Posted on by & filed under Kaizen-UX.

Quick Win

Instead of using image based CAPTCHA ask the users questions related to the content they are interacting with. This is more fun than trying to decipher one or two usually meaningless words or even a totally random string of characters. If you want no brainer questions, ask what the given article is about or what your site is selling. If it’s a contact form, you can ask something related to contacting the site’s owner. Like “In which city in the United Kingdom is the warehouse of this web shop located?” A question like this can reinforce that the shipping will be fast, because the goods are shipped from mainland UK, not Hong Kong for instance.

What Needs To Be Solved?

anti-bot-measure-quiz

Users hate CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Website owners accepted it, as a good(ish) solution to reducing the amount of spam they are getting through web forms. It is one of the most annoying things that stayed on the web for over a decade.

A CAPTCHA is not accessible at all, it effectively stops users with poor eyesight from using the given form. Not to mention those using screen readers.

Nowadays they can be easily broken, unless they are overly complicated, thus making them a nightmare even for users without disabilities. There are “services” that offer hundreds of CAPTCHA breakings for as low as five dollars. They mostly employ humans, usually in Southeast Asia, to break the CAPTCHAS at a blazing speed. This could not be circumvented by any image or simple math question.

But the best argument against CAPTCHAs is that computers are better at solving them than humans. Kumar Chellapilla, Kevin Larson, Patrice Y. Simard and Mary Czerwinski wrote a paper about this in 2005, so we can safely assume that in the past 9 years the CAPTCHAs defeated their own purpose. There is even a petition to kill CAPTCHAs, which reached over 3000 signatures.

textCAPTCHA and similar services

http://textcaptcha.com/ provides textual CAPTCHAs based on simple logic questions. Over 180 million questions and counting. This is a very handy solution for generic purposes. The solution itself is very elegant. Whenever you need to prevent bots filling a form, you ask for a simple question, as in you need to make a request to the textcaptcha server. It will return an XML response containing a randomly selected question and answer pair. Because of the huge pool, hardcoding the answers into bots will not work. To provide better usability multiple answers may be returned if several responses are acceptable. For example if the question was: “How many stars are in the solar system?” “1” and “one” are both acceptable.

Now my main issue with similar solutions is, that they are totally disconnected from the topic. I mean if I’m writing a blog post about the Ruby on Rails framework, why does the CAPTCHA asks the user about the number of stars in the solar system? While the users are thinking on a meaningful comment, they will be distracted by a totally irrelevant question. Not to mention some questions can be trickier for non-native English speakers. From this perspective the old CAPTCHA can be better.

Moreover textCAPTCHA will not prevent human link spammers to force themselves through the form. Only a part of the comment/contact form spam is from bots. A good chunk is from link spammers, who try to fill the form plausibly, while sneaking in a few links. Comments like “Nice post about CAPTCHAs. Totally love it. Referred to it in my whitepaper at: http://buycheapviagranow.com/cheap-cialis.html”.

CAPTCHA replacement that increases involvement

The solution I think is the best in case of smaller websites or less popular web applications is to ask questions about the article/site itself. In some cases this can blend into the interface seamlessly. For example, if you have a shoe store, and ask for reviews, you could ask about the color of the shoe they purchased. If they type in a valid color for the said shoe, they are most likely non-bot users.

If you create a website for a roadshow, you can ask something like: “Name a city where the roadshow stops:” The valid answers are obvious to you, and anyone slightly interested in the road show. (It should be on the site and easy to find for each visitor.)

I prefer adding an explanation to most form fields, because this increases the conversion rate of forms in my experience. So I would add something like “Please reply to the question above. This will prove, that you have read the article. Thank you!” below the input.

Drawbacks of relevant question based CAPTCHA replacement

First of all, it needs extra work, to find the appropriate questions and each possible answer. That can be a tremendous job for larger sites. Moreover it works only if the spammers don’t specifically target your site. This will be the case for most small and mid-range sites.

I would not recommend this for Amazon, unless they create a spider that automagically gathers question/answer pairs from a given webpage. CAPTCHA, even if hated by most, is a well-known landmark in today’s web. None will stare puzzled at an image based CAPTCHA in 2014. On the other hand relevant question based CAPTCHA replacement is quite a new concept, so if you implement such a thing people might wonder what it is, and if it bites.

Futuresight

say-no-to-captcha
I hope that CAPTCHAs will be gone, and gone for good. Everyone hates the UX disaster they are, but no better solution got widespread acceptance. It is yet to be seen if the relevant question based CAPTCHA replacement will be successful. To achieve that, we will need a name for it. RQBCR is such an ugly acronym, I would prefer something like MOX, but that is a nuclear fuel according to Wikipedia, but for now that is the least concerning matter in the anti-CAPTCHA campaign.

5 Responses to “Relevant question based CAPTCHA replacement”

  1. Robert Cartman

    I made a little honeypot trap for the spammers. It’s simply a textarea hidden with CSS and on form submit a script checks if it is empty or not. Since normal users shouldn’t see it, only the spambots are able to write anything into that textarea and if they do so they find themself redirected to google.com 🙂
    I tried a lot of CAPTCHA, IP/email filter, and other solutions before, but that simple honeypot proven the most effective.

    Reply
    • W. Szabó Péter

      Great example, thanks a lot. Unfortunately that can be brute forced by simply submitting the form times the number of fields, each time leaving one field empty, starting with the last one obviously. 🙂 Or you could use Mechanize and Nokogiri and a bit of smart thinking to find honeypots and spam without brute force. But, then again, honeypot can be a life saver, and it is very user friendly. (Compared to CAPTCHA everything is.)

      Reply
  2. Marjorie Davidson-Smith

    I have been trying to contact an online company about a copyright issue for yonks. I simply cannot get the answer to their captcha questions!! They ask :1) are you a bot? 2)are you human? 3) do you like spam? I have tried every answer I can think of and they are all wrong!! I say – the sooner captcha goes in the bin, the better!

    Reply

Leave a Reply