E-mail List Archives

RE: CAPTCHAS [was] Re:? I don't even know what subjectheading to put for this question :)


From: Moore, Michael
Date: Sep 21, 2006 7:30AM

Captchas are actually pretty useless, at least in my own opinion. They
are supposed to be a type of Turing Test, but actually can be defeated by
automated means. Methods of defeating them are probably improving in the
spamming community. For one example see http://sam.zoy.org/pwntcha/.
Using an auditory substitute does not guarantee either accessibility or
the inability to defeat the captcha using an automated system. Finally,
if you wanted to defeat captcha to create a large number of accounts to
use for spamming, you could probably contract it out and pay a few folks
to create the accounts for a couple of days. The international labor
market would make this a rather inexpensive proposition, possibly as low
as $0.01 US per 1000. Don't quote me on the price, I haven't actually
solicited a bid for the service.

In general, I don't really feel that Turing Tests are a good method of
providing site security. Each method that I have seen has both security
problems and accessibility issues. By the time you have provided enough
alternatives to deal with all of the potential accessibility issues, and
still managed to maximize the security, you have likely already blown
both your project budget and your project timeline. If you really need
the type of security that you hope to get from a captcha, using email
responses, or another even more secure method of account creation, is
probably more effective both for accessibility and security. If you're just
trying to prevent comment spam on your blog use a filter or moderate the

That's my two cents anyway.


-----Original Message-----
[mailto: <EMAIL REMOVED> ] On Behalf Of Darrel Austin
Sent: Wednesday, September 20, 2006 5:32 PM
To: WebAIM Discussion List
Subject: Re: CAPTCHAS [was] Re:? [WebAIM] I don't even know what
subjectheading to put for this question :)

On Sep 20, 2006, at 1:02 PM, Christian Heilmann wrote:

>> We have found that we have a need for it in one area of our site.

Do you REALLY need it?

These are not only often accessible, but usually hard to use and just
plain annoying.

I was helping my father set up a Flickr account the other month and
between the two of us, we had to guess at 4 separate captchas before we
finally got it right.

Just be sure that IF you are using them you have run out of all other
options. Annoying the end-user should always be a last resort.

