Provide an accessible alternative if you must use a CAPTCHA

In several recent online and offline discussions on comment spam and other automated, improper use of forms, I have seen or heard people suggest using image-based CAPTCHAs (you know, those images of distorted letters and numbers) to prevent spambots and other programs from successfully submitting forms.

Requiring the user to interpret an image of distorted characters and then enter those characters into a text input field may seem like a nice idea at first. But while it does offer some protection against spam, unfortunately it is also really bad for accessibility.

The nature of graphical CAPTCHAs makes it difficult or impossible for people who are visually impaired, blind, or dyslexic to post comments (or place their order, or whatever the form is used for). Heck, they make it hard enough for people with perfect eyesight to submit the form. If you can’t see or interpret the image, you’re completely out of luck though.

The American Foundation for the Blind has made a nice demonstration of the problems, available in a video titled CAPTCHAs on Social Networking Sites Shut Out Blind Users. If you currently use graphical CAPTCHAs on your site, I suggest you watch the video and find out what it’s like for a screen reader user to interact with them.

Using alternative text, which is the normal method for making images accessible to people who can’t see them, for CAPTCHA images is basically the same as removing any protection against spammers, so that obviously does not work.

If you simply have to make your users prove they are human, don’t use a graphical CAPTCHA with no alternative. A couple of possible alternatives are logical puzzles and audio, both of which are explained, along with other possible solutions, in the W3C Note Inaccessibility of CAPTCHA. Audio should obviously not be used as the only option either.

Something as simple as adding a checkbox that the user needs to check or uncheck also seems to work well.

Be innovative when looking for solutions to comment spam. But please, be careful with CAPTCHAs, and do not use a visual or audio CAPTCHA only. Provide alternatives.

Posted on September 4, 2007 in Accessibility

Comments

  1. As you say, defeating spam can be as simple as adding another required step, like checking a checkbox, doing some simple math or clicking a button after the user submits — all of which are totally accessible.

    They convolute the process but damn, so does a CAPTCHA.

    The problem is it is easily defeated by somebody launching a targeted attack against you. In that case it might be best to randomly change which extra-step you use.

  2. Great article. I’ve used mostly visual captcha with an audio option to avoid comment spam, but am coming to terms with its usability issues (hard to read disguised images; computer-generated audio may be difficult to interpret).

    I am planning on implementing other methods in the future such as your checkbox solution. I’ve also seen where the user is simply asked to enter a certain word into a text field. Logic problems are good, but may be inaccessible to those with cognitive disabilities.

    Also, there are a few posts about Captcha on Web Axe.

  3. For a really great resource on captchas and why they are inherently fallible, check out Security Now’s podcast #101. They talk extensively about the history, present and future of captcha technology. They go on in episode #102 to talk about accessibility in Captchas and why there’s still a problem as you put it so well.

    Thanks for contributing to the ongoing discussion and I hope we can start to see good solutions to fighting spammers.

  4. September 4, 2007 by Rommert

    I stumbled upon a nice, sort-of accessible solution a few weeks ago. It’s about the same method as the checkbox one, but instead leave it empty and accompany it with a label which says something like: “Please leave this box empty in order to post your response”

    Then check it server-side if it’s empty. Of course you could set its display to “none” in CSS. The checkbox could be anything, I thought the best option was a simple text input field, because they get filled in by bots 99% of the time. I mean, this is accessible right?

  5. You could always use www.recaptcha.net

  6. To further demonstrate your point, I don’t have any disabilities and I have a difficult time using CAPTCHAs. Frequently there’s not a clear distinction between numbers and letters, or a character is so skewed you can’t possibly tell what it is.

  7. Maybe we can just use, for example, a simple math question instead of a complicated captcha? Or some checkbox with a simple question like “Are You accept this message?”. This can be very useful. For me these simple solutions work very well and they’re fully accessible.

  8. September 4, 2007 by Rod Perry

    I guess another question to ask yourself is if fighting comment spam is potentially worth putting additional cognitive overhead on the end user. I can semi-understand the need for financial and high-security web sites utilizing a captcha, but a blog?

    As for logic question vs. captcha it seems at least with captchas this is more conventional than a logic question. The logic question seems to run counter to a ‘don’t make me think’ mentality. In the check box example my fear would be that users would perceive this as a subscription/offer and be scared off.

    Yes, spam is a major pain, but under the right circumstances can’t you sort through those manually? Or apply filters on the back-end to let it do the heavy lifting?

  9. I’m astigmatic, so I wear glasses, which is fine. But even with glasses I have difficulty dealing with some CAPTCHA implementations. While trying to be tricky is the idea it is always going to trick some humans, somehow.

    Even relying on someone being able to answer a simple quiz in a specific language like English could be tricky for someone not culturally aligned - language being only one part of culture.

    I recall a psychology event once where they provided an Indigenous Australian version of an IQ test and a general version (assuming anglo heritage and schooling). Some of the answers were interesting.

    I may be able to hunt something up if anyone is interested but no promises :)

    Anyway my point is any quiz could be limited. But I agree that innovative ways need to be looked at. I particularly like the simple checkbox as it meets a mental model already in users’ heads about what it is for. And the question could be rephrased in many ways.

    Another one I like is the invisible form field - kind of like a honeypot - so if anyone does enter content in it (say you ask for a phone number and no humans would need to provide one) then you’ve trapped a bunch of them right off the bat.

    As I understand it spammers are already figuring captchas anyway so they aren’t the bee’s knees solution at all. It’s not about lacking the science to read them but about the sophistication of spammers to effectively circumvent them in the field. In the near future CAPTCHA could become irrelevant.

    Nice article Roger, I’ve got to say there needs to be a campaign of awareness about this one in particular. The thing is many people who use them simply aren’t aware they may be locking users out and just read they are the answer to all their spam issues.

  10. September 5, 2007 by hcabbos

    The invisible form field technique since I implemented it about 6 months ago on a few sites has dropped spam submissions down to zero. I highly recommend it.

  11. Often when I find a CAPTCHA, it’s when I’m in a hurry, usually logging in to my bank site. In over two years since they implemented the CAPTCHA, I’ve only experienced not being able to read the CAPTCHA once. That helps me but doesn’t help someone who is visually impaired. I agree with you that the use of a CAPTCHA is not accessible.

    For comment SPAM the invisible form field in conjunction with server code that throttles the number of links you can have in a comment has worked well for me. However, what do you do for a login page? Ask the user a math question? There has to be a better way. Asking a pre-saved question is one approach.

    Does anyone out there have any thoughts for slowing down a hacker who is attempting to login to your site?

  12. I have no disability and have excellent eye sight and I have a terrible time using CAPTCHAs. I hate those things. There was one site I used to use that I would end up having to try four or five times before I finally guessed the right code because it was too difficult to read. I can’t imagine how someone with a disability would deal with them.

  13. I have used a simple math question in a client’s form. I hope it works. http://acachurch.com/index.php?content=about&about=contact

    I thought about doing the visual captcha, but about half their audience is older. So I went easy.

  14. So true Roger. I have perfect eyesight (when wearing my contacts!), and I have trouble reading CAPTCHAs 9 times out of 10. It really is an inaccessible way of defeating spam. The best way I’ve found is to let the blog/forum/web-software owner create a database of questions to ask the user. This allows them to ask simple questions to the user, and also perhaps ask a technical question that perhaps only people registering or posting on their blog may know. For example I often do the simple math one:

    What is 2 + 3?

    And perhaps on a Nissan enthusiast forum, you could be asked to name one model of Nissan car.

    One idea I’m working on at the moment (which isn’t accessible but it serves as one alternative to CAPTCHAs), is having a rectangle, and within the left hand side of the rectangle is a small square. Then I will ask the user to simply drag the square from one side of the rectangle to the other, to detect if they’re human or not.

    The way to defeating spam is through checking for human skills, and avoiding consistency in the way that you do your checks.

  15. for my personal blog, the “Did You Pass Math?”-method works perfectly for me. And those that still get through somehow get killed-in-action by Akismet. Additionally implemented, but nearly never used is a Simple Trackback plugin.

    before that, my blog was hit by 60.000+ spam attempts per month.

    cu, w0lf.

  16. Hmm.. judging from comments 15 and 16 here, Roger, your anti-spam method isn’t always entirely successful…

    For me the risk in including form elements and using CSS to hide them is simple - what if someone is using a browser that doesn’t support CSS (or has it switched off for some other reason?).

    You’d need to ensure that the label was sufficiently clear “don’t fill in anything in this field otherwise I’d think you’re a spammer” - and as spam bots wise up, some would probably try leaving fields with an unknown label blank.

    I’m in favour of using a relatively simple logical question or general knowledge question (ideally randomly selected from a list rather than repeatedly using the same one).

  17. Oh, I see you’ve already zapped ‘em.

    Apologies to fwolf and erm… myself, who now sit in comment numbers 15 and 16!

  18. I think captchas are only useful for sites that are specifically targeted by spam-bots, like myspace.com or sites that run on WordPress or other CMSes used by a lot of sites.

    Small sites with custom commenting systems are only targeted by automated spam-bots. Spammers can’t spend human resources on circumventing anti-spam measures that are only used on one small site. Some small accessible measures can be taken to filter out these spam-bots.

    I use the following methods of detecting spam-messages:

    • I use ‘cryptic’ names for my variables. Don’t use things like name=email .
    • Check if data is valid (like valid email address). (not really anti-spam)
    • I add a hidden input element with the timestamp in it. When the form is submitted I check if the timestamp is recent. This way automated spambots have to revisit the page to get a more current timestamp. This is easily circumvented by a human who recognizes the hidden value is a timestamp, but automated bots are not that smart (I hope). Just in case I also added a hash of the timestamp.
    • You can check the referer that is sent
    • I use JS to add a hidden variable to the form. I’ve combined this with the last option, so when there is no JS and no referer I mark it as spam. This way you don’t need JS
    • I check for spam-words and urls. 3 or more and I mark it as spam
    • I also check when the last message from that email address was sent. If it was less than one minute ago I block it and show a nice warning since legitimate users could do so too. The same can be done with the IP address
    • Log the IP address so you can block IP addresses of big spammers

  19. When you solve one problem, another one arises! You solved spam but have an issue with accessibility. Anyways, this goes on to prove that UI professionals will never be out of job in the coming decades!

  20. Yes, it’s too bad that people use something as obtrusive for CAPTCHA to prevent spam when there are loads of things you can do on the backend to accomplish the same thing without burdening or blocking out your users.

  21. I know it’s a bit of a stupid idea but when I would want to block possible spam-bots I would use the browser-header sent to servers and then I would check it against the browscap.ini of browsers.garykeith.com.

    This can’t hinder all spam-bots but it can help to avoid those, who don’t give a fake browser-header.

  22. (dharma) When you solve one problem, another one arises! You solved spam but have an issue with accessibility.

    So true, and on multiple levels. Not only are CAPTCHAs problematic for the visually impaired, many of the alternative solutions we can think of won’t work when CSS or Javascript is unavailable. Or we create cultural barriers, or cognitive barriers.

    Instead of a simple math problem or a trivia question, how about spelling out numbers? For instance, the control’s label would say “Enter these numbers: eight four seven two” and the user has to enter “8472”. The numbers will be announced correctly by the screen reader, and all that’s required is the user knows the words for those digits in the language of the page.

  23. Checkbox tricks, random variables, math questions etc. provide some protection (by obscurity), but are not a viable option for larger sites due to the fact that they’re very easy to get around.

    CAPTCHAs are by nature obtrusive. Non-obtrusive CAPTCHAs are not CAPTCHAs, and therefore don’t work.

  24. September 5, 2007 by Roger Johansson (Author comment)

    Keith:

    You could always use www.recaptcha.net

    As far as I can tell, recaptcha requires JavaScript. If true, that makes it a nonstarter.

    beth:

    To further demonstrate your point, I don’t have any disabilities and I have a difficult time using CAPTCHAs. Frequently there’s not a clear distinction between numbers and letters, or a character is so skewed you can’t possibly tell what it is.

    I have the same problem, and often end up having to redo the process before I’m lucky to get a picture I can read.

    Rod:

    I guess another question to ask yourself is if fighting comment spam is potentially worth putting additional cognitive overhead on the end user. I can semi-understand the need for financial and high-security web sites utilizing a captcha, but a blog?

    Yes, it’s a good question to ask yourself. I wasn’t speaking of blogs in particular here though, but any site that allows visitors to post comments or submit forms.

    Tanny:

    Does anyone out there have any thoughts for slowing down a hacker who is attempting to login to your site?

    I’m not sure I follow. Do you mean using some kind of CAPTCHA in addition to the user name and password?

    JackP:

    Hmm.. judging from comments 15 and 16 here, Roger, your anti-spam method isn’t always entirely successful…

    Nope. Manually posted spam still gets through. There’s no way I can stop that completely.

  25. Hi Roger,

    I use CFFormProtect, a ColdFusion serverside validation tool, that has some very nice features. One of the smartest is that it adds a blank hidden field in the form. Most robots just rip the entire form, fill in all the blanks (also the hidden fields) and post the whole shebang. But, and this is the clue, the serverside script checks that the hidden field is EMPTY and if not returns an error, which the user of the script can handle as he/she prefers.

    Furthermore it checks the time it has taken to submit the form and some other smart things. I receive a mail every time “Commentspam has been prevented”, with an excellent dump of all the different posted variables and some CGI-information. If something was unjustly rejected as spam, I have all the info I need to manually fill in the comments afterwards.

    The last gem of this script is that it has the option to connect to the AKISMET API (@ akismet.com) to further check its database for spam related content.

    So although not many people have a ColdFusion driven blog (Ray Camden’s BlogCFC is excellent by the way), the Akismet option is available for everyone. I’ve written a little about this also on my own blog: Comment-spamming III.
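
The hidden-field, timestamp and link-count checks described in comments 18 and 25, sketched server-side in Python as an added example (not code from the post, its commenters or CFFormProtect). Field names, thresholds and the secret are assumptions, and a keyed HMAC stands in for the plain hash of the timestamp that comment 18 mentions.

```python
import hashlib
import hmac
import re
import time

# Assumptions (not from the page): field names, thresholds and the secret.
SECRET_KEY = b"placeholder-random-server-side-secret"
HONEYPOT_FIELD = "website2"   # hypothetical "leave this box empty" field
MIN_FILL_SECONDS = 3          # a form posted faster than this is suspicious
MAX_FORM_AGE_SECONDS = 3600   # forces bots to re-fetch the page regularly
MAX_LINKS = 2                 # comment 18 marks "3 or more" as spam


def _sign(ts):
    """Keyed MAC over the timestamp; a plain hash could be recomputed by a bot."""
    return hmac.new(SECRET_KEY, ts.encode("ascii"), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value for the hidden field, generated when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_sign(ts)}"


def check_submission(form, now=None):
    """Return the reasons a submission looks automated (empty list = accept)."""
    now = time.time() if now is None else now
    reasons = []

    # Honeypot: people are told to leave it empty; form-filling bots fill it.
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot-filled")

    # Signed timestamp: reject forged values, instant posts and stale forms.
    ts, _, mac = form.get("token", "").partition(":")
    well_formed = ts.isascii() and ts.isdigit() and mac.isascii()
    if not (well_formed and hmac.compare_digest(mac, _sign(ts))):
        reasons.append("token-invalid")
    else:
        age = now - int(ts)
        if age < MIN_FILL_SECONDS:
            reasons.append("submitted-too-fast")
        elif age > MAX_FORM_AGE_SECONDS:
            reasons.append("token-stale")

    # Link throttle on the comment body.
    links = re.findall(r"https?://", form.get("comment", ""), re.IGNORECASE)
    if len(links) > MAX_LINKS:
        reasons.append("too-many-links")
    return reasons


# Constructed sample submissions (not real traffic).
TOKEN = issue_token(now=1_000)
HUMAN = {HONEYPOT_FIELD: "", "token": TOKEN,
         "comment": "Good point, see http://example.org/a11y"}
BOT = {HONEYPOT_FIELD: "http://spam.example", "token": TOKEN,
       "comment": "http://a.example http://b.example http://c.example"}

if __name__ == "__main__":
    print(check_submission(HUMAN, now=1_030))
    print(check_submission(BOT, now=1_001))
```

A valid token can be replayed until it goes stale, so this complements the per-address rate limit from comment 18 rather than replacing it. If the honeypot is hidden with CSS, keep the “leave this empty” label for visitors whose browsers still show the field.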

  26. Roger, it’s extra scary when you’re dealing with important information like your bank account or student loan, I’m terrified it will pull one of those “three strikes you’re out” where after so many failed log in attempts it resets your account.

  27. September 6, 2007 by Anonymous

    I do want audio-captchas on my site, but until there are simple and free libraries to integrate audio-captchas, I’ll have to do without. I’m not willing to put in the hours of development it takes.

    And by simple I mean easy to install, as well as easy to program to work along with visual captchas. By free, I mean under free enough license that my customer(s) don’t have to worry about license- and copyright issues.

  28. Has anyone tried using a variation on KittenAuth? Basically, you have a grid with pictures on it and anyone wanting to pass the authorisation has to select the correct pictures from the grid. The original example uses kittens. Adding a “meew” sfx when the image is active should give you a non-visual version.

    Just a thought

  29. At the risk of tipping off any spammers who might Google this string and learn our secrets, I’ve taken to asking a simple question the user must answer by typing an answer into a text field (no dropdowns).

    “Is ice hot or cold?” is a good one.

    I suppose it could be argued that some people might have trouble answering the question, but it’s seemed to work well for my sites.

    Naturally, I give the field name a deceptive name on the source-side to disguise its true meaning from spambots.

  30. Great article! I belong also to the kind of people who don’t find CAPTCHAs that fascinating. Imho the spam problem is more a trouble of a site owner and not of site visitors. So the spam protection must be as friendly to visitors as possible.

    Personally I use on my blog a great WordPress plugin, which is based on a simple JavaScript. The spam bots are usually quite stupid, so they don’t interpret the whole page code. If a page is called by a web browser, JavaScript just hides the captcha field and puts in the numbers itself. So the users don’t even know that the called page is spam protected.

  31. I’m also in favour of simple questions and answers. This clearly can lead to other problems in terms of language, cognitive or cultural differences if not properly thought out. However, I think it’s the best compromise between effective anti-spam and accessibility.

    For those who use Expression Engine you may be interested in an extension we’ve put together that changes the default graphic captchas into a textual Q & A. Find out more and download it from http://www.purple-dogfish.co.uk/free-stuff/accessible-captcha

  32. What about a contextual question? Something like:

    • who’s the author of this article?
    • on the following link [the_link], who did the ##th comment? (sample which works on your site)

    Both ideas are based on the human understanding capacity and:

    1. this is an easy task for people;
    2. harder for a bot;
    3. still accessible.

    We need to avoid visual recognition for people with vision loss, orthographic recognition for dyslexic people, sound recognition for deaf people, etc. I think when someone posts a comment on a website, that means they know it a bit, so we need to use this fact to ask site-related questions.

  33. Captcha by its very nature makes developers’ lives easier by burdening the user with extra, and often confusing, steps.

    When it comes to usability, the best option is no Captcha. However, Honeypot Captcha is a fantastic unobtrusive alternative which I blogged about recently.
