Are CAPTCHAs Doomed?

Written by Brett Callow on April 15, 2009

In a recent post at TheEmailAdmin, I grumbled briefly about how annoying CAPTCHAs can sometimes be. Scratch that. It’s not a case of “sometimes” – I find them to be annoying all the time! The problem I have is that I usually cannot read the things. Maybe I’m stupid, but it’s often the case that I simply cannot tell whether a particular squiggly-wiggly line is supposed to be a “2” or a “Z” or an “8” or a “B”. Unfortunately, the bad guys seem to have no such problems and routinely break CAPTCHAs – see, for example, the post Microsoft’s CAPTCHA Cracked Again.

This leads to the question: are CAPTCHAs doomed? I suspect that the answer is, yup, there is very little doubt that CAPTCHAs will become a thing of the past. Here’s why:

1. I seriously doubt that it will be possible to devise a CAPTCHA that cannot be broken. Yup, people are working on CAPTCHAs which they claim will be much more difficult to break, but I don’t think that they’ll succeed. Where there’s a will there’s a way and, given enough incentive, the bad guys will almost certainly be able to find a back door.

2. CAPTCHAs are a major inconvenience (to humans, at least). They waste people’s time – and time is money. I suspect that many people do as I do when faced with a hard-to-read CAPTCHA and simply give up (who wants to spend 15 minutes struggling with a CAPTCHA simply to be able to comment on a blog post?). And then there’s the issue of the problems that they present to people with visual impairment. Yup, I know that there are workarounds – audio CAPTCHAs, for example – but they are still inconvenient (and can, of course, be broken as easily as other CAPTCHAs).

So, if CAPTCHAs will not work, how can abuse/spam be blocked? The answer, I suspect, is that it cannot. Not completely, anyway. As with email spam, the best that we can probably hope for is to be able to bring about a substantial reduction. And there are a couple of ways that this could realistically be done.

Quotas would seem to be a cheap and effective method of combating spam. Instead of permitting social networkers to send an unlimited number of messages to other users, why not impose a cap? The cap could be reviewed once people have, over a period of time, established that they are a real, valid user.

Using spam filters would also seem to be a viable solution. Why not automatically block sent comments and messages that are tagged as spam? The solution may not be perfect (no filter can block 100% of spam) but, to my mind, it’s certainly a lot better than a CAPTCHA.
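The quota and spam-filter ideas above can be combined in one gate. The sketch below is an added example, not code from the original post: the tier thresholds, the class names and the `is_spam` callable (standing in for whatever filter a site uses) are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

DAY = 86400
# Constructed tiers: (min account age in days, min clean messages, daily cap)
TIERS = [(0, 0, 5), (7, 20, 50), (30, 200, 500)]

@dataclass
class Sender:
    created: float
    clean_sent: int = 0   # messages delivered without a spam flag
    spam_flags: int = 0   # messages the filter tagged as spam
    window: list = field(default_factory=list)  # send timestamps, last 24h

class QuotaGate:
    def __init__(self, is_spam, now=time.time):
        self.is_spam = is_spam  # assumed filter: callable(text) -> bool
        self.now = now          # injectable clock, so the gate can be tested
        self.senders = {}

    def cap_for(self, s):
        # Any flagged message pins the sender to the lowest cap until reviewed.
        if s.spam_flags:
            return TIERS[0][2]
        age_days = (self.now() - s.created) / DAY
        cap = TIERS[0][2]
        # The cap rises only when BOTH age and clean history are established,
        # so a dormant account cannot simply wait its way to a higher quota.
        for min_age, min_clean, tier_cap in TIERS:
            if age_days >= min_age and s.clean_sent >= min_clean:
                cap = tier_cap
        return cap

    def submit(self, user, text):
        t = self.now()
        s = self.senders.setdefault(user, Sender(created=t))
        s.window = [ts for ts in s.window if t - ts < DAY]  # sliding 24h window
        if len(s.window) >= self.cap_for(s):
            return "over_quota"
        s.window.append(t)  # blocked spam still consumes quota
        if self.is_spam(text):
            s.spam_flags += 1
            return "blocked_spam"
        s.clean_sent += 1
        return "delivered"
```

Requiring clean history as well as account age is the design choice that matters here: it makes the raised cap something a sender earns through real use rather than something aged, unused accounts receive for free.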

These are not, of course, the only ways of solving the problem. In some situations, using email validation and/or simple moderation may be highly effective.

What do you think? Is the CAPTCHA in terminal decline? And, if so, what’s the best solution?

About Brett Callow

Brett Callow is a technical consultant and writer based on the West Coast of Vancouver Island. Brett has worked with Microsoft Corporation and other leading international technology companies, has authored numerous white papers, articles and training packages, and has been extensively involved in creating domains and content for a number of industry-standard certification examinations.