or audio) are basically pattern recognition tests, the more sophisticated computer algorithms become at pattern recognition (like speech recognition and OCR), the CAPTCHA tools must present more difficult to recognize patterns until finally, humans can't read/understand them (but the computers can). In a Turing test, the user is presented with simple, text-based question questions that rquire cognition to interpret and undersatnd. Doesn't mean a computer couldn't be taught to interpret the questions (look at Jeopardy!). But it is effective for blocking most bad bots, is understanable by most all users (it is text after all and as long as the questions stay simple, shouldn't impose an issue for most folks with cognitive disabilities), and best of all, would use a simple text based database or even array to maintain. (where as CAPTCHA requires a vetted database of scanned images and audio). So, you could house the functionality locally on your servers. However, there is a t least one central service http://textcaptcha.com/

Example questions:

What is the sum of 2 plus 5?
Which is bigger, an ant or a whale?

More on the these and other techniques can be found at http://coding.smashingmagazine.com/2011/03/04/in-search-of-the-perfect-captcha/

There isn't a perfect solution. Probably best to to determine how important spam protection is for the given data/audience, weigh that against the impact on users, and determine what resources you have available to implement a given solution. The result is the "perfect" solution" for your need.
–––––––––––––––––––––––––––––––––––––––
Rick Hill, Web CMS Administrator
University Communications, UC Davis
(530) 752-9612
http://cms.ucdavis.edu
–––––––––––––––––––––––––––––––––––––––
Web CMS assistance at <EMAIL REMOVED> <mailto: <EMAIL REMOVED> >
–––––––––––––––––––––––––––––––––––––––


From: Stella Mudd < <EMAIL REMOVED> <mailto: <EMAIL REMOVED> >>
Reply-To: WebAIM Discussion List < <EMAIL REMOVED> <mailto: <EMAIL REMOVED> >>
Date: Friday, June 1, 2012 11:34 AM
To: WebAIM Discussion List < <EMAIL REMOVED> <mailto: <EMAIL REMOVED> >>
Subject: Re: [WebAIM] reCAPTCHA

This is all great info. I'm going to begin compiling a list of effective
techniques for various security needs. I have procured the domain name
www.nocaptcha.org where I would like to provide this information and a
whole lot more. If anyone is interested in pitching in or helping to get
some funding to provide something special in terms of design, info,
examples, consulting, etc., I'm up for any suggestions. Shoot me an
e-mail. Cheers.

-Stella

On Fri, Jun 1, 2012 at 11:09 AM, Jared Smith < <EMAIL REMOVED> <mailto: <EMAIL REMOVED> >> wrote:

On Fri, Jun 1, 2012 at 12:03 PM, J. B-Vincent wrote:
> Here's a longish article about strategies for CAPTCHA-free spambot
protection from yesterday's Etre newsletter.

We have a list of similar and more extensive recommendations on our
site at http://webaim.org/blog/spam_free_accessible_forms/

For our forms, we do three simple things:
1. A short "naughty word" list. Form data containing these words are
not submitted.
2. A honeypot - a hidden (also to screen reader users) text field
after the submit button. If it contains content, the message is not
submitted.
3. Basic time detection. We log the time the form is opened and the
time it is submitted. If the difference is less than 3 seconds or more
than 40 minutes, it is not submitted.

These three things have cut the automated spam on our online forms
from several thousand per month to 2-3 per month, most of which are
probably human spammers.

Jared