WebAIM - Web Accessibility In Mind

E-mail List Archives

RE: CAPTCHAS [was] Re:? I don't even know what subject heading to put for this question :)

From: Moore, Michael
Date: Sep 21, 2006 7:30AM


Captchas are actually pretty useless, at least in my own opinion. They
are supposed to be a type of Turing Test, but actually can be defeated by
automated means. Methods of defeating them are probably improving in the
spamming community. For one example see http://sam.zoy.org/pwntcha/.
Using an auditory substitute does not guarantee either accessibility or
the inability to defeat the captcha using an automated system. Finally,
if you wanted to defeat captcha to create a large number of accounts to
use for spamming, you could probably contract it out and pay a few folks
to create the accounts for a couple of days. The international labor
market would make this a rather inexpensive proposition, possibly as low
as $0.01 US per 1000. Don't quote me on the price, I haven't actually
solicited a bid for the service.

In general, I don't really feel that Turing Tests are a good method of
providing site security. Each method that I have seen has both security
problems and accessibility issues. By the time you have provided enough
alternatives to deal with all of the potential accessibility issues, and
still managed to maximize the security, you have likely already blown
both your project budget and your project timeline. If you really need
the type of security that you hope to get from a captcha, using email
responses, or another even more secure method of account creation, is
probably more effective both for accessibility and security. If you're just
trying to prevent comment spam on your blog, use a filter or moderate the
comments.

That's my two cents anyway.

Mike