WebAIM - Web Accessibility In Mind

E-mail List Archives

Thread: CAPTCHA

for

Number of posts in this thread: 11 (In chronological order)

From: Tim Harshbarger
Date: Wed, Nov 05 2014 4:55AM
Subject: CAPTCHA
No previous message | Next message →

I appreciate this potential CAPTCHA solution being shared. I also think it is important to understand what the potential shortcomings of any particular solution might be. In this case, it sounds like this solution doesn't address the needs of users who are deaf-blind. Is that correct?

I think that brings up an interesting question that might be useful to discuss here for the edification of everyone.

Are there accessibility solutions for CAPTCHA's that work specifically well for users who are deaf-blind? Are there solutions that be combined with other accessibility solutions to try to improve the accessibility/usability disaster that CAPTCHAs seem to create? What kind of real world success have people had trying to solve the CAPTCHA accessibility problem? How many different ways can we solve this kind of problem?

I understand that there is good information on why CAPTCHA's shouldn't be used at all. Unfortunately, I suspect many accessibility advocates and experts run into the situation where we can't persuade people to drop CAPTCHA. So, when we are stuck with a bad situation, what can we do to make the best out of it?

Any thoughts?


From: Birkir R. Gunnarsson
Date: Wed, Nov 05 2014 5:09AM
Subject: Re: CAPTCHA
← Previous message | Next message →

Greetings all!

Speaking for myself, I certainly appreciate all efforts in this space,
so if people misconstrued my wondering aloud about the remaining
challenges, that was not my intension.
My main point is that CAPTCHAs are one of the most difficult problems
to solve in accessibility and I value any attempt at doing so.

Being over-analytical is not always a good thing.

Cheers
-B


On 11/5/14, Tim Harshbarger < = EMAIL ADDRESS REMOVED = > wrote:
> I appreciate this potential CAPTCHA solution being shared. I also think it
> is important to understand what the potential shortcomings of any particular
> solution might be. In this case, it sounds like this solution doesn't
> address the needs of users who are deaf-blind. Is that correct?
>
> I think that brings up an interesting question that might be useful to
> discuss here for the edification of everyone.
>
> Are there accessibility solutions for CAPTCHA's that work specifically well
> for users who are deaf-blind? Are there solutions that be combined with
> other accessibility solutions to try to improve the accessibility/usability
> disaster that CAPTCHAs seem to create? What kind of real world success have
> people had trying to solve the CAPTCHA accessibility problem? How many
> different ways can we solve this kind of problem?
>
> I understand that there is good information on why CAPTCHA's shouldn't be
> used at all. Unfortunately, I suspect many accessibility advocates and
> experts run into the situation where we can't persuade people to drop
> CAPTCHA. So, when we are stuck with a bad situation, what can we do to make
> the best out of it?
>
> Any thoughts?
>
>
>

From: Mallory van Achterberg
Date: Wed, Nov 05 2014 6:27AM
Subject: Re: CAPTCHA
← Previous message | Next message →

> On 11/5/14, Tim Harshbarger < = EMAIL ADDRESS REMOVED = > wrote:
> > Are there accessibility solutions for CAPTCHA's that work specifically well
> > for users who are deaf-blind? Are there solutions that be combined with
> > other accessibility solutions to try to improve the accessibility/usability
> > disaster that CAPTCHAs seem to create? What kind of real world success have
> > people had trying to solve the CAPTCHA accessibility problem? How many
> > different ways can we solve this kind of problem?

The "best" ways I have found are unfortunate for many webmasters
because the "best" solution seems to be a combination of many
things: honeypots *and* timers *and* IP-range-blocking *and*
human moderation at some level.

I think it was Karl Groves who posted a whole list of his arsenal...
http://www.karlgroves.com/2012/04/03/captcha-less-security/

Which, the questions then remain:
- These have been effective for Karl, but would they work equally
well for larger or higher-traffic sites?
- How to bundle all these things into a single simple implementation
(the reason anyone uses CAPTCHA at all is because it's a single
programmatic thing one can add to a form)... if it's not easy or
takes more resources, it won't be implemented (much)

The largest question in my mind is, how do we separate legitimation
from human-ness? Spammers are humans and illigitimate, scripts and
bots are not human and sometimes legitimate. This is where CAPTCHA
fails, on top of incidentally blocking real and legitimate humans
who miss something which, honestly, is not uniquely human or necessary
to define "human".
Multi-auth might be one way, though then we're imposing hardware
limitations (for example, my phone can't recieve SMS, and I'm not
the sole weirdo, and email validation can be subject to filters and
SMTP issues).

_mallory

From: Sailesh Panchang
Date: Wed, Nov 05 2014 6:53AM
Subject: Re: CAPTCHA
← Previous message | Next message →

Please remember the informative guidance in the first para of WCAG 2.0:
"Although these guidelines cover a wide range of issues, they are not
able to address the needs of people with all types, degrees, and
combinations of disability."
A similar statement was present in WCAG 1.
So one tries to do the best and push accessible solutions as best as
one can in the circs. of the context / environment.
Regards,
Sailesh


On 11/5/14, Mallory van Achterberg < = EMAIL ADDRESS REMOVED = > wrote:
>> On 11/5/14, Tim Harshbarger < = EMAIL ADDRESS REMOVED = > wrote:
>> > Are there accessibility solutions for CAPTCHA's that work specifically
>> > well
>> > for users who are deaf-blind? Are there solutions that be combined
>> > with
>> > other accessibility solutions to try to improve the
>> > accessibility/usability
>> > disaster that CAPTCHAs seem to create? What kind of real world success
>> > have
>> > people had trying to solve the CAPTCHA accessibility problem? How many
>> > different ways can we solve this kind of problem?
>
> The "best" ways I have found are unfortunate for many webmasters
> because the "best" solution seems to be a combination of many
> things: honeypots *and* timers *and* IP-range-blocking *and*
> human moderation at some level.
>
> I think it was Karl Groves who posted a whole list of his arsenal...
> http://www.karlgroves.com/2012/04/03/captcha-less-security/
>
> Which, the questions then remain:
> - These have been effective for Karl, but would they work equally
> well for larger or higher-traffic sites?
> - How to bundle all these things into a single simple implementation
> (the reason anyone uses CAPTCHA at all is because it's a single
> programmatic thing one can add to a form)... if it's not easy or
> takes more resources, it won't be implemented (much)
>
> The largest question in my mind is, how do we separate legitimation
> from human-ness? Spammers are humans and illigitimate, scripts and
> bots are not human and sometimes legitimate. This is where CAPTCHA
> fails, on top of incidentally blocking real and legitimate humans
> who miss something which, honestly, is not uniquely human or necessary
> to define "human".
> Multi-auth might be one way, though then we're imposing hardware
> limitations (for example, my phone can't recieve SMS, and I'm not
> the sole weirdo, and email validation can be subject to filters and
> SMTP issues).
>
> _mallory
> > > >

From: Andrews, David B (DEED)
Date: Wed, Nov 05 2014 9:12AM
Subject: Re: CAPTCHA
← Previous message | Next message →

Well, many of the solutions out there are not accessible to deaf-blind persons. In particular anything using audio.

The systems that involve text, that is they ask a question to which you type in a response, such as what is two plus two? Would be accessible.

Dave



From: deborah.kaplan
Date: Wed, Nov 05 2014 9:33AM
Subject: Re: CAPTCHA
← Previous message | Next message →

Anything simple and straightforward enough to not have cognitive accessibility problems can honestly be solved by computer. Simple arithmetic questions written in English can be trivially parsed by a spambot. The only reason these work now is that they are so rare that it is not worth the spammers' while to defeat them, but if we ever succeed in convincing people these systems should be widespread, it's easy enough to write code that beats them.

It's like how park rangers have discovered that there is no kind of trashcan simple enough for humans that is too complicated for bears. Except in this case "bears" means "spammers."

Ultimately we need to make the various other solutions (e.g. honeypot, etc.) easy enough to implement that people stop using capture altogether, because there simply is not an accessible solution.

Deborah Kaplan

On Wed, 5 Nov 2014, Andrews, David B (DEED) wrote:

> The systems that involve text, that is they ask a question to which you type in a response, such as what is two plus two? Would be accessible.

From: Bourne, Sarah (ITD)
Date: Thu, Nov 06 2014 7:47AM
Subject: Re: CAPTCHA
← Previous message | Next message →

Here is one of my favorite articles about CAPTCHAs, which was called to mind by Deborah's trashcan example:
Captchas: The Bear Proof Trash Can Problem
http://innocuous.org/articles/2010/11/21/captchas-the-bear-proof-trash-can-problem/


Sarah E. Bourne
Director of IT Accessibility
Massachusetts Office of Information Technology
Commonwealth of Massachusetts
1 Ashburton Pl. rm 1601 Boston MA 02108
617-626-4502
= EMAIL ADDRESS REMOVED =
http://www.mass.gov/itd

From: Don Mauck
Date: Thu, Nov 06 2014 8:00AM
Subject: Re: CAPTCHA
← Previous message | Next message →

Sarah --
That is a great article, thanks for sharing.

From: Stefan Sollinger
Date: Thu, Nov 06 2014 3:19PM
Subject: Re: CAPTCHA
← Previous message | Next message →

Hi Sarah,

I haven't seen this article before but it's a fantastic description of the
problem.

Here are a few other resources about CAPTCHAs that I have collected over
the years. I think some have been mentioned before. Most are from Karl
Groves, he seems one of the very few people who keep the balance between
benefit and problem on this, without automatically declaring all CAPTCHAs
to be evil.

CAPTCHA-less security approaches – alternatives to using CAPTCHA:
http://www.karlgroves.com/2012/04/03/captcha-less-security/

and this is a follow-up article to the above:
http://www.karlgroves.com/2013/08/07/eating-my-own-dog-food-botsmasher-web-service/

Long list of resources about breaking CAPTCHAs, to show CAPTCHA isn't as
secure as some people like to think:
http://www.karlgroves.com/2013/02/09/list-of-resources-breaking-captcha/

Spam-free accessible forms
http://webaim.org/blog/spam_free_accessible_forms/

List of lots of resources about CAPTCHA:
http://www.a11ybuzz.com/topic/captcha

And finally, this is a joke website making fun of CAPTCHAs:
http://crapcha.com/

--
Stefan Sollinger

From: Mallory van Achterberg
Date: Fri, Nov 07 2014 1:26AM
Subject: Re: CAPTCHA
← Previous message | Next message →

On Thu, Nov 06, 2014 at 10:19:39PM +0000, Stefan Sollinger wrote:
>
> And finally, this is a joke website making fun of CAPTCHAs:
> http://crapcha.com/
>

A guy wanted to make a CAPTCHA that was "fun" and hoped inborn
knowledge of human hands would be a solution. He posted it to
Sitepoint Forums: http://community.sitepoint.com/t/hand-gesture-captcha/42570

I think he was going for the cognitive aspect of it, but every
response there has as much if not more trouble than traditional
CAPTCHAs.

I suspect there are a lot of smart people still spending time
trying to make these bear-proof tests (or, how about pill
bottles that arthritic people have to ask their toddlers to open
for them), and I think that's a shame. I'd love it if these
smart people were driven to think *outside* CAPTCHA, to the
real problem underneath.

_mallory

From: Tim Harshbarger
Date: Fri, Nov 07 2014 4:40AM
Subject: Re: CAPTCHA
← Previous message | No next message

Mallory,

That is a good point which leads to another question.

How do we draw the interest of people, who may have the skills we might not possess or the time to investigate solutions for such questions, so we can work collaboratively together to come up with new accessibility solutions?

It is great when there is a person with the interest, knowledge, and skill to solve a problem, but often interest, knowledge, and skill aren't possessed by the same person and then how do you build a team of people who combine to have all those things?