Does CAPTCHA Really Work?

Tenken89, a member of the LockerGnome community, asks:

Are CAPTCHA codes effective bot deterrents, or are they just annoying?

Do you find yourself annoyed by the scrambled numbers and letters you have to decode in order to gain access to a site? This CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) code is intended to trick robots by replacing text with an image that’s difficult for a computer to decipher. Unfortunately, it can also be difficult for most humans, as well.

The problem with CAPTCHA is that is doesn’t work, at all. There are companies that make a lot of money hiring employees to read and solve the CAPTCHA puzzles for them, being presented with them one by one for solving. Once the human has solved the puzzle, the bot takes over again and the site becomes the International House of Spam. In addition, text recognition software is becoming extremely powerful, and the tricks deployed by CAPTCHA can only work for so long.

Does CAPTCHA Really Work?Because some CAPTCHA systems include a limited amount of pre-generated codes, some spam bots can actually be trained to recognize repeated codes. In addition, passing the CAPTCHA along to humans using the persuasion of pornography is another trick being deployed by spammers. By presenting CAPTCHA codes as a game, with each correct answer resulting in a model appearing in a lesser state of dress, players are in fact solving codes for spammers.

Sites depend on an absolutely smooth user experience in order to keep the attention of their users. By putting a roadblock in front of them, site administrators are essentially taking an active step to keep legitimate users out of their site. On the other hand, a site filled with spam makes for a lousy user experience, as well. Alternatives are available, including a physical security key, third-party login services such as Open ID, and others.

So, what other alternatives are currently available? Chris Pirillo posed this question to the community on Google+, and here are some of the responses:

Scott Baker – Honeypots work almost as well and are MUCH less annoying for users.

Michael Knight – I use a Yubikey for tons of stuff, and it’s really simple to integrate it into your own site/code.

Torey Lacey – I thought this was neat and by far less annoying: Ad slogan CAPTCHA codes.

Article Written by

Ryan Matthew Pierson has worked as a broadcaster, writer, and producer for media outlets ranging from local radio stations to internationally syndicated programs. His experience includes every aspect of media production. He has over a decade of experience in terrestrial radio, Internet multimedia, and commercial video production.

  • Newton Smartt

    I have trouble organizing my thoughts, so don’t take this as blunt. I’m numbering my responses.
    1. CAPTCHA does work. The problem is that it’s annoying and time consuming for users. There are many situations where spammers beat some CAPTCHA codes, but I don’t think that’s a problem with reCAPTCHA. reCAPTCHA is getting significantly more difficult to read.
    2. A honey pot can only be effective if the bot programmer is not targeting your site directly. Sites like Facebook could not effectively use these. Any implementation must rely on some client-side programming which can be duplicated.
    3. I saw a lot of users suggesting math equations. A bot programmer, with some ease, can parse those sorts of things (converting the string representation of the numbers involved and using a switch statement on the operator to determine what action needs to be applied). The solutions get more complicated as the more security features are added to this sort of thing, but I’m doubtful that a completely secure method could ever be implemented.
    4. Kind of like #3, simple questions can’t be broken by a bot. There is a limited number of possibilities so the solution of a bot programmer would be to harvest possible questions and answers. This would be an annoying process and might be secure, but, even then, these questions look highly unprofessional to me. I would be significantly less impressed with a site that used this as a solution to bots than I would be with a site using CAPTCHA. It’s a bias towards the fancy look of a CAPTCHA vs the (in my opinion) plain and somewhat unprofessional (possibly because of the rarity of this solution?) look of a question based anti-bot/spam.

    I’m very much at a loss as to a solution to bots. Right now, I do think that CAPTCHA is the closest we have to a good solution.

  • Newton Smartt

    I have trouble organizing my thoughts, so don’t take this as blunt. I’m numbering my responses.
    1. CAPTCHA does work. The problem is that it’s annoying and time consuming for users. There are many situations where spammers beat some CAPTCHA codes, but I don’t think that’s a problem with reCAPTCHA. reCAPTCHA is getting significantly more difficult to read.
    2. A honey pot can only be effective if the bot programmer is not targeting your site directly. Sites like Facebook could not effectively use these. Any implementation must rely on some client-side programming which can be duplicated.
    3. I saw a lot of users suggesting math equations. A bot programmer, with some ease, can parse those sorts of things (converting the string representation of the numbers involved and using a switch statement on the operator to determine what action needs to be applied). The solutions get more complicated as the more security features are added to this sort of thing, but I’m doubtful that a completely secure method could ever be implemented.
    4. Kind of like #3, simple questions can’t be broken by a bot. There is a limited number of possibilities so the solution of a bot programmer would be to harvest possible questions and answers. This would be an annoying process and might be secure, but, even then, these questions look highly unprofessional to me. I would be significantly less impressed with a site that used this as a solution to bots than I would be with a site using CAPTCHA. It’s a bias towards the fancy look of a CAPTCHA vs the (in my opinion) plain and somewhat unprofessional (possibly because of the rarity of this solution?) look of a question based anti-bot/spam.

    I’m very much at a loss as to a solution to bots. Right now, I do think that CAPTCHA is the closest we have to a good solution.

    • BD

      I have been using captchas on multiple websites that I work with. Not a single one works. My websites get spammed by bots everyday. The only time a captcha has worked is one that I have programmed myself and I used it on one of my websites. It kept the bots from registering accounts dead cold.