
Image: Flickr/Phillie Casablanca
Captchas are those annoying "What does this garbled text say?" puzzles that you have to solve before you're allowed to sign up for something online. (Read more about Captchas in March's Scientific American.) They’re designed to thwart spammers whose automated software bots would otherwise pollute the Web site with phony sign-ups.
But Captchas are sometimes so difficult that even humans can't solve them. And although they're no longer sufficient to stop spammers' increasingly sophisticated bots, they're 100 percent effective in keeping out blind people.
Various people have come up with alternatives to the hated Captcha. Each has its charms—and its drawbacks. For example:
Task Puzzles, Image Puzzles
In a world of tablets and touch-screen phones, a typing puzzle is extra clumsy. In a task puzzle, you're asked to do something, like "Tap here if you're human." In theory, a software bot can't do that. Unfortunately, non-English speakers won't know how to respond, either.
Some sites now offer image puzzles: "Draw a circle around the photo of a lighthouse." Great—unless you're blind.
The Audio Captcha
You hear a garbled, scratchy recording of someone saying a word, and you're supposed to type in what it says. But the same problems apply: sometimes it's hard for even a human to understand the word, and of course deaf people are left out.
The Math Puzzle
Instead of trying to interpret a garbled-looking word, you're asked to solve a simple math problem like "What's 3 + 3?" Both blind people and seeing people could solve this one.
The trick here, of course, is finding puzzles that are simple enough for everyone to solve, regardless of education level—and still hard enough to stop automated software bots. "What's 3 + 3?" won't stop many determined spammer bots.
The Trivia Puzzle
Another proposal: Ask a pitifully easy question like, "What color is the sky?" This kind of blockade is great if you're an English speaker and a perfect speller. Otherwise, it might keep out innocent bystanders as well as bots.
Text-Message Verification
When you try to sign up for a Google Voice account, you're asked for your cell phone number. When you click "Connect," your phone dings, and you're asked to type in a two-digit code that the Web site is displaying. Fast, easy and foolproof—unless, of course, you don't have a cell phone or you're blind or you don't live in the United States.
The Confirmation-Page Trick
Once you've filled in your sign-up information, you click "Okay"—and you arrive at a final confirmation page, where a message says, "Click 'Confirm' if this information is correct." This non-puzzle puzzle works very well, because software bots aren't expecting the additional step. Unfortunately, if yours is a popular site (such as Yahoo or Google), it won't take long for the spammers to catch on.
The Timing Trick
If you're a real person, it might take you a couple of minutes to fill in the fields of a Web form; if you're a software bot, you can fill it in instantly. A Web site's code can measure the time it takes you to fill in the form, and gauge your humanness that way.
Unless, of course, you use a Web browser (such as Safari or Firefox) that offers a one-click "Fill in my standard information" button, which would make the site conclude that you, in fact, are a software bot.
The Hidden-Field Scam
The Web site's creator makes a tempting-sounding text box labeled something like "E-mail address"—and then makes it invisible, using CSS (cascading style sheets) coding. Humans will never see that box, and will leave it empty; software bots will fill it in.
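The timing trick and the hidden-field check can both be enforced on the server. The following is an added example, not code from the article; the field names `rendered_at` and `email_confirm`, the 3-second threshold and the one-hour expiry are assumptions. The render time is signed so that a client cannot simply claim the form was open for minutes.

```javascript
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);   // per-process signing key (assumption: one server)
const MIN_FILL_MS = 3000;                // assumed lower bound for a human filling the form
const MAX_AGE_MS = 60 * 60 * 1000;       // assumed expiry so an old token cannot be reused forever
const HONEYPOT = 'email_confirm';        // hypothetical name of the CSS-hidden text box

// HMAC over the render time; only the server can produce a matching value.
function sign(ts) {
  return crypto.createHmac('sha256', SECRET).update(String(ts)).digest('hex');
}

// Called when the form is rendered: value for a hidden "rendered_at" field.
function issueToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

// Called when the form is posted: returns { ok, reason }.
function checkSubmission(fields, now = Date.now()) {
  // Hidden-field check: a human never sees the box, so any content is a bot signal.
  if (String(fields[HONEYPOT] || '').trim() !== '') {
    return { ok: false, reason: 'honeypot' };
  }

  // Timing check, step 1: the timestamp must carry a valid signature.
  const [tsText, mac] = String(fields.rendered_at || '').split('.');
  const ts = Number(tsText);
  if (!Number.isSafeInteger(ts) || !mac) return { ok: false, reason: 'bad-token' };
  const expected = Buffer.from(sign(ts), 'hex');
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-token' };
  }

  // Timing check, step 2: compare elapsed time against the bounds.
  const elapsed = now - ts;
  if (elapsed > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  if (elapsed < MIN_FILL_MS) return { ok: false, reason: 'too-fast' };
  return { ok: true, reason: 'passed' };
}
```

Because browser autofill can trip the `too-fast` result, a site would treat that reason as a cue for a fallback step (such as the confirmation page) rather than an outright rejection.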






13 Comments
How about if we just shoot hackers whenever we find them. Problem solved.

That's a little drastic, don't you think?
I was thinking more along the lines of something more simple and proportionate, like cutting off their hands.

How about a captcha that triggers with suspicious traffic load instead of all the time?

The solution to many internet problems might be to create the ability to trace any post to the person who originally posted it; name, address, and phone number. I have no idea if this could be possible but we who do nothing to be ashamed of online would probably not mind and those who do abuse the internet might become a bit more hesitant.
After all, cell phone use can be tracked and few complain about that. Yeah, I know, some cell phone users still do some incredibly stupid stuff but at least if it's criminal they stand a pretty good chance of getting caught.

But there are legitimate reasons for anonymity. What if you're a whistle-blower, or you live in a repressive country? Or if you're posting something controversial or "blasphemous" that might anger a lot of people or have other repercussions. Anonymity can literally be a matter of life and death. And then sometimes you just want a little privacy online, or you want the freedom to adopt multiple identities. The ability to act anonymously is vitally important to a free society because it is vitally important to free speech and privacy.

Using a screening method that doesn't work well for non-English speakers doesn't seem like it would be much of a problem for sites that have content that is entirely English.
For that matter, how would a non-English speaker understand the instructions associated with Captchas?

You are right, of course. Could the Arab Spring have occurred without anonymity? I don't know. On the other side there are so many instances of personal attacks, bullying, spreading lies, libel, defamation, and the sometimes overwhelming burden of spam and phishing. How much damage do these things do and do they put the freedom of the web itself in jeopardy?
How do we find a way to curtail the misuse of anonymity for harm and still allow the uses that you outline?

I forgot to mention that the only site that uses captchas that I can navigate is Scientific American.

Here's another approach not mentioned in the article: http://www.confidenttechnologies.com/Confident_CAPTCHA_Demo
It's a picture-based approach. Bots typically don't have the intelligence to be able to determine the semantic meaning of the subject matter of each photo. (e.g. "That's a picture of a house versus a picture of a boat", etc.). It takes just a few seconds for people to solve because you are simply asked to click on a few pictures. There's an audio option for the visually impaired and support for foreign languages for non-English speakers.

Seems to me that, in about 12 lines of js, you could do the following:
1) set up a key listener
2) once any key is pressed, set a global boolean to true
3) turn off your key listener after #2 is accomplished (if you wish)
4) script the form to only be submitted if the global variable is true.
Any holes in this technique?
Ron
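
The four steps in the comment above, written out as an added example that is not part of the original comment and not the commenter's code. The function name `armKeypressGate` is hypothetical, and the flag lives in a closure rather than a global; `doc` and `form` stand for the page's `document` and form element.

```javascript
// Gate a form on "has any key been pressed?", following the commenter's steps.
// `doc` and `form` may be any EventTarget objects (document and a <form> in a browser).
function armKeypressGate(doc, form) {
  let keySeen = false; // step 2's boolean, scoped to this gate

  // Steps 1-3: listen for the first keydown, record it, then detach.
  // The { once: true } option removes the listener after it fires.
  doc.addEventListener('keydown', () => { keySeen = true; }, { once: true });

  // Step 4: cancel the submit event until a key press has been observed.
  form.addEventListener('submit', (event) => {
    if (!keySeen) event.preventDefault();
  });

  // Expose the flag read-only so other page code can inspect it.
  return { hasKeypress: () => keySeen };
}
```

The check runs only in the browser, so the server never learns its result; input that arrives without key events, such as browser autofill, also leaves the flag false.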

Captchas are too annoying and inefficient; there's a good alternative technology called 'keypic', which does not make users verify their not being spammers. Users don't pass any tests at all. And by the way, keypic won't cost you anything; just download a plugin you need, and that's it.

Yes, there are holes in your technique, but it may be a good first step though. Not all bots are sent from the form itself. The data can be remotely sent. Remote bot posts can be easily stopped by comparing the source and destination IP address, that is until they find a way to circumvent that too.
To fight bots, it is best to use a combination of methods but you should avoid any user verification such as Captcha, picture methods and puzzles. IP verification, honey pots and imaginative JS tricks can stop most bot attacks on small to medium web pages. For larger websites, it is best to use an external service that can stop offensive comments as well as advertising, phishing etc.

Thanks for the information on Keypic, Giulia. It looks like an effective way to stop bot attacks. It is funded by advertising using a small image to replace the annoying Captcha field.