Death to Captchas
Sun, Nov. 6th, 2011 11:18 am
John Foliot: Not the Blog Post I was going to write today
Warning for moving images and migraine triggers. The post is about a 3-D moving Captcha.
So that you don't have to click the link, I've cut and pasted the article below. There are hyperlinks in the post that do not appear here.
This was not the blog post I was going to write today. That post was going to be about my experiences this past week at the W3C Technical Plenary (TPAC). That one still needs to be written, but as is often the case, my blog writing is usually triggered by something I am confronted with on the web, and something I need to just get out there.
In other words, another JF rant.
Today, I am setting my sights squarely on what has got to be one of the most stupid and evil things I’ve encountered on the web in a very long time: 4D Captchas. Seriously?
The user-pain inflicted by CAPTCHAs on persons with disabilities is well known and documented. Not only are CAPTCHAs impossible to decipher for non-visual users (the entire premise of CAPTCHAs is that you can see something that a computer cannot), but they also are difficult-to-impossible for users with cognitive disabilities, low-vision users, your Mom, my Dad and very often you and me. Their usefulness in adding any level of security has been shown to be negligible (the Vappic 4D blog post confirms that current 2D CAPTCHAs are being cracked for $0.80 per thousand), and the pain-to-value proposition to your users is often too high: it is one thing to set some form of door-check to your site, but a huge sign that screams go stuff yourself is hardly a smooth business move. To be actively seeking to try and harden CAPTCHAs is a mind-boggling waste of effort that will only add more pain to end users, and will be as easy to crack as “save image as animated GIF, decipher, and then enter against the input” – oh sure, it might drive the price of CAPTCHA cracking from 1000 for eighty cents to 1000 for a buck-five but so what, this is not going to stop CAPTCHA crackers from doing this work: these are usually poorly paid Third-world workers who are thankful for the work and the 2 or 3 dollars a day they get for doing this.
Let’s be perfectly clear: we need to do everything we can to discourage site owners from using CAPTCHAs. There are many other solutions users can deploy besides using CAPTCHAs to keep blog-spam to a minimum (the most common use-case), and if you really are going to subject your users to the pain of filling out a CAPTCHA to simply post a comment on your blog, you may as well just not bother seeking comment feedback. At Stanford, where I work, most web developers on campus know that if you use a CAPTCHA on your site I will personally walk over to your office and smack you – quite literally (OK, maybe not, but I’m on record for saying that). Sadly, on the web this doesn’t scale.
But let’s use the scale of the web to tell VAPPIC 4D to shelve this lousy idea, and now. The developer of this little bit of misery (an ex-Google employee no less – he should know better) has posted his email address (tomn@vappic.com) and so one thing you can do is write this guy and give him some appropriate type of feedback on this project: I’m not advocating an email equivalent of a DOS attack, but hearing from tens or hundreds or even thousands of end users encouraging him to go pursue another type of project might get his attention. (So feel free to pass this idea on)
Death to CAPTCHAs – do your part.
(no subject)
Date: 2011-11-06 06:51 pm (UTC)
From the example of the new kind on the blog post, I could read exactly one letter. When I clicked through the link, I did get one where I could read everything. I think. After staring at it for about 20 seconds.
(no subject)
Date: 2011-11-06 07:17 pm (UTC)
And I agree with
(I do appreciate that Foliot's article is the first result in Google, though, even before the actual Vappic site.)
(no subject)
Date: 2011-11-06 08:18 pm (UTC)
IDGI. Make CAPTCHA even harder to read?! Oh jeez. That is just ridiculous. I know there have been times when after a couple of minutes, I've just given up on whatever I was doing just cause I couldn't read any of the friggin CAPTCHAs.
(no subject)
Date: 2011-11-06 09:36 pm (UTC)
I don't have migraine or other sorts of visual triggers, and I can read most existing captchas, but that horrible moving 3d/4d whateverthefuckingfuck is aaauuuuuughh I think it melted my brain. I certainly didn't want to look at it. Or even see it out of the corner of my BLEEDING EYES.
(no subject)
Date: 2011-11-06 10:17 pm (UTC)
(no subject)
Date: 2011-11-06 11:16 pm (UTC)
(no subject)
Date: 2011-11-06 11:57 pm (UTC)
This guy comes from Google. The image above is the kind of CAPTCHA Google thinks is useful for any purpose other than destroying people's will to engage with their "services." I just don't even know what to think of the idea of making even more difficult CAPTCHAs. There's gotta be a better way of human verification.
(no subject)
Date: 2011-11-07 05:03 pm (UTC)
(no subject)
Date: 2011-11-07 12:15 am (UTC)
comment one of two.
Date: 2011-11-07 01:48 am (UTC)
Comment one, from Mimi, subject "Users with disabilities or just less-than-perfect vision":
In the interests of users with many different disabilities and also
without disabilities but with eyes older than 18 years old...please do
not pursue this project. I am 41, a web developer and have perfect
vision for my age, and if I were ever presented with anything remotely
resembling this by some website who wanted me to fill out a form, my
reaction would be to leave that site permanently before having to
spend my valuable time, and ruin my vision squinting, trying to
decipher such a thing. Anyone would need VERY astute and clear vision
to decipher these and the reality is that we are not all teenagers.
Even if you don't care to figure in the whole issue of blind users who
use screen readers to access the web (and I really really DO hope you
care about this population!), loss of visual acuity is just a normal
part of aging. This thing is torture. As far as usability and user
experience go, this is definitely a step backwards for the web.
Sorry. :o/
As a web developer I would deal with spam before I subjected my users
to this -- although I don't believe it will come to that, because
there are accessible measures to deal with spam.
My 2 cents!
Response, from David Jeske:
> Even if you don't care to figure in the whole issue of blind users who
> use screen readers to access the web
Our design space is making a visual-captcha which is harder for computers
to break than current approaches, and hopefully make them answerable by
humans with increased accuracy. Unfortunately, current static image letter
distortion techniques are increasingly being broken by savvy attackers.
It is customary for sites to have an audio-captcha option for blind or
visually impaired users.
> loss of visual acuity is just a normal part of aging.
Thanks for your comments.... So far the respondents are split about whether
they have trouble with the vappic captchas. Some find it easier to answer
them with accuracy than static distorted letters, while others, like
yourself, find it straining or disorienting to concentrate on them.
This is only the very first public experiment of the concept, so in future
iterations we'll try to eliminate (or at least minimize) eyestrain when
answering them.
Thanks again for taking part in the survey and providing your feedback. I
hope in the future we can demonstrate something you'll find a better
balance of protection and usability.
Re: comment one of two.
Date: 2011-11-14 10:28 pm (UTC)
comment two of two.
Date: 2011-11-07 01:50 am (UTC)
please don't do this! I could only look at a few before my head
started to swim and I felt sick. Especially the ones where the
background also tilted at the same time as the thing was spinning, or
where the background spots were the same as the pattern on the
letters... I think I was able to completely solve one captcha and pick
out a few letters from one or two others. I have audio processing
issues and so also have trouble with the garbled audio alternatives. I
think these are just an awful idea all around. Further, there are
plenty of people who have disabled animation on their computers AND
don't have working speakers. What are they supposed to do?
Response, from David Jeske:
> I could only look at a few before my head started to swim and I felt sick.
> Especially the ones where the background also tilted at the same time as
> the thing was spinning,
We've heard this same reaction from about a third of respondents. Our goal
was to create sequences that required human-level 3d perception to
decipher, making them much harder for attackers to break with computer
software. In some ways the disorientation is an unexpected side effect of
that technique. Future iterations will work to minimize or eliminate it.
> Further, there are plenty of people who have disabled animation on their
> computers AND
> don't have working speakers. What are they supposed to do?
As this is a research project, our goal is not to address deployment
issues. This is a topic for the website deploying an animated captcha to
decide. It's worth noting we are not the only group experimenting with
animated captcha.
Thanks for taking part in the survey and sharing your comments!
Developer's Contact Info
Date: 2011-11-07 05:16 am (UTC)
tomn@vappic.com
and that would be the place to write with your concerns.
(no subject)
Date: 2011-11-07 12:49 pm (UTC)
Their logic seems convoluted.
(no subject)
Date: 2011-11-07 04:41 pm (UTC)
The conclusion of the paper is that captchas provide an economic but not technological block to spammers; they make it more costly so that only spammers with a high likelihood of profit from spamming will continue to do it. Which means that all the spam comes from a smaller percentage of people, but doesn't particularly lower the spam ratio, so.
(no subject)
Date: 2011-11-07 04:27 pm (UTC)
And I can't write to the guy to complain on his website, because you have to solve his horrific "draw this picture" in order to give him a comment on it.
Let me just reemphasize that. Here is a form for "comment on the utility of my CAPTCHA," and you have to solve the CAPTCHA in order to comment. This, boys and girls, is incompetent design in action. I am sure that later on the designer will comment that none of the people on his form had any problem with it, so it must be fine.
ETA: managed to find an accessible comment form, and sent the motioncaptcha guy feedback.