In a recent article in the UK’s Guardian, “How CAPTCHA was foiled: Are you a man or a mouse?”, CAPTCHA was reported as being “broken” and, as WordPress’s Matt Mullenweg described it, “the bane of the internet”.
I couldn’t agree more. These distorted images of text, designed to prevent anything but a human from registering for a site, leaving comments on blogs and so on, are essentially flawed, as they are problematic for most people to use and impossible for a screen reader user to access. To my mind they serve as a superficial rather than actual security solution and succeed in nothing but turning real people away. They really are the Internet equivalent of an unfriendly bouncer working the door.
Like the ill-fated dodo, CAPTCHA seems to have really lost its ability to go anywhere. There are so many ways of cracking CAPTCHAs, either automated or human, that they are beginning to pale as a defensible security solution for a website. In fact the only thing that I can see being argued in their defence is that they keep the numbers of spammers down even if they don’t keep them out altogether, which is why sites such as Google, Yahoo!, and Hotmail keep using them. Even this is becoming questionable, however. Just as the dodo became extinct as a result of coming into contact with humans, so CAPTCHA seems to be losing its battle with spammers, especially as they are using not just automated techniques but also people in sweatshops diligently breaking CAPTCHAs manually.
What follows CAPTCHA?
The ineffectiveness of CAPTCHA has been discussed by many people in the web industry, not just accessibility advocates (see the Links section below). This being the case, why are we all still battling with CAPTCHAs on a daily basis? The problem to me is not just that there is no accessible and usable version of CAPTCHAs but that there is nothing that can replace CAPTCHAs altogether. The fact that they seem to keep the volume of spam down for website owners, even if they don’t prevent spam entirely, is also a reason why so many website owners are in no hurry to remove them.
What really needs to happen is some sort of industry collaboration where issues around security and spammers are tackled collectively and an industry standard is developed that can replace CAPTCHA. By this I don’t necessarily mean an accessible alternative to CAPTCHA but a replacement of the CAPTCHA concept altogether; specifically, one that does not put the burden on the user in the way that CAPTCHA does. It’s an industry problem after all, so working collaboratively makes sense. Already we have solutions such as Microsoft Passport or OpenID, but even these don’t seem to have replaced CAPTCHA altogether. Until we find something viable to replace CAPTCHA, we may find ourselves stuck with this increasingly ineffective security measure that does nothing more than sideline real people.
So what do you think, folks: is CAPTCHA going the way of the dodo?