Captcha is Broken

Captcha is broken – now what? The Guardian. I was quoted in today’s Guardian, which consistently has some of the best tech coverage around.

24 thoughts on “Captcha is Broken”

  1. I’ve been working on improvements to Andy Skelton’s Quiz plugin. Basically you make a custom question for each post, when you write it.

    I like the idea of this a lot because it means that not only do you have to have human comprehension, but you have to have actually read the post. Slows down (hugely) the “captcha farm” spammers, and thins down frivolous comments to boot. 🙂

  2. I hate Captcha with a passion. I have five sites and none will ever use it. I use Akismet and comment moderation and that pretty much solves everything without any hassles for my users or me.

  3. The problem lies in usability vs. vulnerability. You want to make it as easy as possible for users while making it as hard as possible for spam bots. Captchas were never easy for users, and apparently now they’re easy for bots. Group sourcing filtering isn’t necessarily the answer either as you have to worry about bots being in the group. Now what? That is indeed the question.

  4. It was about time for someone to call captcha a bane. Sometimes it takes me 2-3 reloads to figure out what the captcha is displaying just to register to a service.

  5. “Just because something came from a real human being doesn’t mean it isn’t spam, which is why content-based solutions like Akismet are the only long-term solution to the spam problem.”

    Excellent quote. That pretty much dismisses all alternatives given in the article.

  6. My first thought was, ‘not only is it broken, it’s also really annoying.’

    Very interesting it starts with a Matt quote and ends with a Matt quote.
    Obviously, someone has a good handle on how to fix captcha…

  7. That article is disappointing in that it doesn’t even mention reCAPTCHA. Maybe they decided that reCAPTCHA got enough play in the news mid-month.

    I can’t stand craptcha, but if someone really, really, really feels they must use it, reCAPTCHA seems like the way to go. You are both helping a great cause and there are accessibility options.

  8. ‘are you mouse or man’ or girl?
    The Guardian for the intellectual man (Niel’s comment): come on, fellows – at least demonstrate in your language that you are aware that women can write spam bots, spam, and be intellectuals.

  9. Comment spam is a serious problem. There are 4 defences: Captcha (proactive), filters like Akismet (reactive), admin moderation (reactive) and reader flagging (reactive). The problem with Akismet is that it is not transparent. How do we know it doesn’t harbor a bias in the guise of secret algorithms?

  10. ‘companies such as Microsoft are not abandoning the system. “We are updating our Captcha system to be both more readable for customers but more difficult to break through”’

    Why waste more time and technology on something that eventually is going to fall again?
    Matt’s quote in the closing part of the article really defines what needs to be done ultimately for a spam-free web.

  11. “Just because something came from a real human being doesn’t mean it isn’t spam, which is why content-based solutions like Akismet are the only long-term solution to the spam problem.”

    And unfortunately, it is also true that just because Akismet (or any content filter) says something is spam doesn’t mean it is spam. A valid message marked as spam by a filter isn’t a good user experience either.

    Sure, we can review comments marked as spam, but if I’m going to review 100% of the filtered comments for false-positives, why have a filter at all?

    I’m no fan of captchas either, but silently discarding a valid message that doesn’t pass a filter is an even poorer experience for that user and unacceptable to my application.

  12. Your final quote is dead on. The focus should not be on whether the viewer is human or not, but rather we should focus on the content/data, which is where the spam actually is.

  13. Moderating comments is the only sure way to avoid automated spam. I moderate comments on my blog and part of the moderation process is investigating the URL provided by the poster. Content which at first seems OK is often revealed to be spam when I look at the poster’s web page.