Captchas are evil and need to go away

Plenty of things annoy me in the online world. Twitter spam bots make me shake my head. Shady Facebook applications get under my skin. But nothing makes my fist clench quite like Captchas.
I’ve been “proving I’m human” for around 10 years now, yet every site I visit still assumes I’m a computer hellbent on world domination.

I would be more tolerant of Captchas if they actually solved a problem, but they don’t. There is a slew of Captcha bypass services out there that any half-brained spammer already utilizes. Most of these services work by relaying the Captcha image to a human in a foreign country, typically India or Bangladesh (one blogger has even called Captcha solving “India’s booming business”). The going rate can be as low as $2.00 for 1000 cracked Captchas. Other bypass tools work by purchasing millions of Captcha images and matching one of them up with the image the user is served by a website. You don’t have to be a programming expert to use these tools either. Just search Google.

The fact that there is now a burgeoning Captcha bypass industry that employs thousands of people should be a clear signal that the technology is ineffective.

While black hats and the like spend pennies to bypass hundreds of Captchas quickly, the rest of us are left to suffer. The only people that Captchas frustrate are honest Internet users who have better things to do with their time than decipher a mash-up of letters and numbers. The people they were designed to stop don’t seem to mind them at all.

It turns out, though, that things don’t have to be like this. It isn’t 2000 anymore, and there are plenty of better ways to protect a website from spam than Captchas. Using fields hidden by CSS is a great way to prevent spam without the website user even noticing. Other, less annoying solutions like “Uncheck this box if you are a human” are preferable to Captchas as well.
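A minimal server-side check for the two alternatives mentioned above (a CSS-hidden field and an “uncheck this box” checkbox), added here as an illustration and not taken from the original post. The field names `website` and `i_am_a_bot`, the form markup and the sample submissions are all constructed for the example.

```python
from urllib.parse import parse_qs

# Hypothetical field names chosen for this example.
HONEYPOT_FIELD = "website"      # hidden by CSS; humans never see or fill it
ROBOT_BOX_FIELD = "i_am_a_bot"  # pre-checked; humans are asked to uncheck it

# Constructed form markup that the checks below assume.
FORM_HTML = """\
<style>.hp { position: absolute; left: -9999px; }</style>
<form method="post" action="/comment">
  <textarea name="comment"></textarea>
  <div class="hp" aria-hidden="true">
    <label>Leave this empty <input name="website" tabindex="-1" autocomplete="off"></label>
  </div>
  <label><input type="checkbox" name="i_am_a_bot" value="1" checked>
    Uncheck this box if you are a human</label>
  <button>Post</button>
</form>
"""

def classify_submission(body: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a urlencoded POST body."""
    # keep_blank_values: an empty honeypot must be distinguishable from a missing one
    fields = parse_qs(body, keep_blank_values=True)
    if HONEYPOT_FIELD not in fields:
        # A browser always sends the text input, so absence means a hand-built POST.
        return False, "honeypot field missing"
    if any(v.strip() for v in fields[HONEYPOT_FIELD]):
        return False, "honeypot field filled"
    if ROBOT_BOX_FIELD in fields:
        # Browsers omit unchecked checkboxes, so presence means it was left checked.
        return False, "bot checkbox still checked"
    if not any(v.strip() for v in fields.get("comment", [])):
        return False, "empty comment"
    return True, "ok"

# Constructed sample submissions.
SAMPLES = {
    "human": "comment=Nice+post&website=",
    "form_filler_bot": "comment=Buy+pills&website=http%3A%2F%2Fspam.example&i_am_a_bot=1",
    "left_box_checked": "comment=Hello&website=&i_am_a_bot=1",
    "hand_built_post": "comment=Cheap+watches",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_submission(body))
```

These checks filter automated form fillers only; they do nothing against the human relay services described earlier.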

Facebook Comments and other comment systems that allow users to sign in through OAuth, OpenID or other open standards for authorization can at least stop anonymous spam. As I’ve written before, however, I don’t see these as being good long-term solutions because anonymous conversations are too valuable. People are less likely to comment and share when their remarks are tied to a personal account.

Regardless of which method of spam control a website chooses to employ, its operators need to remember that the burden of spam protection should fall on their shoulders, not on their users and readers. A proper spam protection system should make it easier for well-intentioned humans to comment and more difficult for the evildoers, not vice versa.

Captchas are very much part of the problem, not the solution. There is no logical defense for Captchas still being prominent in 2011.

  • Getting stuck fighting against spammers is such a pain! Captcha is simply an easy and cost effective way that users have found cuts out a significant portion of spamming.

    I am surprised that there isn’t a way that systems can use the same techniques that block spam emails in blocking spam comments. ReCaptcha was taken over by Google. But if they instead focused on creating a filtering API system like they do with emails that you send your comments to and they spit back the comment with a rating based on their spam tests, it would seem that they could not only offer a great service for websites, but also get what they want… which is more information passing through their servers. Maybe there is a startup that does this already, but I haven’t seen it as of yet.

    I know Akismet does a good job doing something similar, but they still miss some spam here and there.