CAPTCHA is bad for accessibility

It shouldn’t really come as a surprise to anyone that by using CAPTCHA (Completely Automated Public Turing test to Tell Computers and Humans Apart) to limit comment spam on a blog, you are making it difficult or impossible for several groups of disabled people to post comments. The affected groups include people who are blind or have low vision, and those who have a learning disability such as dyslexia. The W3C explains the problems with CAPTCHA and examines some potential solutions in the Working Group Note “Inaccessibility of CAPTCHA”.

For anyone who is not familiar with the term CAPTCHA, it refers to using a bitmap image to verify that the user is human and not a computer program. CAPTCHAs are commonly encountered in comment forms on weblogs and in forms used to register for online services, and usually consist of an image containing distorted text which needs to be interpreted and entered into an input field in the form. Posting a comment or completing registration requires first verifying the text in the image.

This obviously makes it impossible for a person who can’t see or understand the image to post comments. Including the text in the image’s alt attribute is not an option since that would completely defeat the purpose of the CAPTCHA, which for blogs is preventing robots from posting comment spam. The robots could easily be modified to find and use the alternative text.

Besides having accessibility issues, the use of CAPTCHA in my opinion suffers from usability problems and should be avoided. There are other ways of preventing comment spam that do not affect accessibility.

Posted on December 3, 2005 in Accessibility, Quicklinks

Comments

  1. December 3, 2005 by Anonymous

    I was wondering whether you could please expand on the “There are other ways of preventing comment spam that do not affect accessibility” part? I would love to drop captchas, but so far I’m not aware of any other alternative that is as effective.

  2. One way might be to have a set of questions on subjects with widely known answers and request the answer from the question pool at random and then parse the answers. It would be entirely text based and so should be easily accessible, provided the questions chosen were appropriate for the widest possible audience and still fool a bot. Not without its flaws but one possible alternative.

  3. Actually, forcing a preview before submission of comments is a decent way of helping prevent comment spam…and it doesn’t break accessibility. (I just noticed that’s what this blog does. ;))

  4. CAPTCHA is effective for blocking spam…and that’s probably the appeal for most people who’ve adopted it. So what are the improved and accessible alternatives that will work just as well?

  5. There are alternatives in that W3C article mentioned in the article. Read it, it’s interesting at least.

  6. December 3, 2005 by Roger Johansson (Author comment)

    Hmm. I wonder if revealing the tactics I use here will lead to spammers finding workarounds. I hardly get any spam at all, and the few spammy comments that do slip through in a week are manually submitted. Before I started using my current prevention methods I had to take care of tens of spammy comments every day. Let me think about it a little.

  7. On my blogs commenters have to manually enter a name — mine :-) — before they can leave a comment. I know it’s not the best way and I’m open to other solutions that don’t have accessibility issues.

  8. December 3, 2005 by Roger Johansson (Author comment)

    Ok, I’ve done some thinking. I’m not going to reveal everything I do to prevent comment spam. What I will say is that I use multiple layers of defence.

    Besides, all links in comments get a rel=”nofollow” attribute, I delete any spam that does get through as soon as I see it, and blacklist all URLs in spam comments.

  9. There’s something wrong with an acronym “Completely Automated Public Turing test to Tell Computers and Humans Apart” when the CAPTCHA actually requires you to type and interpret some kind of obfuscated image. It’s not completely automated at all!

  10. One way to prevent comment spam—or all spam as a matter of fact—is to make a universal law that dictates that “all spammers who are caught will have both thumbs removed without anaesthetic while being laughed at in a public square. They will also have the words ‘nobody wants my fetid crap’ tattooed on their foreheads.” I think that would be an effective countermeasure don’t you? Let’s start a petition to the U.N. ;-)

  11. Amrit’s method with the additional field only works until a spammer comes along who’s built a spam bot which uses custom profiles for sites that don’t conform to the normal fields.

    I use a number of methods for blocking comment spam, including a lot of custom regex and keyword filters, several domain blacklists and referer checking on the comment form and all those tricks combined have worked very well.

    I would never use a CAPTCHA myself because of the usability problems (and being dyslexic, I seem to have an even harder time than others figuring out what the distorted letters are really supposed to be) and I’ve been looking for alternatives myself.

    I’ve wanted to experiment with using multiple methods and automatically rotating between them (a coworker said that wouldn’t last long, but when I said you make the intervals random and maybe use one method for days or even weeks before rotating, he started laughing at how infuriating that would be to try and hack) but it just hasn’t been practical.

    With that in mind, something I haven’t seen much experimenting with is changing the names of the input field values.

    I had some success with swapping the email and name fields (you do so both on the form and on the server side script), which when an automated spam bot comes across dutifully puts a fake name in the field with the value “name” and it causes an error because it’s not a properly formatted email address.

    This works until a spammer decides to put an email into both or creates a custom profile for that domain. But what if the fields were named “spoon” or “monkey” and the nonsense words were randomly changed?

    Some spammer would eventually figure out just to look at the text labels for the fields (since you couldn’t change the label sitting in front of the box on the actual rendered page; if you came to a form with the name “spoon:” in front of a text field, you’d think WTF?), but what if you add in another hidden field which doesn’t have any visible clues to what it means? Both the name and values could be regularly changed and only the “combination of the hour” will get accepted (the software of course having a grace period when the combo changes so legitimate users don’t get bounced). Serve up a variable number of hidden fields, which with the seemingly random combinations and counts of hidden fields are a cipher that gets harder to break with each new layer.

    If well designed then all this complexity in the form doesn’t add much to your server’s load besides a little math and looking up the submitted values against the list of currently accepted hidden field codes, but for the spammer it starts getting very expensive as more and more comments fail to get through compared to the amount of load it’s taking their server doing the form filling and submitting.

    You don’t need to find a foolproof method so much as make it too expensive to be worth their effort to try.
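The rotating hidden-field idea from comment 11, sketched as an added example (not code from this blog or from any commenter). It assumes a server-side secret and derives each hour's field names, values and field count with an HMAC, so no list of accepted codes has to be stored; `SECRET`, `hidden_fields`, `render_hidden_inputs` and `verify` are names made up for this sketch.

```python
import hashlib
import hmac
import html

# Constructed values for illustration; load a real secret from configuration.
SECRET = b"constructed-demo-secret"
ROTATION_SECONDS = 3600   # the "combination of the hour"
GRACE_BUCKETS = 1         # also accept the previous hour's combination


def _digest(bucket: int, label: str) -> str:
    msg = f"{bucket}:{label}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def hidden_fields(now: float) -> dict[str, str]:
    """Derive this time bucket's hidden field names and values."""
    bucket = int(now // ROTATION_SECONDS)
    count = 2 + int(_digest(bucket, "count"), 16) % 3   # 2 to 4 fields
    return {
        "f" + _digest(bucket, f"name{i}")[:10]: _digest(bucket, f"value{i}")[:16]
        for i in range(count)
    }


def render_hidden_inputs(now: float) -> str:
    """HTML to embed in the comment form when it is served."""
    return "\n".join(
        f'<input type="hidden" name="{html.escape(n)}" value="{html.escape(v)}">'
        for n, v in hidden_fields(now).items()
    )


def verify(form: dict[str, str], visible: set[str], now: float) -> bool:
    """Accept only if the non-visible fields match a currently valid combination."""
    submitted = {k: v for k, v in form.items() if k not in visible}
    for age in range(GRACE_BUCKETS + 1):
        expected = hidden_fields(now - age * ROTATION_SECONDS)
        # Field set must match exactly; values are compared in constant time.
        if submitted.keys() == expected.keys() and all(
            hmac.compare_digest(submitted[k].encode(), expected[k].encode())
            for k in expected
        ):
            return True
    return False
```

This rejects posts built from a stale or guessed form. A client that loads the live form and returns its fields within the window is indistinguishable from a browser, so it is one layer among several rather than a replacement for the other filters mentioned in the thread.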

  12. I’m starting to see some sites using alternatives to CAPTCHAS, like sound spelling the letters out loud. Not that it completely solves the problem… but it’s a sign that people are starting to think about accessibility. Right?

  13. CAPTCHAS are only a stop gap anyway. I’ve heard that they can already be bypassed by smart spammers if they so desire. If not then it’s just around the corner as there are a lot of very smart people with black hats looking to win that war as well. Reliance on any single anti-spamming method as a forever cure will always be an error of security judgement. There’s a constant struggle for ways to block and ways to unblock these floodgates. Look at CAPTCHAS at best as a temporary fix. I’ve never liked them simply because they’re a pain for me the user and god forbid I was visually handicapped.

    I’m not sure of my facts at this point but I’m sure not long ago similar feelings on CAPTCHAs were aired concerning somewhere big like Amazon or eBay or somewhere large. Now how fair is using CAPTCHAs on the people who can’t get past them even if they are an effective anti spamming tool? I’d suggest being a barrier to disabled users might define them as ineffective anti spamming tools…

    But my very main criticism of them is several times I’ve mistaken a 9 for a g and had to do it all again so as a user my hair goes up on end when I see one. Like frames and table layouts I think they’ve had their day.

  14. From my archives…

    Patrick Lauke put up on Accessify - W3C on inaccessibility of CAPTCHAs

    Access Matters - Did CAPTCHAs Catch Ya?

  15. December 4, 2005 by Roger Johansson (Author comment)

    andr3: Audio CAPTCHAs may appear a good idea at first, but they are no better than images. In fact, they are probably worse and will affect even more people in a negative way than image CAPTCHAs. From the W3C Note:

    Hotmail’s sound output, which is itself distorted to avoid the same programmatic abuse, was unintelligible to all four test subjects, all of whom had “good hearing”. Users who are deaf-blind, don’t have or use a sound card, work in noisy environments, or don’t have required sound plugins are likewise left in the lurch. Since this content is auditory in nature, users often have to write down the code before entering it, which is very inconvenient.

  16. Roger,

    Thanks for clearing that up. Yes, MSN Passport was one of the places I spotted audio CAPTCHAs.

    Well, it seems that there is no way of using CAPTCHAs and keeping it accessible, is there? And even though they aren’t really required for stopping spam in blogs, it gets quite different when it comes to services like GMail. Each registered account will eventually put further stress on the infrastructure, so it’s a real need to have a way to control the access by machines…

    I wonder if we can use biometrics to solve this problem in the future? It will probably be more bits and bytes that can easily be forged, anyway. shrugs I got nothing.

  17. December 4, 2005 by Roger Johansson (Author comment)

    I suppose one way could be letting the user choose which method they would like to use to prove they are human. You could use an image CAPTCHA by default, and next to it have a text that says something like “Having problems figuring out the text in this image? Try an audio version/logic puzzle/some other CAPTCHA instead.”

    Just an idea. I don’t know how well that would work.

  18. What do people think of the Wordpress Hashcash Javascript solution? (http://elliottback.com/wp/archives/2005/10/23/wordpress-hashcash-30-beta/)

  19. I love the wp-hashcash plugin. I’ve had zero (!) comment spam since I installed it.

  20. December 4, 2005 by Roger Johansson (Author comment)

    Hashcash looks neat, but requires that your browser has JavaScript enabled and can do XMLHttpRequest. Unless a fallback for people with JavaScript off / no XMLHttpRequest is provided, that disqualifies it.

  21. I’ve been really happy with the WordPress plugin that Eric Meyer wrote called WP-Gatekeeper. It is totally accessible…but then what else would you expect from him?

    P.S. I always have to remember that I can’t use my regular email address when I comment here. Roger screens all comments that have my state’s name in them. I live in Austin, and my fair state has a card game named after it. P.P.S. Dang, I have to remember to turn off my Firewall too. If at first your comment doesn’t submit, try, try again!

  22. December 4, 2005 by Roger Johansson (Author comment)

    goodwitch: Sorry about that. You should now be able to mention Texas in comments :-). The firewall thing I didn’t know about. Perhaps it is changing your referer header?

  23. December 5, 2005 by nufan

    First of all, I have to agree with the people saying that CAPTCHAs are bad for accessibility and usability.

    But there are a couple of things that you can do, if you really need to use it.

    1) Ignore certain characters … e.g. iIl1oO09g to prevent confusion.
    2) or simply don’t use uppercase letters
    3) Give the user a chance to get a new CAPTCHA challenge … simply put a link next to it that says something like “try another one” … limit this function to 5 times if necessary.
    4) Use/make a CAPTCHA with a complexity that matches what it is protecting. Even though CAPTCHAs can be hacked, most robots will find easier victims … so don’t distort the image more than you have to.

    This, of course, will NOT help those who can’t see the image! But it will at least help the ones who can.

  24. I use WP-Gatekeeper which has been blocking 100% of all spam alone, until I upgraded to the latest version. Unfortunately, the old version I was using still had the bug that was blocking all legitimate trackbacks too. Since then, I started getting about 1-2 spam every 1-2 days, which was mostly trackback spam, but still some comment spam. For those, I have the black list of words and they all end up in the moderation queue anyway.

  25. http://www.htmldog.com/ptg/archives/000098.php

  26. You want inaccessible? How about a CAPTCHA that only works in IE?

    At a federal government agency, no less!

  27. There could be a simple question CAPTCHA, just text based but requiring human input - e.g. Q: what is the thing you type on? A: keyboard

  28. December 7, 2005 by Roger Johansson (Author comment)

    nufan: Giving users a second (or third) chance of passing the CAPTCHA is a good idea no matter which method you use.

    Michael: I like the tiny textarea that you’re supposed to enter up to 1024 characters in on that page.

    dusoft: I’ve seen captchas like that, and they should be accessible to a much larger number of people than those based on images. There’s still the problem of checking for spelling and synonyms though.

  29. As I’m writing a brief article on captchas and accessibility, this is interesting. It seems like one captcha that provides an accessible solution for one group causes issues for another group. For example, audio captchas may be a solution for those using screen readers, but not for those who are deaf-blind. Multiple-choice questions may be a solution for those who are deaf-blind, assuming the question has no cultural or socioeconomic bias, but it may not be a solution for those with cognitive impairments or low literacy skills. As Roger suggested, is the best current solution to provide a variety of captchas, until a more “ideal” solution is developed???
