Alternatives to Captcha
I have never been a fan of the CAPTCHA, as the concept pushes the burden of proof onto the user when I think we should be doing more to technically assess whether a user is a human or not. There is also the not inconsequential accessibility issue involved with CAPTCHA: if the user has poor or no eyesight, cognitive disabilities, or even just a user agent which displays unexpectedly, the CAPTCHA can render the web site or application inaccessible.
But there are, of course, increasingly times when some kind of Turing test is required, so what are the alternatives?
-
Logical gatekeeper
The form comes with a question similar to the CAPTCHA, but instead of a hard-to-decipher image, a simple logical question is asked, such as “Is ice hot or cold?” or “How do you spell BLUE?”, which requires the user to type an answer. Alternatively, a multiple-choice question can use a select box for the user to pick the right answer. This method delivers most or all of the benefits of the CAPTCHA while easing the burden on the user and being more accessible. The image below offers an example from zeldman.com.

-
Session variable / GET request detection
This is an unobtrusive alternative to CAPTCHA use that can filter out spam-bots. The idea is that you put something in the session when a GET request is made, and when the form is submitted you check the session for that variable.
This can filter out stupid bots that submit a POST request directly without first getting the page with the form. Of course, this system can be fooled by a bot that acts like a web browser, so it is best used with other safeguards active as well.
-
False form elements
Again, this is an unobtrusive alternative to the CAPTCHA, and a method that reduces both bot attacks and user difficulty. The idea here is to include a dummy form element on the page that any bot will fill in but a human will leave empty (see example and details). The dummy element should have a real enough name to attract a bot but should be hidden from a user. When the form is submitted, you check whether the hidden fields have been filled in and, if so, assume a bot is at work.
-
Counting key presses
This method is also unobtrusive and relies on the fact that users actually type information into the form, while a bot will just provide data. Essentially, the form counts the user's key presses and compares them to the data being entered (see example), thereby figuring out whether the user is a human entering data or a bot.
Other considerations
There is quite a lot being written on the web regarding Turing tests, including a paper by the W3C on the inaccessibility of CAPTCHA and even some truly inventive, if not particularly useful, variations.
Personally, I think the best solution is a mix. Use an unobtrusive solution (such as the false form field method) and, if that solution suggests a robot, then use a CAPTCHA or the logic question variation above.
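The session check, the false form element and the fallback to a logic question can be combined in one form handler. The sketch below is an added example, not code from the original post; the field name `website`, the function names and the use of a per-form token (rather than a bare session flag) are assumptions made for illustration, and `session` and `post` stand in for whatever dict-like objects your framework provides.

```python
import hmac
import secrets

HONEYPOT = "website"  # assumed decoy field name, hidden from humans via CSS
QUESTIONS = {"Is ice hot or cold?": "cold", "How do you spell BLUE?": "blue"}

def serve_form(session):
    """GET: note in the session that this client fetched the form."""
    session["form_token"] = secrets.token_urlsafe(16)
    return session["form_token"]  # echoed back in a hidden input

def looks_like_bot(session, post):
    """Return the reasons a POST looks automated (empty list = none)."""
    reasons = []
    expected = session.pop("form_token", None)  # single use: replays fail
    supplied = post.get("form_token", "")
    if expected is None or not hmac.compare_digest(
            expected.encode(), supplied.encode()):
        reasons.append("no prior GET in this session")
    if post.get(HONEYPOT, "").strip():
        reasons.append("hidden field was filled in")
    return reasons

def handle_post(session, post):
    """POST: accept clean submissions, otherwise fall back to a question."""
    if "challenge_answer" in session:  # client is answering a fallback question
        expected = session.pop("challenge_answer")
        given = post.get("answer", "").strip().lower()
        return ("accept", None) if given == expected else ("reject", None)
    if not looks_like_bot(session, post):
        return ("accept", None)
    question = secrets.choice(list(QUESTIONS))
    session["challenge_answer"] = QUESTIONS[question]
    return ("challenge", question)
```

A human who loads the form and leaves the decoy field empty never sees a challenge; only submissions that trip one of the unobtrusive checks are asked the question.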