The CAPTCHA Alternatives    December 9, 2006

Most people know what CAPTCHA is, and if they don’t, I am sure that they have seen one. Furthermore, I am sure that everyone has been molested by a bad CAPTCHA. Once I tried to register at a forum and it took me 8 times to get the CAPTCHA right – 8 times! I had to register at that forum, but if I hadn’t, after a couple of tries I would just have presumed that the CAPTCHA wasn’t working and closed the browser.

Of course CAPTCHA is very useful and it can help you reduce spam, false/automatic registrations, etc. But at the same time it is a big accessibility and usability problem – which means that your site or web app can lose precious visitors/users. In fact, inaccessibility is such a big problem that there’s a W3C document outlining CAPTCHA problems and possible solutions.

All this means that there are plenty of people searching for an alternative way to tell computers and humans apart. Here are some of the proposed alternatives and fixes…

Photo/Image CAPTCHA

The main problem with ordinary CAPTCHA is that the text needs to be distorted or otherwise made somewhat unreadable in order to fool OCR programs. The idea behind the photo CAPTCHA is that the user is presented with several photos and needs to select those that have, for example, kittens on them. This is a great idea, as it is easy for humans to perform such a task but virtually impossible for a computer.

As far as I know, KittenAuth is the first system implementing this. Among others there is also HumanAuth, a PHP script based on the KittenAuth idea, which claims to conform to certain accessibility standards.

The downside of this solution is that the user usually has to have JavaScript turned on for the verification to work. Also, if it is not implemented properly, bots might be able to build a map of image names to photo content and “know” which image should be selected.
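As an added example (not KittenAuth or HumanAuth code), here is how the server side of a photo CAPTCHA can avoid the image-name leak just described: every challenge hands each photo a fresh random id, the id-to-file mapping and the set of correct ids stay on the server, and the check is single use. The image pool and its labels are constructed for the demonstration.

```python
import random
import secrets

# Constructed image pool: file name -> whether the photo shows a kitten.
# Both the file names and the labels stay on the server; linking the files
# directly (<img src="kitten_01.jpg">) would hand a bot the answer key.
IMAGE_POOL = {
    "kitten_01.jpg": True, "kitten_02.jpg": True, "kitten_03.jpg": True,
    "kitten_04.jpg": True, "kitten_05.jpg": True,
    "puppy_01.jpg": False, "parrot_01.jpg": False, "hamster_01.jpg": False,
    "goldfish_01.jpg": False, "rabbit_01.jpg": False, "turtle_01.jpg": False,
    "pony_01.jpg": False,
}

# Outstanding challenges: challenge id -> {"ids": {opaque id: file}, "answer": set of ids}
CHALLENGES = {}


def issue_challenge(grid_size=9, kittens=3):
    """Pick a grid of photos, give each a random id valid for this challenge
    only, and remember server-side which ids are the kittens. Returns the
    challenge id and the image ids in display order (what the HTML carries)."""
    kitten_files = [f for f, is_kitten in IMAGE_POOL.items() if is_kitten]
    other_files = [f for f, is_kitten in IMAGE_POOL.items() if not is_kitten]
    chosen = random.sample(kitten_files, kittens) + random.sample(other_files, grid_size - kittens)
    random.shuffle(chosen)  # no positional pattern to learn either
    ids = {secrets.token_urlsafe(9): f for f in chosen}
    challenge_id = secrets.token_urlsafe(16)
    CHALLENGES[challenge_id] = {
        "ids": ids,
        "answer": {i for i, f in ids.items() if IMAGE_POOL[f]},
    }
    return challenge_id, list(ids)


def resolve_image(challenge_id, image_id):
    """Image handler for /img/<challenge>/<id>: map the opaque id back to a
    file, but only within the challenge that issued it."""
    challenge = CHALLENGES.get(challenge_id)
    return challenge["ids"].get(image_id) if challenge else None


def verify(challenge_id, selected_ids):
    """Form handler: the selected ids must equal the kitten set exactly. The
    challenge is consumed whatever the outcome, so it cannot be retried or replayed."""
    challenge = CHALLENGES.pop(challenge_id, None)
    if challenge is None:
        return False
    return set(selected_ids) == challenge["answer"]


if __name__ == "__main__":
    cid, shown = issue_challenge()
    print("challenge", cid, "shows", shown)          # opaque ids, no file names
    # The server, not the browser, knows which of them are kittens.
    print("verify:", verify(cid, CHALLENGES[cid]["answer"]))
```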

Animated CAPTCHA

This is a purely technical solution that obscures the letters on the CAPTCHA image without distorting them. Instead, it produces an animated GIF that has a lot of noise on it and in which the letters are never all shown in the same frame.

You can see a PHP implementation of animated CAPTCHA in action or you can download the code and try it yourself.

Sound CAPTCHA

Sound based CAPTCHA has the same idea as the visual one; unfortunately, this means it also has the same problems. In order to filter out voice recognition bots the sound sample must be distorted, which has the same negative effect on humans as with the visual solution.

Multiple choice questions

Some sites use a “complete the sentence” solution. They present a sentence to the user and he has to complete it with one of the options given in a drop-down menu.

I like to read a _______ when I relax.

The drop-down would contain, for example: t-shirt, book, chair, hat. You could have a set of questions and answers and show them at random.

The problem with this solution is that you have a limited set of possible answers (4 in my example), so theoretically every 4th random answer should be correct. That opens the system to a brute force attack. Another problem is that you have to build a database of questions & answers, which leaves you with a limited set (even if you define a couple of hundred questions). In turn that means someone can easily make a note of all questions and correct answers.

Session variable / GET request detection

This isn’t a CAPTCHA alternative per se, but it can be used to filter out spam-bots. The idea is that you put something in the session when a GET request is made, and when the form is submitted you check the session for that variable.

This can filter out stupid bots that POST directly without first getting the page with the form. Of course this system can be easily fooled by creating a bot that acts like a web browser.

Dummy form elements

Again not a direct CAPTCHA alternative, but it can help with spam-bots.

The goal here is to add dummy form elements that can trick bots into filling them, and hide those from users with CSS. Additionally, the dummy elements should be named suggestively to fool the bots – for example, subject, name, URL… Then when the form is submitted you check if any of these fields have been filled in, and if so you have caught a bot.

You can read more about this solution in Form Spam: Increasing the Attacker’s work function.

Of course, this is far from perfect, but it just might help you reduce spam considerably by eliminating generic bots. Another big plus for this method is that it’s unobtrusive and users don’t even know it’s there.
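The two server-side checks from the last two sections (the session variable set on GET, and the hidden dummy fields) combined in one form handler, as an added example rather than code from the linked article: the GET handler mints a one-time token and keeps it in an in-memory session store (constructed here; a real site would use its framework’s server-side session), and the POST handler rejects submissions that never fetched the form, reuse or forge the token, or fill any hidden field.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> one-time form token.
# A real site would keep this in its framework's server-side session.
SESSIONS = {}

# Hidden "dummy" inputs with suggestive names. CSS hides them from people,
# so anything in them was typed by a bot filling every field it sees.
HONEYPOT_FIELDS = ("subject", "name", "url")

# The fields a real person is meant to fill in.
REAL_FIELDS = ("email", "comment")


def render_form(session_id):
    """GET handler: mint a one-time token, remember it in the session and
    return the inputs the page will carry (token as a hidden input)."""
    token = secrets.token_urlsafe(16)
    SESSIONS[session_id] = token
    fields = {"form_token": token}
    fields.update({f: "" for f in REAL_FIELDS + HONEYPOT_FIELDS})
    return fields


def check_submission(session_id, post_data):
    """POST handler: return (accepted, reason). The token is consumed on the
    first POST, so a second submission with the same token is also refused."""
    expected = SESSIONS.pop(session_id, None)
    if expected is None:
        return False, "no session: form was never fetched with GET"
    token = str(post_data.get("form_token", ""))
    # constant-time comparison on bytes (compare_digest rejects non-ASCII str)
    if not hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8")):
        return False, "form token missing or wrong"
    filled = [f for f in HONEYPOT_FIELDS if str(post_data.get(f, "")).strip()]
    if filled:
        return False, "honeypot field(s) filled: " + ", ".join(filled)
    return True, "ok"


if __name__ == "__main__":
    # A browser fetches the form, then submits only the visible fields.
    form = render_form("sess-human")
    print(check_submission("sess-human", {"form_token": form["form_token"],
                                          "email": "a@example.com", "comment": "hi"}))
    # A generic bot fetches the form but fills every field it finds.
    form = render_form("sess-bot")
    print(check_submission("sess-bot", {"form_token": form["form_token"],
                                        "email": "x@example.com", "comment": "buy now",
                                        "url": "http://spam.example"}))
    # A stupid bot POSTs directly without ever fetching the form.
    print(check_submission("sess-direct", {"email": "x@example.com", "comment": "buy"}))
```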

48 Comments

Melanie August 17th, 2014 at 2:05 am

Lol, I used an image captcha for my site.

Anonymous December 10th, 2011 at 9:09 pm

test test

Anonymous July 4th, 2011 at 12:48 am

a good alternative to captcha is http://keypic.com

Toby June 13th, 2011 at 11:32 pm

Nice one….

Phil May 20th, 2011 at 6:13 pm

I love captchas!

Lenny December 3rd, 2010 at 4:54 pm

I threw together this quick proof of concept for using the Flickr API to create a CAPTCHA alternative. As I said, it’s just a proof of concept; it uses jQuery to fetch random Flickr images via JSON and you have to guess what the picture is. You can see the details and see it in action here…

http://itslennysfault.com/flickr-api-with-jquery-json

yedy July 29th, 2010 at 12:20 am

hola

V Gautam June 22nd, 2010 at 11:13 pm

Neville’s idea is good as it does hurt spammers economically, which is a huge driving factor. We have created a technology that detects the presence of humans based upon the anonymous behavioral data collected during user interaction, transparently and in real time. Most bots come with no behavioral data or with minimal or repetitive data, hence they get caught. Check it out at http://www.pramana.com; lower end products are offered at no cost.

il May 20th, 2010 at 6:56 pm

nice post

Ben April 28th, 2010 at 8:45 pm

Another option would be to convert your form to a Flash embedded object. Since Flash is proprietary and bots don’t have access to the source code, it would take a SWF decompiler to fill out that form; also, the Rich Internet Application solution makes it look nicer too.
The only problem with that is that it obviously won’t run on Apple products like the iPhone/iPad.

Slobodan Kovacevic November 9th, 2009 at 2:15 pm

But the mouse release won’t work when the user submits the form using something else (for example, presses enter, or space on the submit button, etc.)

Jos Blomsma November 9th, 2009 at 2:03 pm

I always use a little JavaScript to check whether a button is ‘clicked’ (mouse-release). That seems to work, simple solution. I really don’t like captcha.

Anonymous September 8th, 2009 at 9:54 am

iuyuiyui

abraham May 21st, 2009 at 11:19 pm

One aspect of spam protection that is not mentioned here comes to mind. We need to demand that businesses behave or else we don’t visit their website, buy their products or services.

Pete Williams February 10th, 2009 at 11:34 am

Good post, I’ve also had some thoughts on how we can avoid CAPTCHA, posted on my blog: http://petewilliams.info/blog/2009/02/why-captcha-sucks-and-what-to-do-about-it/

dick January 20th, 2009 at 5:59 pm

nothing is 100% safe, that’s the real life

M. Theado October 6th, 2008 at 11:50 pm

lol. Anyone find it amusing that the bots are actually pointing out some viable ideas without realizing it? Neville’s idea is a good one. For my little forum, we used to get metric tons of spam. After quickly adding some PHP for the reg page, we haven’t seen any at all. It’s a good solution for now, but it would prove ineffectual if implemented en masse.

Tyler May 15th, 2008 at 12:45 am

How about a form that asks you to conjugate a word. Like you are given an infinitive like “To Run” and you are asked for the past tense. So the answer would be “ran”.

Just do it using current captcha models. Actually.. that won’t work. Plug your spambot into a thesaurus and it would be compromised.

carl codling October 23rd, 2007 at 12:06 am

I should mention also that I am creating a session var on the form page, assigning it a random value and posting it to the processing script so that I can check for validity.

carl codling October 22nd, 2007 at 11:00 pm

I like your thinking Neville! (cmnt. 17).
I’m working on an ajax comments form for my site, I know it’s not ideal from an accessibility point of view but noscript users will be advised to send comments through the site email system.
My thinking is, and this is only an assumption, that the spambots won’t be able to download or execute the javascript and hence the form won’t submit. The javascript file will be further protected using PHP.
Another method is to check the referer headers using PHP but this again is flawed as they can be spoofed very easily.

Streetdaddy March 21st, 2007 at 1:36 am

It would seem that the best solution is to pile all the spammers into a rocket and fire it into the sun…

Neville Newey February 25th, 2007 at 4:41 pm

I am surprised no-one has mentioned a variation on the session idea where you record the time the form was loaded. Then on the post you calculate the time difference and if it’s less than say 5 seconds you ignore it as spam. Of course spam bots could easily adjust for this by building in a delay, but imagine if we all did this, forcing all spam bots to work more slowly; we could reduce the total amount of spam for everyone. Since implementing such a system about a week ago I have not had a single item of spam get through.

Jon December 18th, 2006 at 3:36 pm

David, the problem with java applets is that they require that horrible java runtime environment to load into the OS which (on my XP laptop) takes 20 seconds :(

David Schneider-Joseph December 15th, 2006 at 2:11 am

basti,
Keep in mind that the “WP HashCash plugin” is mis-named. It does not use Hashcash at all. It simply requires a single hash using JavaScript, and it relies on the fact that most spambots don’t have a JavaScript engine. In other words: security through obscurity.
As far as using Java: unfortunately, Java is so far the best solution I have been able to come up with. While it can theoretically be done in JavaScript, my own tests have shown JavaScript to be about 500 times slower than Java for this purpose. This puts legitimate users at a huge disadvantage to spammers, who can write their own minting engine in C if they choose to. Java is only about 10 times slower than C, so it’s not a huge difference.

Basti December 13th, 2006 at 9:52 am

A lot of discussion about this post is happening on Reddit at:

http://programming.reddit.com/info/ujbj/comments

I will post some of my replies here too, for all non-reddit users to see.

—————————

mikeatlas said:

Perhaps you could expand on how CAPTCHAs can present serious problems for the blind or hearing impaired.

For example, Google’s CAPTCHA image offers an audio alternative for every CAPTCHA image they generate.

basti said:

The problem with an ordinary CAPTCHA system (with or without an audio alternative) is that it’s very intrusive for the user and that it requires the check to be obfuscated – and this presents a problem to any user, not just the blind and hearing impaired.

In case of visual CAPTCHA text is distorted, sometimes even to that extent that I cannot read it – I can only imagine how it’s for someone with serious sight problem.

Similarly, audio CAPTCHA also needs to be distorted, which produces the same problem.

Now, the point is to find some non-intrusive solution. It’s quite a challenge, especially if you try to find one that can be used by both the blind and the hearing impaired.

So far, the best solution accessibility wise is one with multiple choice question which relies on human intelligence to pass the check.

Also, all technical solutions (those that don’t require user action) should be seriously considered – for example Hashcash, dummy form elements, heuristics, etc. They are completely transparent to the user and hence don’t have accessibility problems.

—————————

frankus said:

That still leaves the question of what to do for hearing impaired individuals. Maybe you could have a randomly-generated sound sequence, with questions like “did you hear a bird chirp?” and “did you hear a dog bark?” and “was there a siren in the background?”

basti said:

This last idea for sound CAPTCHA is really good (although I think you wanted to say that this solution is for the blind). You could have a person talking in a normal voice (i.e. not distorted) and ask questions like that, and in the background you could randomly add some distinctive sound (siren, barking…). Then you could present them with a choice to select what they heard.

—————————

DavidSJ said:

Don’t forget WebHashcash! (http://davidsj.com/webhashcash/)

basti said:

Seems like a good implementation of HashCash. I like the fact that it can be used for anything, i.e. it’s not specific like WP HashCash plugin. But I really don’t like the use of Java applet – isn’t there some other way to do this?

—————————

csi95 said:

The fact is, it’s almost impossible to come up with a 100% effective solution that’s still accessible. You point out a number of good tricks to defeat CAPTCHA. It’s the old Castle and Siege problem. With enough determination, even the most secure Castle can be breached.

The solution that I believe gives the best bang for the buck is a question and answer entry. The Multiple Choice option they list has its downfall in the limited choices. Using an empty text box instead opens up infinite possibilities.

For example, ask a question like “What animal is considered Man’s Best Friend?” or “What city is home to the Eiffel Tower?”. A human can easily answer these questions with ‘dog’ or ‘paris’, but it would be much more difficult for a bot to create an accurate answer.

Several things can be done to make the questions more difficult.

1. Have a large database of questions. 250 questions, for example.
2. Display the questions as images, not text. That would require the bot to OCR the image just to get a hint at what the answer might be.
3. Rotate new questions in regularly.
4. Most Importantly — Lock out users with more than 5 bad attempts. If you are entering a Userid along with the CAPTCHA, lock that account. If not, lock that IP Address. This will either stop a bot from guessing thousands of times, or at least slow them down.

Again, nothing is perfect, but using an approach like this does give you a good mix of security and accessibility.

basti said:

The Castle and Siege problem is exactly what we are up against here. With enough determination any security measure can be bypassed. It’s just a case of raising the “amount” of determination needed to breach it. If you make it hard enough it would increase cost, and at one point it won’t be profitable any more to have bots doing whatever they do.

I like the approach you suggested. I especially like step 2 as it would increase the amount of work needed to pass the protection.

Basti December 13th, 2006 at 9:06 am

@Jon – I’d forgotten about Hashcash, but I recall that I read some very bad user experiences with it (to be more precise with the WP plugin that uses Hashcash). Perhaps these problems have been fixed in the latest versions. Anyone interested in it can take a look at: http://elliottback.com/wp/archives/2005/10/23/wordpress-hashcash-30-beta/ and try it out (let us know how it went). Generally, I think this might be a good idea.

@Frank – that sounds interesting. So basically, they are tagging parts of the image and asking you what part of image is tagged with certain number. Correct?

@Anonymous – none of the proposed CAPTCHA alternatives is 100% effective. Even current CAPTCHA is not 100% effective.

@Andrew – this is my point exactly. The idea is to increase work needed to bypass the CAPTCHA or some alternative. If you use a slightly different system then bots would have to be specially programmed for your site.

@Eric – randomize field names? Then you’d need to put something in the session to know how you randomized it, but now that I come to think of it a bot wouldn’t be able to differentiate fields based on name. Still, a bot could use field position in the HTML to determine what is what – but again that would require bot customization.

@Alex Graveley – Google is developing a CAPTCHA alternative? That sounds interesting. Do you have any more information about this?

subcorpus December 13th, 2006 at 1:14 am

nice article …
I use captcha on my blog …
it reduced the amount of spam … but it didn’t get rid of all …
I still get a lot … :(
maybe I need to try an alternative here …
thanks for the tips and heads-up …

Alex Graveley December 12th, 2006 at 10:05 pm

There is one pretty fool proof solution that I hope is being developed right now by Google using data from The Google Image Labeler Game.

Google could open this up right now as a service basically mimicking an image description multiple choice CAPTCHA, except without the fatal flaw of having a small set of images.

The algorithm is really easy too. Take an image with strong word identification by users. Then display the image and that word plus three randomly chosen words that have never been guessed for that particular image by people.

This would basically end the need for CAPTCHA, and be generally accessible. It would even be localizable.

Eric December 12th, 2006 at 9:41 pm

You can also randomize field names to confuse a bot.

Andrew December 12th, 2006 at 9:24 pm

I think it’s more a matter of “use different ones” then they are easier to work around.

Consider a Forum, pretty much all sites using vbulletin use the same captcha. So, I write a bot that targets vbulletin sites, and can bypass its captcha.

Now if every vbulletin site had different checks, my job would be considerably harder if I wanted to attack vbulletin sites.

Anonymous December 12th, 2006 at 9:02 pm

All of these methods are basically pretty easy to work around. Using them just means that all bots will have to have a better design, especially if all sites started using these.

Frank December 12th, 2006 at 8:39 pm

I saw a really innovative CAPTCHA (can’t find a URL at present) involving small images of 3D scenes including everyday objects like a flower in a pot and a person, with little numbers next to various parts of the scene.

You would have to enter the numbers, say, next to the person’s hat and the flower’s leaf.

Still a problem for the visually impaired, but trivial for humans to recognize and still quite difficult for machines.

Jon December 12th, 2006 at 8:34 pm

What about hashcash? I’ve seen a WordPress plugin for it, but would really like a javascript tutorial so I can implement it myself.

Basti December 12th, 2006 at 6:45 pm

@Jim – Actually, I registered yesterday on a site that required me to calculate a simple sum. The problem with this is that while it can stop generic bots, it’s very easy to create a custom one to bypass it.

On the other hand, most of the methods mentioned here don’t stop bots completely – but if you increase the amount of work needed to bypass the protection it’s likely that you’ll see a drop in bot spam, registrations or whatever.

Jim Jones December 12th, 2006 at 6:41 pm

I’ve recently seen more usage of the multiple choice CAPTCHA. As a derivative, I’ve also seen sites that will have you answer a simple computation problem.

Jim
http://www.runfatboy.net – Exercise for the rest of us.

Basti December 12th, 2006 at 6:38 pm

Good point. :)

We don’t have CAPTCHA because our spam filter catches most of the spam comments or we don’t get enough of comments. :)

The WordPress plugin Spam Karma uses some kind of heuristics to detect comment spam (and it does it well).

Heuristics is one of the CAPTCHA alternatives that I decided not to mention in the post because it’s focused on blog / email spam. You would have a hard time trying to apply it to, for example, a registration form with only email and password.

Bob December 12th, 2006 at 6:29 pm

no captcha on this blog? ;-)
