
I Hate CAPTCHA...

March 26, 2005 | 40 Comments

…and Ticketmaster too.

For those of you who don’t know the acronym, CAPTCHA are those visual letter tests some applications and sites use to make sure you’re an actual human. And they’re a royal pain in the ass, aside from all the obvious accessibility problems.

The Wikipedia has a good, detailed, definition if you want to know more.

Seriously there has to be a better way to verify someone’s humanity. I just spent an hour trying to get Weezer tickets and I think I may have missed out because of the CAPTCHA. Seriously, some of them boil down to educated guesses, what the hell is that? The tickets went so damn fast, every mistake cost me.

CAPTCHA is a lame solution

I’m (almost) perfectly sighted and I couldn’t pass the damn test quite a few times and it may have affected my ability to actually get tickets. They take my credit card, isn’t that enough to verify that I am who I say I am? There has to be a better way.

For the life of me, I can’t see how CAPTCHA solves anything. I’d imagine that it’s still hackable and really it just creates a barrier to everyone who comes across it.

Ticketmaster in general

Anyway, while I’m at it, what the heck is the deal with all the service charges? My last transaction with Ticketmaster cost me over 20 bucks. And it’s extra to print my own tickets???? WTF? Seriously, just roll those costs into the price of the ticket! I’d feel much better about paying $60 a ticket rather than $42 + a bunch of bullshit extras.

I sure hope the artist gets a good chunk of that…wishful thinking, I know.

Filed under: IA and Usability

Comments

1. Rimantas said:

I agree with you on this one.
Be it CAPTCHA, or any other “human test” it just complicates things for the average user, and hardly complicates anything for the spammer. CAPTCHAs can be defeated by OCRing (which gives us more and more complicated ones to the degree that humans cannot solve them), or by other humans willing to get access to some porno site.
I wonder how this affects conversion rate.
No increase, that’s for sure.

Posted on March 26, 2005 10:15 AM | #

2. Scott said:

You’re right on the money about Ticketmaster more or less nickel-and-diming people for service charges. Especially printing your own tickets! That’s such a crock.

Ticketmaster really have a monopoly on the market so there’s not much people can do unless bands can start selling their own tickets and without annoying service charges. Wishful thinking I think at this point since most already still have enough problems with legal downloading of their music.

I know I’m starting to lose interest in the big rock shows because I can’t stand Ticketmaster, the cost of a single ticket is way out of hand and I don’t feel like I’m getting my money’s worth most of the time. For club shows, you spend $10 - $25 average, get a good show and can often get the tickets right from the club or some of the small record stores, and with no service charges. Much better!

Posted on March 26, 2005 10:22 AM | #

3. Jeff Smith said:

I wholeheartedly agree with you Keith. I spent the better part of an hour the other evening trying to buy tickets for a Motorhead concert as well as a Queens of the Stone Age show. The first issue was with the CAPTCHA system, it’s the worst security measure I ever came across. Like you said, isn’t using my credit card enough? Why don’t they just start using the 3 or 4 numbers from the back of the card as an added measure like a lot of other vendors? Then I can’t count how many times I got 404 errors just before the last step of the transaction. Extremely frustrating.

Mind you this is ticketmaster.ca that I’m dealing with, but I’m sure they use the exact same systems as ticketmaster.com. Almost makes me want to just drive the 25 minutes to the box office just to buy the tickets in person and save the frustration.

Posted on March 26, 2005 10:24 AM | #

4. Peter said:

A better solution is a simple mathematics test, for an example go here:

http://www.hudzilla.org/phpbook/read.php/16_1_0

Scroll all the way down to see it. I think something like this is a lot more user-friendly than the “guess the characters” CAPTCHA. Of course, a computer program can be written to pass this test, but making it a little more complex would make that very hard.

Posted on March 26, 2005 10:43 AM | #

5. Jeroen Mulder said:

Peter, wow, that’s a very interesting solution. Is there more information on this?

Posted on March 26, 2005 10:57 AM | #

6. paul haine said:

Jeroen, Eric Meyer made a Wordpress plugin that acts in a similar way:

http://meyerweb.com/eric/tools/wordpress/wp-gatekeeper.html

I’ve been using a self-hacked variation of this technique for my comment forms and since implementing it I’ve received a grand total of zero comment spam.

Posted on March 26, 2005 11:53 AM | #

7. andrew said:

Agreed w/ the Ticketmaster fees. Absolutely ridiculous. I was about to purchase some tickets last night, only to find that the service charge was 30% of the price of the ticket itself… for EACH TICKET. I’ll purchase at the door, thank you.

Kinda makes you wonder what’s going to happen to Ask Jeeves now that the parent company of Ticketmaster has bought them out. Not that they were anything but a crappy search engine prior to the sale, but who knows… perhaps they can make it suck even more by adding CAPTCHAs & service charges into the web search mix!

Posted on March 26, 2005 12:15 PM | #

8. David Chen said:

I haven’t ever used it, since I rarely go to events that require tickets, but there’s a site called Brown Paper Tickets that is trying to compete with TicketMaster and tries to be much more fair. They have a “Ticket Buyer’s Bill of Rights” in their Philosophy section that addresses many evils TicketMaster gets away with. I don’t know if they use CAPTCHAs, though, and how best to encourage more events to use this service.

Posted on March 26, 2005 12:24 PM | #

9. Jeremy Flint said:

I try to go directly to the ticket office as much as I can. Mainly it is to avoid the ridiculous Ticketmaster service charges, but also because you can usually pick seats that are better than what the Ticketmaster site offers.

But when it is a show that sells out super fast, like Weezer or the upcoming Black Crowes shows in NYC, you have to use the site.

You would think that if you actually created a Ticketmaster account and had a credit card on file with them they would bypass the CAPTCHA.

BTW, if you click the “Can’t See The Word” link below the CAPTCHA image, it opens a popup window with a link that lets you continue on without having to guess the letters. Not really easier…but may save some time if the word is hard to read.

The curvy letters are the hardest for me.

Posted on March 26, 2005 04:45 PM | #

10. Philippe said:

I’m with you on the CAPTCHA thingie. They are an imperial pain. The other day we hit upon one that neither of us at the studio could read. We even tried on another monitor. No Luck. I then hit upon the idea (we’re running OS X): Command-Option-Control 8 ! This inverts the screen to high contrast white on black when you have “Full Keyboard Access” turned on. Then my partner could discover the code.

Posted on March 26, 2005 07:13 PM | #

11. chuck said:

Weezer!? Say it ain’t so! :) Weezer rules.

Posted on March 26, 2005 07:53 PM | #

12. Sean Voisen said:

Say it ain’t so …
Your drug is a heartbreaker.
My love is a life taker.

Sorry, had to be said.

Posted on March 26, 2005 08:36 PM | #

13. max said:

I see nothing wrong with CAPTCHAs.

Look at it this way: if they weren’t there, not only would people dumber than you not be incapable of figuring them out, but some script kiddie and each of his friends wouldn’t be able to scam out 100 tickets more than the average user (I’m exaggerating, they probably don’t have the credit card numbers of that many friends that want tickets… but other places where captchas are used don’t need a card).

The OCR software (neural net type AI, I think?) that’s needed to crack captchas isn’t at all widely available. On top of this, the software that was used to demonstrate this bypass targeted dictionary word captchas. There are 309 million possible 6 letter combinations (words), OCR relies on the fact that the English language uses only a tiny fraction of them: about 15 thousand. ( http://www.esclub.gr/games/wordox/6.html http://www.javascriptkit.com/script/script2/countwords.shtml )

The math question is simply not good enough for any practical use. Granted, it serves well enough at blogs, because the time it would take to code something that cracks it (30 minutes) is enough to keep your average jackass from going at it. But bypassing it IS trivial: it would take me drastically longer to write the code that worked with loading and submitting the page than the code that matched “one” to 1.

Posted on March 26, 2005 10:11 PM | #

14. Peter said:

Max:

As I said, the math question can be made more complex. I am not sure what the code behind the question is, but it might be worth asking the author of Practical PHP Programming how he managed to implement this test. Of course you could also look at Eric Meyer’s solution, the link is posted above.

By the way, Eric Meyer’s solution is a lot more complex than the math question already. I think it’s a good choice.

Posted on March 26, 2005 10:46 PM | #

15. Michael Heilemann said:

I couldn’t agree more Keith. CAPTCHAs are the bane of the universe just now, the ultimate bad solution to antispam.

I’ve made it my business to not post comments to sites that use CAPTCHAs unless I absolutely have to.

Posted on March 26, 2005 11:40 PM | #

16. Daniel Färber said:

I don’t understand your reasons against CAPTCHAs. Of course there are badly done versions, but in general I consider them as a very good way to avoid spam on the one hand and not to restrict usability too much on the other hand.
And I think the effort of programming a spam bot that is able to read the characters of a CAPTCHA image is quite big – even if the characters are very legible for humans.

Posted on March 27, 2005 09:56 AM | #

17. max said:

Peter, first, I’ll agree with you that for blogs and similar, where, really, nobody is going to put forth the effort to crack even the simplest of protective measures, captchas are probably unnecessary. You could put a red border around a span of text, and then ask “what word is in the red box?”, and that would work just as well.

(Note though, that if even a moderately amateur programmer went into a jealous rage at our gracious host for actually getting tickets (had that occurred), then only a captcha would stand up to 2 hours of hard toil.)

For a larger site that’s a much bigger target (that doesn’t want to hire people to make up questions all day) a captcha is really the only solution. Granted, it’d take someone (or somemany) very determined to catalogue all those possible answers that Eric’s solution requires.


Making the math question more complex would doubtlessly make it harder for a human to answer it. If you’re interested in the implementation:
The simplest code that may be behind that question (and so likely what he would be using) is two arrays (or a map) that links numbers to words. Two numbers are chosen at random, as are their corresponding words. The two numbers are added, and the result is stored. From looking at the code, it appears that the result is hashed using md5 (and I hope, a private salt value that makes it different from other md5s). Regardless, it’s hashed (‘encrypted’) and sent to the user. When the user submits the answer, the program hashes that answer, and compares the two hashes (they should be the same).


Sorry for how large this response (and the last one) is, by the way. Summary: small sites really don’t need captchas, but larger ones do. And users hate to see captchas for actions that they have to do more than once.

Posted on March 27, 2005 12:48 PM | #
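The scheme described in comment 17 above, sketched as an added example (this is not code from the original page or from the book the comments refer to). It shows the plain-MD5 form beside a form with a server-side key; the function names, the `nonce.expires.envelope.proof` token layout, the 120-second expiry and the one-attempt rule are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
import time

WORDS = ["zero", "one", "two", "three", "four",
         "five", "six", "seven", "eight", "nine"]
MAX_SUM = 2 * (len(WORDS) - 1)  # answers can only be 0..18


def pick_question():
    """Two random digits, shown as words; returns (question text, sum)."""
    a, b = secrets.randbelow(10), secrets.randbelow(10)
    return f"What is {WORDS[a]} plus {WORDS[b]}?", a + b


# --- The scheme as comment 17 reads it: MD5 of the sum, no secret ---------

def issue_md5():
    question, total = pick_question()
    return question, hashlib.md5(str(total).encode()).hexdigest()


def verify_md5(token, answer):
    return hashlib.md5(answer.strip().encode()).hexdigest() == token


def token_reveals_answer(token):
    """Audit check: does the hidden form field give the answer away?

    With only 19 possible sums, an unkeyed hash is a 19-row lookup table.
    """
    for total in range(MAX_SUM + 1):
        if hashlib.md5(str(total).encode()).hexdigest() == token:
            return total
    return None


# --- Hardened form: keyed MAC, expiry, one attempt per token --------------

def _same(x, y):
    return hmac.compare_digest(x.encode(), y.encode())  # constant-time compare


class SignedChallenge:
    def __init__(self, key=None, ttl=120):
        self.key = key or secrets.token_bytes(32)  # never leaves the server
        self.ttl = ttl                             # seconds a token stays valid
        self._spent = set()                        # used nonces (in memory for the demo)

    def _mac(self, *parts):
        msg = "|".join(str(p) for p in parts).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, now=None):
        now = int(time.time() if now is None else now)
        question, total = pick_question()
        nonce, expires = secrets.token_hex(8), now + self.ttl
        envelope = self._mac("env", nonce, expires)      # proves the server issued it
        proof = self._mac("ans", nonce, expires, total)  # binds the expected answer
        return question, f"{nonce}.{expires}.{envelope}.{proof}"

    def verify(self, token, answer, now=None):
        now = int(time.time() if now is None else now)
        try:
            nonce, expires, envelope, proof = token.split(".")
            expires, total = int(expires), int(answer.strip())
        except ValueError:
            return False                   # malformed token or non-numeric answer
        if not _same(self._mac("env", nonce, expires), envelope):
            return False                   # forged or altered token
        if now > expires or nonce in self._spent:
            return False                   # too late, or already used
        self._spent.add(nonce)             # burn it: a wrong guess costs the token
        return _same(self._mac("ans", nonce, expires, total), proof)
```

The keyed token only stops the answer being read out of the form; a program that parses the question text itself still passes, which is the limit comment 13 points out.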

18. Justin Perkins said:

Max, how do you see a CAPTCHA if you have limited vision or no vision at all? What happens if you have images turned off or are using a browser that doesn’t support images?

I think using CAPTCHAs is an easy management decision to make because it solves the problem from their (management) perspective. However, from a standards perspective it is a giant step backwards 10 years.

People need to seriously think about this problem and develop a standard method for accurately detecting a real person is on the other end. The first solution (in this case, CAPTCHAs) is not always the best solution, as history can clearly show.

Eric Meyer’s solution is a great one. The “math challenge” is decent, but I still think it presents some accessibility problems.

I think service charges are terrible too Keith. It’s just a f*cked up business strategy to charge the consumer just a little bit more, because you can. It’s like charging 40 cents extra for gasoline in the middle of nowhere, there ain’t nothing you can do but pay the cost. I just got back from a road trip, so that one is fresh in my mind, but there are examples of this “service fee” everywhere.

Posted on March 27, 2005 05:38 PM | #

19. max said:

Justin, how do you get through an airport if you have a metal plate somewhere? “With greater difficulty”. Does that mean that we should abolish metal detectors? I don’t believe so.

Accessibility is a worthy ideal, but it just isn’t as important as preventing malicious programs from destroying your site. Look what spam did for usenet, and what it did for email.

You need to be able to tell the difference between a human and a program. If you can find a good way to do it without distorted text captchas, then great. But for now, and pardon me, many of you need to stop complaining about something without taking the time to understand why it’s there. If there wasn’t a captcha at ticketmaster, you’d be complaining about the site being down (or higher prices) because of a) all the people refreshing the crap out of it, and b) script kiddies running what would amount to a minor DOS attack (times each abuser involved, which would be a lot, since reselling tickets is profitable).

Posted on March 27, 2005 06:49 PM | #

20. Justin Perkins said:

Accessibility problems block a percentage of visitors, for a business this means lost customers. CAPTCHAs are an accessibility problem.

Nice analogy, but the airport is not as concerned with getting people through the security checkpoint (in a hassle-free manner) as they are with finding dangerous passengers, hence the unavoidable hassle of getting onto a plane. I’d like to think that a business concerned with a good user experience would try to minimize “hassles” whenever possible and CAPTCHAs are one such hassle that should be corrected.

Don’t get me wrong, the non-human interaction with a web form is not anything to shake a stick at. Nor is it just a “script kiddie” problem.

> If you can find a good way to do it without distorted text captchas, then great.

That’s the idea: find a good, accessible alternative to CAPTCHAs.

Posted on March 27, 2005 08:38 PM | #

21. max said:

Of course, but the math problem, or the “create questions faster than an attacker can answer them” are not the alternatives that you are looking for.

For the analogy, I think that a business is more concerned about not having its services damaged (to the point where all users are inconvenienced) than it is about not inconveniencing a small percentage.

And just to note, I never suggested that captchas are not an accessibility problem, or that they weren’t a pain. Just that they were a necessary pain.

Posted on March 27, 2005 09:37 PM | #

22. Peter said:

Certainly an interesting discussion here. I must agree, Max, that for large sites it would be impractical to have to come up with new questions all the time, but as you said, for small sites it may be worth it.

Eric Meyer’s solution might also be good, but the problem is that many users who do not speak English well might not be able to correctly answer the question(s).

I do agree with the point that CAPTCHA’s (in one form or another, not only the distorted-text images are CAPTCHA’s) are necessary. It is a pity that they have some accessibility problems, but hey, some things are more important than others and you can’t always have everything.

Posted on March 27, 2005 10:51 PM | #

23. Cameron said:

I’ve found this discussion especially interesting as I’ve just finished a CAPTCHA module for a site I’m working on and during its implementation started reading up on the accessibility impacts such a device may have.

A bit of background, I’m working on a site that allows registered users to upload files (which will be publicly viewable) onto our server. While we have filesize/filetype filters in place, I felt the CAPTCHA could be a good way of preventing automated processes misusing the service, however after reading this (and other articles) I’m not so sure.

Starting to think I should limit the amount of uploads a single user can make within a certain time period, and also tie this into IP addresses. I don’t think there’s any way of entirely preventing abuse of online services, merely making it tough enough to put all but the most determined of abusers off. Good to see this being discussed though, it’s an important subject.

Posted on March 28, 2005 01:28 AM | #

24. Cameron said:

Forgot to mention there’s a good article on the W3C about problems with and possible alternatives to CAPTCHA’s - “Inaccessibility of Visually-Oriented Anti-Robot Tests”.

Posted on March 28, 2005 01:34 AM | #

25. Adam Michela said:

Haha. This post is hilarious. Oh yeah, I agree. ;)

Posted on March 28, 2005 07:16 AM | #

26. Darrel said:

CAPTCHAs, for the most part, are completely useless. If the data is truly important, then someone will hire a human for $5 an hour to bypass them.

They are also increasingly defeatable via automated software.

And they all introduce some level of accessibility issues. Even the ‘simple math’ ones as suggested offer a hurdle to anyone with cognitive disabilities.

In the end, there’s usually a better way than using the captcha.

As for TM prices, they just had a show on the radio about that. The reason there are so many service fees is that’s where TM’s profit comes from. They COULD just raise the price of the tickets, and have the ticket owners then give TM a cut, but then the ticket owners are paying much more in taxes.

Posted on March 28, 2005 09:58 AM | #

27. Ulysses Ronquillo said:

OMG! I read this and I started laughing. I used to have CAPTCHA on my blog prior to WordPress 1.5. I had to modify it to make it readable. I would be upset too if I miss out on Weezer tickets. LOL.

Posted on March 28, 2005 09:59 AM | #

28. Justin Perkins said:

Thanks for the link Cameron, very good read. I am a bit confused now as to the meaning of the word CAPTCHA though.

I am wondering if CAPTCHA is a generic term to describe the method of testing for a human (any method, be it image, logic test, math question, etc..) or a more specific term to describe the using of an image to test for a human (what I originally thought). Couldn’t a “Completely Automated Public Turing test to Tell Computers and Humans Apart” (CAPTCHA) be any form of logic test, since a Turing test is a test for intelligence not specifically relating to image recognition?

Posted on March 28, 2005 11:48 AM | #

29. max said:

Any sort of test qualifies. This site has the “must preview” that acts as a captcha. It’s just that distorted text is the common one, and people don’t want to say “distorted text captcha” all the time.

Darrel, unless you know something that I don’t (quite possible) then you’re wrong about captchas being ‘increasingly defeatable’. See post 13, third paragraph (counting the first line). Random text captchas, as in the ones that humans can barely read, effectively block automated programs.

And I don’t exactly see how hiring a human would solve anything. You’d need about 10000 humans to be able to hit the rate that a program that sits across several ips would easily be able to achieve. And I don’t think that that’s a very legal job anyway: “work from home! bypass security measures for 5/h!”


And let me point out that captchas didn’t cause our host to lose out on tickets. All people trying to get some were equally disadvantaged. I think that it was just an appropriate time to point out that they’re a pain to fill out.

Posted on March 28, 2005 12:07 PM | #

30. Justin Perkins said:

Max, Darrel was simply summarizing the W3C document, both the stated items you questioned (CAPTCHAs being increasingly defeatable and hiring a human to do the job) are taken word-for-word from the document.

Go read it, it’s interesting.

Posted on March 28, 2005 12:21 PM | #

31. max said:

Hmm, I believe you’re referring to:

“For example, spammers can pay a programmer to aggregate these images and feed them one by one to a human operator, who could easily verify hundreds of them each hour.”

correct? I still strongly disagree with Darrel’s point that “CAPTCHAs, for the most part, are completely useless”, and I stick to what I said in the first half of paragraph 3, post 29.

I don’t mean to be disagreeable, but nobody has shown that (random char) captchas are crackable, or that a better solution exists.

I think that they’re a pretty clever solution, actually. If you didn’t have them, money would move from large websites/you into the pockets of isps/spammers (respectively).

Posted on March 28, 2005 05:12 PM | #

32. Cameron said:

> I don’t mean to be disagreeable, but nobody has shown that (random char) captchas are crackable, or that a better solution exists.

FWIW, the following site has quite a list of defeated image CAPTCHA’s. Handy even just to know which software to avoid :)
Pwntcha

Posted on March 29, 2005 03:35 AM | #

33. max said:

Good site Cameron, thanks for the link.

While looking at the site, I had a great idea. What if you distort the text, and then you turn it into a stereogram? Foolproof!

(I’m kidding, of course.)

Posted on March 29, 2005 09:12 AM | #

34. masukomi said:

I think there’s a vital distinction that isn’t being made here. BAD CAPTCHA’s suck but there’s no reason they have to be that bad. Because if you’re up against hackers with custom OCR software it doesn’t matter how bad you make them. I implemented them on my blog and I guarantee you you can read all of them and I’ve had 1 comment spam since implementing them.

Posted on April 7, 2005 03:48 PM | #

35. rasraf said:

I think a much better solution would be simple questions that would be difficult for a computer program to answer, but easy for people to read and understand.
Why not capitalize on the major thing that humans excel at and computers are terrible at?

Something like:
Q. What part of your body do you write with?
A. hand

Q. A person’s female child is called their ____.
A. daughter

By varying the wording it could be made very difficult for automated programs, but trivial for people.

Or possibly even better, use images and have people interpret the image. Like have various pictures of a boy playing with some kind of animal.
Ask, what kind of animal is the boy playing with?

The key is interpretation versus processing. Computers are not good at interpreting. Humans are excellent at it.

Posted on April 8, 2005 10:23 AM | #

36. Justin Shepard said:

The above post is an excellent idea (perhaps the best I’ve heard so far), but the inherent problem is this:

What about people who don’t speak English, or those whose English is not as great as that of a native speaker? I understand the possibility of offering these phrases in many languages, but creating multi-language questions may be more of a headache than it seems (Google Language Tools be damned).

And, to restate the previous comment, what about people with images turned off? The visually impaired?

Personally, I’m not so sure if the current and suggested CAPTCHA methods are even the right path.

Usability always gets in the way. =)

Posted on April 12, 2005 07:05 PM | #

37. Tevil said:

WOW!
Most of this info was way over my head. Interesting but over my head.
How about we go back to the good old-fashioned way of getting tickets. If you want them really bad then you will be sleeping in the parking lot of the ticket vendor the night before.
Some of my best memories come from those times.

Posted on May 9, 2005 10:09 PM | #

38. Pablo Ximenes said:

Hi everyone!
I do some research on computer security, especially on CAPTCHAs. I am currently working on the development of a new form of CAPTCHA based only on text. I found this discussion here very interesting and I would like to contribute by stating that creating a Human Interactive Proof (HIP) in the text domain isn’t trivial at all.
First of all let me say that every kind of test that can tell a human and a computer apart, is completely public, and is automated (with little/no human intervention) is a CAPTCHA.
There are visual captchas, audio captchas, linguistic captchas, etc, etc, etc…
I understand that many people here aren’t very familiar with some concepts, so I suggest reading this very interesting article on text based captchas:

http://bergmair.cjb.net/pub/towhiptext-proc.www/

I also read a comment here suggesting a kind of captcha with images of things (not only text). Well, the CAPTCHA project (creators of the CAPTCHA concept) have one running version of this kind of captcha:
http://gs264.sp.cs.cmu.edu/cgi-bin/esp-pix

cheers.

Posted on June 15, 2005 01:31 PM | #

39. WhosAsking said:

To whoever said you could hire a programmer for $5/hour to break CAPTCHAs, spammers have demonstrated a cheaper way to get someone to do the dirty work for them. And it can work for just about any CAPTCHA in existence because it uses the one thing CAPTCHAs depend on: actual human intervention.

All you need is a porn server or something else decidedly tempting.

When the unsuspecting visitor makes a request for free stuff, the server can then make an attempt to break a CAPTCHA. It makes the attempt innocuously like any ordinary web client, but it downloads the necessary CAPTCHA and data locally (so no offsite addressing)…and then passes it along to the user, challenging him/her to solve the CAPTCHA in order to obtain the goods.

The user solves the CAPTCHA, the web server passes along the results. If the CAPTCHA is passed, the user gets the reward (so does the server, though).

It’s a human proxy, and the actual attempt can be made to look exactly like any ordinary person making the attempt, so there’s no way for the CAPTCHA to distinguish between this and a real attempt. It would be only moderately difficult to implement the proxy but mostly automatic once implemented.

Now, as for accessibility problems, we have to consider one significant detail: the web (and in fact computer screens in general) are visual media. It’s very difficult and at times impossible to properly translate something visual (like a picture) to sound or Braille. It’s a very difficult puzzle that requires a lot of thinking–because the very nature of the problem almost necessitates some kind of sacrifice. For example, how is a blind person supposed to be able to participate in something like this: a discussion board?

Posted on August 11, 2005 09:32 PM | #

40. Pablo Ximenes said:

Hi…

This technique you stated may be useful, but almost all captcha implementations use some type of time limit: if the captcha is not solved within X seconds, it becomes invalid and even a right answer won’t do.

About visually impaired people using captchas, there are audio captchas as an alternative to visual ones. Hotmail implements this sort of captcha.
In association with that, I am working on a new form of CAPTCHA that uses only TEXT to perform the test.
A text based CAPTCHA would do the trick for people that can’t see very well, because they are easily translated into Braille and can be “read” out loud by reading software (commonly used by blind people).

Check out my last publication in web page to get more info about my proposal.

Posted on September 22, 2005 05:30 PM | #

Comments are now closed


About the Author

is a Web designer and developer in Seattle, Washington. More »
