Accueil > Mozilla > Is the purpose of captchas to test your visual capabilities?

Is the purpose of captchas to test your visual capabilities?

While looking at Hendrix, I saw this captcha on the submission form:

captcha

captcha

I really have no idea what the second word is (10H? 101l?). And from what my doctor says, my eyes are working perfectly well. The audio alternative doesn’t work on Linux, so I cannot use it as a workaround. I really think such captchas are a bad user experience, especially for those with some disabilities (and in this case, even for those without disabilities).

As an alternative, why not suggesting something more simple? For instance: "How many triangles are not red in the figure below?"

alternative captcha

alternative captcha

Unless the reader never went to school, he knows what a triangle is, and which color "red" is. I doubt a robot could easily parse the question (but I may be wrong).

Am I missing something?

About these ads
Catégories:Mozilla
  1. Soymilk
    22 septembre 2008 à 9:38  

    The purpose of REcaptcha is to get many humans to help convert scanned text to actual text when the OCR is unable to

  2. Pat
    22 septembre 2008 à 9:46  

    I think you are missing something. The set of possible answers much be huge for the captcha to be effective.

    I assume the variation in your captcha would be to change the number of shapes, change the color and the shape being asked about. So in your case, the set of possible answers is 0 to 10 (assuming you put a bit more shapes in the image)

    Someone could code a bot to brake your captcha very easilly. Just guessing a random number would give the bot about 10% chance of guessing correctly on each try. This would break you captcha in seconds, especially with a few bots guessing from different IPS.

  3. Ben
    22 septembre 2008 à 9:47  

    The reason you can’t read the second word is because the computer’s OCR didn’t know what the word was either. See http://recaptcha.net/learnmore.html where it says:

    But if a computer can’t read such a CAPTCHA, how does the system know the correct answer to the puzzle? Here’s how: Each new word that cannot be read correctly by OCR is given to a user in conjunction with another word for which the answer is already known. The user is then asked to read both words. If they solve the one for which the answer is known, the system assumes their answer is correct for the new one.

    So the OCR encountered the second word and rightfully so, couldn’t make it out.

    Also, if you think of the language understanding that goes into voice recognition and/or natural language understanding (ex. Ask.com) systems, you’ll realize that a robot could realistically parse the alternative captcha with little trouble.

  4. 22 septembre 2008 à 9:47  

    i can’t remember where exactly, but some place hast started using captchas that have six letters, not obfuscated at all, and half of them are red, and it just says "type the three red letters." I don’t know how well it’s working, but it seems good.

    I also like the ones on people’s personal blogs that say "what is my name" or "what is the name of this blog" or etc.

    Main point is, it seems like, especially since robots have gotten to the point of being able to crack google captchas in under a minute, the next logical step is to make the question the hard part to parse. A la hitchhiker’s guide to the galaxy.

  5. Simon
    22 septembre 2008 à 9:48  

    Seems like a good idea to me. I also like the idea I’ve seen elsewhere of using CSS to take scattered text fragments and assemble them into an easily human-readable captcha. A captcha-breaker would need to incorporate a good HTML engine to be effective…

  6. hansen
    22 septembre 2008 à 9:48  

    Great idea. There are other similiar ideas with pictures of animals.

    Like the cats+dog pictures, where you might mistake a dog for a cat sometimes – and vice versa.
    People who are colorblind, will have issues with the colors.

    No matter what, your solution is better than the regular captcha!

  7. Baka_toroi
    22 septembre 2008 à 9:50  

    The CAPTCHA you are seeing there is sourced from old books. So, when OCR software can’t detect properly the words in the scanned pages on those books, it sends them to the CAPTCHA you are seeing on the screen. One of the words is known by the server-side system, the other is not. So, when you are solving those CAPTCHAS, you’re also helping to "restore" books.

    On the other hand, the solution you are proposing is lacking, at best. Apart from the fact that a bot could solve that CAPTCHA just by guessing (Once every 6 times it will be guessing right), the bots could also have a database of common questions, such as the one you are suggesting. It won’t be long before all the possibilities are exhausted and the bots could also make a request to a central server if it can’t answer the question.

    BTW, what’s a triangle?

  8. John
    22 septembre 2008 à 9:53  

    > Am I missing something?

    Unfortunately, yes. The reason captcha’s like this don’t work is that there is a relatively low number of combinations of pictures and questions possible. It would just take someone going through all the combinations once and program them into the bot.

  9. Pete
    22 septembre 2008 à 9:53  

    You are missing something. The reCaptcha program is an effort to digitize books. Two words are shown to the user, and one will be a word that was unrecognizable by the OCR. You technically only need to match the word that is auto-generated (in this case, BELAIS).

    I’m still not sure if this is a worthwhile goal, but it is at least trying to provide service where people are using captchas already. Your case of "IOM" here is by far the worst I have seen.

  10. Sean Middleditch
    22 septembre 2008 à 10:07  

    1 out of every 5 men is color blind. not sure on stats for women. point being that color is a bad thing to use.

    still doesn’t solve the issue for visually impaired users, either.

  11. 22 septembre 2008 à 10:10  

    Yes, you’re missing something… Colorbind people!

  12. christastisch
    22 septembre 2008 à 10:16  

    > Am I missing something?

    There are people out there who are color blind ;) Captchas are ALLWAYS a bad idea. Things like akismet work better.

  13. Robert O'Callahan
    22 septembre 2008 à 10:20  

    That sounds easy to automate, to me.

    One thing you need to consider is that guessable CAPTCHAs are no good. A 1 in 10 chance of being right makes it easy for botfarms to win.

  14. 22 septembre 2008 à 10:26  

    If I understand how reCAPTCHA works correctly, you only need to get the first word correct in order to solve it. If you get the second one correct too, it helps OCRs somewhere to digitize books. If you cannot read either words, you can always click on the refresh icon, it will present another set of words.

    More info at: http://recaptcha.net/learnmore.html

    Your alternative may not work very well with the color-blind.

    /Mahesh.

  15. 22 septembre 2008 à 10:29  

    colour blindness?

  16. 22 septembre 2008 à 10:31  

    Colorblind people will have a problem with your suggestion.

    (As for the reCaptcha thing: if even you could’t decipher the second word, just type something. It should work, since it only checks one of the two words.)

  17. jm one
    22 septembre 2008 à 10:36  

    yes. You are missing out colorblinds.
    Okay some capchas of today render them out already.
    Like todays captchas AND this one render out people who are blind or visually impared to a degree where screenreaders are their only chance to use the net.

  18. 22 septembre 2008 à 10:39  

    Well said, I 100% agree. Have you seen the one with the cats? Horrible. I like your alternative, clean and easy.

    This is the one with the cats:

    http://depressedprogrammer.files.wordpress.com/2008/04/worstcaptchaever.jpg

  19. 22 septembre 2008 à 10:50  

    I agree, captchas should not test your visual capabilities – at all. Instead of shapes and colors why not provide human readable questions like "Is the pope Jewish?". That way blind, low vision and deaf-blind users could solve those darned things too!

  20. Exec
    22 septembre 2008 à 10:50  

    Colorblind people would probably not like it… or blind people for that matter.
    Still, it would be a good alternative given the choice.

    As for robots… clues given
    1. "How many"
    2. "triangles"
    3. "not red"

    I’d guess the hardest part would be "in the figure below", depending on context.

  21. lpsolit
    22 septembre 2008 à 10:59  

    Your comments are all very interesting.

    I didn’t know the second word being unreadable was intentional. My reaction was "I cannot read the 2nd word; I give up". Note that that’s a good way to avoid too many bug reports (assuming some other reporters have the same reaction as me). :-D

    About my alternate "captcha", it’s more a proof of concept than something which can be implemented as is. Nothing is perfect, especially not my example. :) We also have to think if a hacker really wants to spent too much time cracking websites such as Hendrix where the benefit of submitting wrong reports is rather low (no profit/money there) or if such a proof of concept would be enough to avoid automatic submissions (even if it wouldn’t prevent a hacker who really wants to attack Hendrix from doing so).

    I admit I forgot about colorblind people; shame on me. ;)

  22. lpsolit
    22 septembre 2008 à 11:13  

    @simon: I like the idea of using CSS. Some letters could be hidden, red on red background (making them invisible, for both colorblind people and people with no disabilities), or even use transparency to add masks so that only some letters appear, etc… Not sure how this would work, and if it would be efficient or not. Some people probably already thought about that.

  23. Asrail
    23 septembre 2008 à 4:35  

    The bot can easily take a screenshot of the page, so CSS wouldn’t help much. That’s different from parsing pages to find emails.

    Simple inference machines can easily answer questions like:
    "Is the pope jowel?"
    or
    "What is the capital of Guatemala?"

    Easier than a lot of humans.

  24. 23 septembre 2008 à 5:13  

    I think the problem with CSS here is, again, the limited possibilities. There is only so many combinations of features you can implement. If you make an open source version of it and, say, have people use it as a wordpress plugin, a spammer will eventually look at your code and put all of these possibilities into his bot software.

    For a captcha to be effective, it must not be generated from a limited amount of "bricks", or it will always fail, once one of the "bad guys" actually takes a closer look at it.

  25. 23 septembre 2008 à 5:27  

    Yes. The purpose of a captcha is not to test your visual ability, but to pose a question that is hard/impossible for current computer systems, but easyish for a human. Since humans have advanced visual processors, we are capable of solving very hard visual problems that are still out of reach for computer systems.

    Also, the space of possible answers must be huge to prevent brute-force attacks.

    Your proposed captcha provides neither of the two necessary conditions.

    Might I suggest hitting the little refresh button on recaptcha? It will give you a new one. Another thing – recaptcha is also cool b/c it translates scanned books to digital form.

  26. Richard
    23 septembre 2008 à 8:29  

    Gez Lemon wrote an interesting article on the accessibility of CAPTCHAs a while ago. Not sure his solution is practical but it’s worth a read.

    http://juicystudio.com/article/accessibility-of-captcha.php

  27. Nick
    23 septembre 2008 à 9:52  

    I think this illustrates the problem with recaptcha. Nobody should have to know "it’s ok to get the second word wrong" in order to post a comment. Noble goal or not, it doubles the amount of work a user has to do. And it stops people from getting through who assume they have to get the captcha right.

  28. Philip Taylor
    23 septembre 2008 à 12:09  

    I had a forum using some standard guess-the-word CAPTCHA system, and it suffered several spam registrations and posts a day.

    I added a single checkbox (labelled "I am a human") to the registration form, and it has been 100% effective at blocking spam for about two years.

    It seems to me like a simple economic matter: if the value of breaking the CAPTCHA is greater than the cost of doing so, it will be broken. So you can increase the cost, e.g. ask the user to read ever-more-unreadable words; or you can decrease the value, e.g. only use that CAPTCHA system on a single small site.

    The latter approach is much easier to design and implement, and much more user-friendly. Use a checkbox, or ask "what is 5 + 9?", or ask "how many triangles are not red?" – the complexity doesn’t actually matter as long as it’s unique to your site. Those are all pretty trivial to crack, but nobody is going to bother cracking them if it only lets them spam one blog.

    But once a million blogs are using the same CAPTCHA system, the value of cracking it will increase hugely; so when you’ve made a simple effective CAPTCHA system, just make sure nobody else starts using the same one.

  29. James
    23 septembre 2008 à 1:13  

    You also missed the "load another captcha, this one is too hard" button, it’s the two arrows, above the audio and ? buttons.

  30. 23 septembre 2008 à 10:39  

    In the case of hendrix, we had the checkbox thing first, and then added a math question after the spammers started getting past the checkbox. Eventually the spammers started getting past the math question, too, so we added the captcha. For some reason, Hendrix seems to be enough of a spammer target that they do specifically target it, even though it’s "only one blog".

    Submitting that form posts to a newsgroup which is archived by Google Groups. Since Google never deletes anything unless it’s a DMCA violation (even if it’s spam), successfully getting past our form gets their spam permanently archived on Google Groups, where lots of people will potentially see it for months, if not years, to come.

  31. 24 septembre 2008 à 8:28  

    I definitely agree that simpler CAPTCHAs would be really nice to have. :-)

    Like many others pointed out, the less popular your site is, the simpler CAPTCHA you can have. Of course, it would be ideal to figure out something that is extremely simple to humans but impossible for computers to figure out, but which has some vast number of possible questions/answers.

    -Max

  32. 14 octobre 2008 à 3:48  

    Even if these captchas have their advantages I also had a similar experience as you described it above – I wasn’t able to read these words. So I started to ask myself if I am the only one who has problems in reading such captchas sometimes and with your experience I know the answer now.

  33. lk
    14 juin 2009 à 3:19  

    What if you are colorblind? Then you can’t tell which is red

  34. Frédéric Buclin
    14 juin 2009 à 11:29  

    @lk: yes, we discussed about colorblind people several times in these comments. Read above. :)

  35. M
    12 octobre 2009 à 3:44  

    Hello,
    I was doing a "captcha survival guide" on my blog and i come out with some ideas, and when browsing triangle and geometric stuff i found your blog. I "stoled" your geometric image :-)

    and added some other ideas:

    http://www.cocooa.com/115/2009/captcha-guida-di-sopravvivenza.html

    the guide is short and in Italian, but i m sure the images are self explicative ( feel free to ask if you want, i d be happy tohave feedback)

    ciao

    M

  1. No trackbacks yet.

Laisser un commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:

Logo WordPress.com

Vous commentez à l'aide de votre compte WordPress.com. Déconnexion / Changer )

Image Twitter

Vous commentez à l'aide de votre compte Twitter. Déconnexion / Changer )

Photo Facebook

Vous commentez à l'aide de votre compte Facebook. Déconnexion / Changer )

Photo Google+

Vous commentez à l'aide de votre compte Google+. Déconnexion / Changer )

Connexion à %s

Suivre

Recevez les nouvelles publications par mail.