ZURBlog is where we discuss product design, business and strategy.

Aiden Bordner says

While I'm inclined to agree with this from a fundamental standpoint on the adversity between business requirements and security requirements, I think this perspective is limited to a lens of giving one of those requirement sets priority.

If you think about the amount of PII you request at a user registration, it's the same issue of balance: if your system has functionality requirements to be competitive that rely on robust location awareness (e.g., Facebook) you must satisfy those requirements with a user model that includes a strong location reference, such as a zipcode. Conversely, if your ultimate need is simply numbers of users and precise location identification isn't a strong requirement (e.g., MySpace) location can be an optional, open-text field where a user can be less obligated to provide personal data, reducing the ask and increasing the ease of the experience.

Similarly, if your system and/or business has the propensity to be overwhelmed by automated systems that critically reduce the quality of the experience for real users (think Ticketmaster) a captcha is a perfectly suitable solution that recognizes the balance of business priorities with system priorities.

Moreover, I think our forefathers would agree based on the proliferation of Captchas in existing products to solve this need. Your classic Nielsen/Tufte heuristic evaluators would dictate you don't violate convention and confuse the user. The question isn't the number of "clicks" (or fields in the reg form) but how much the user is required to think or give to convert. In that vein, the spam filter on this blog represents an uncommon interaction for me, and required a second or two of interface scanning to determine how I was supposed to respond. (On an unrelated note, it's also a far less secure interaction than a Captcha and likely wouldn't work on a site where economic gain can be made from spamming the system like Ticketmaster).

That said, I feel Captchas are fairly embedded in the modern user conventions for web applications, and provide a much more limited barrier than they provide benefit to the gestalt experience for the active user population.

However, in an ideal world, I agree with the sentiment. My $0.02 :)

David Sanchez says

Mark, thanks for the post, interesting point of view, but you fail to address the major advantage of using Turing test and benefits for any serious online business. Unless you have a better solution for online fraud (powered by ID Theft and there are many) and endless web bots parsing every exploitable web form or web service, captcha’s are here to stay. I think you need to disambiguate the term user which in technology terms is utterly meaningless when placed side by side a human or software are the same when accessing the infrastructure, the same TCP/IP protocol and interface.

I am actually support dynamic challenging Turing tests based on the DEMO graphics of a particular website. I doubt very much the captchas are responsible for “cart” abandonment or revenue loss. And as algorithm and technologies get more complex, we can be sure there will be other authentication technologies on the way. CAPTCHA’s are one of the best tools against spammers.

Marnen Laibow-Koser says

Hmm. Interesting post, and I'm going to have to think about the issue some more. But at first blush, I think suitability depends on the nature of the captcha. Personally, as a user, I find some captchas annoying, but most are fine. As a Web application developer, I've never needed to implement one -- not sure why, but we've never had a problem that captchas would solve. Perhaps I just don't work on the right sort of sites.

I find it particularly ironic that your comment system for your blog -- even this very post -- has a captcha of sorts -- the box in which you have to type a letter to filter comment spam. Granted, it's not a "canonical" image-based captcha, but it is extra work of the sort that you claim the user shouldn't have to perform. I don't mind an extra 2 keystrokes, but I think the fact that it's there at all is interesting, to say the least.

Cavan Riley says

I've never had to build a site that considers these problems, nor do I have much knowledge of how spam bots work. However, I would imagine that spam bots attempt to fill out all questions in a form because they are unaware which fields are required. So, couldn't you then have a question that is visually hidden to the users filling out the form. Thus, the only thing that would answer the question would be something reading the code.

Just a thought. Doubt it's that simple.

Cavan Riley says

If you get around to trying it out, make sure you send me an email and let me know how the tests go. Even if it fails miserably, I'm curious of the outcome.

Brenton says

I'm working on a survey system now that dynamically arranges/shows questions to ensure the user only sees what he needs to fill out. On the server-side, I need to check that the submitted values form a valid path through the survey before I persist them.

The idea of the CAPTCHA is to test if the respondent is human. Why not shift the burden and instead test if the respondent is a friendly robot, e.g. a real browser ostensibly powered by a human? Cavan's solution should do this, but its not the only way. In my app, the form is built as the user progresses through the survey. If the responses are out-of-sequence or too many values are submitted, I know the client-side JavaScript didn't execute, the data is invalid, and the results should not be persisted.

Web design is all about usability - we must understand the path the user will take and optimize it as much as possible for a friendly experience. If you're working on a closed-source, low-visibility form, you can implicitly test if a real user followed the expected path versus a hopefully less-discerning spambot that shotgun-blasts your form with nonsense.

Patrick Hutchinson says

There is a great Rails plugin called Negative Captcha that does this. There are some articles about the pattern as well if you google "negative captcha."

Pablo Impallari says

I love the simplicity of this captcha (Scroll to the end of the form) http://www.letterheadfonts.com/contact/ordering/form.php

Please type these numbers: 123 into this box: ____

federal street associates hedge fund says

refreshing and very informative. myself wish there were more blogs like it. Sincerly

bottle old wine says

Hello You How can start this work please tell me myself have a website aswell.

television commercials says

meself am excited already as meself know you always have pretty cool stuff. Bye

nfl odds spread says

you couldnt agree more, myself, but not everyone is as clever as you seem to be. Or as you seem to be! HA! :-p Talk Later

wireless adapters says

Nice writing style. Whats yer opinion on soft? Goodbye

condolences says

you couldnt agree more, myself, but not everyone is as clever as you seem to be. Or as you seem to be! HA! :-p i a blog owner too. Talk Later

electrical says

Me like your site design. Looking forward to reading more down teh road. Cu Soon

printers row lit fest 2010 says

Wow! thank you! my homie always wanted to write in my site something like that. Can my homie take part of your post to my blog? yours truly a blog owner too.