Captchas are evil and need to go away

Plenty of things annoy me in the online world. Twitter spam bots make me shake my head. Shady Facebook applications get under my skin. But nothing makes my fist clench quite like Captchas.
I’ve been “proving I’m human” for around 10 years now, yet every site I visit still assumes I’m a computer hellbent on world domination.

I would be more tolerant of Captchas if they actually solved a problem, but they don’t. There are a slew of Captcha bypass services out there that any half-brained spammer already utilizes. Most of these services work by relaying the Captcha image to a human in a foreign country, typically India or Bangladesh (One blogger has even called Captcha solving “India’s booming business.“) The going rate can be as low as $2.00 for 1000 cracked Captchas. Other bypass tools work by purchasing millions of Captcha images and matching one of them up with the image the user is served by a website. You don’t have to be a programming expert to use these tools either. Just search Google.

The fact that there is now a burgeoning Captcha bypass industry that employs thousands of people should be a clear signal that the technology is ineffective.

While black hats and the like spend pennies to bypass hundreds of Captchas quickly, the rest of us are left to suffer. The only people that Captchas frustrate are honest Internet users who have better things to do with their time than decipher a mash-up of letters and numbers. The people they were designed to stop don’t seem to mind them at all.

It turns out, though, that things don’t have to be like this. It isn’t 2000 anymore and there are plenty of better solutions than using Captchas to protect a website from spam. Using fields hidden by CSS is a great way to prevent spam without the website user even noticing. Other less annoying solutions like “Uncheck this box if you are a human” are even preferable to Captchas as well.

Facebook Comments and other comment systems that allow users to sign in through OAuth, OpenID or other open standards for authorization can stop anonymous spam at least. As I’ve written before, however, I don’t see these as being good long term solutions because anonymous conversations are too valuable. People are less likely to comment and share when their remarks are tied to a personal account.

Regardless of which method of spam control a website chooses to employ, they need to remember that the burden of spam protection should fall on their shoulders, not on their users and readers. A proper spam protection system should make it easier for well-intentioned humans to comment and more difficult for the evildoers, not vice-versa.

Captchas are very much part of the problem, not the solution. There is no logical defense for Captchas still being prominent in 2011.