I don’t like most current CAPTCHA techniques. There is nothing that frustrates me more than trying to use a web site and being presented with this:
Yes, that is an actual CAPTCHA image that I was presented with. If anyone can figure out what that one is supposed to be saying, you have better eyes than I do.
These challenges are designed – in theory – to make it harder for automated processes or “bots” to use a service by requiring something like human perception or intelligence to solve a test. The full name is Completely Automated Public Turing test to tell Computers and Humans Apart. What is a Turing Test? Wikipedia says:
The Turing test is a proposal for a test of a machine’s ability to demonstrate intelligence. It proceeds as follows: a human judge engages in a natural language conversation with one human and one machine, each of which tries to appear human. All participants are placed in isolated locations. If the judge cannot reliably tell the machine from the human, the machine is said to have passed the test. In order to test the machine’s intelligence rather than its ability to render words into audio, the conversation is limited to a text-only channel such as a computer keyboard and screen.
The general concept is that the test or challenge is designed to weed out computer bots from real humans. The problem is bots are often better at solving problems than humans are, and even if they aren’t, they have a lot more patience.
As a board owner, there is a fine line to walk here. I want my users to be able to register. I don’t want bots to be able to register. Anything that makes it harder for bots is also likely to make it harder for users. When the scales tip to where the inconvenience to my potential new users outweighs the bot protection then I have a problem. In my opinion, some CAPTCHA techniques tip the scale in that direction, especially some of the more complex image challenges. I’m going to save talking about image CAPTCHAs for another post and focus on alternate methods. I am going to pick three tests and try to propose how easy they are for humans to solve, and how susceptible I think they are to bots. Those methods are question/answer, picture or “kitten auth” method, and my own checkbox challenge.
Question / Answer
This technique was introduced during the phpBB2 days and is much easier to manage with phpBB3 since a board owner can set up custom registration fields. The basic premise is this: the board owner sets up a question on the registration page that requires an answer. The answer could be provided in the form of a drop-down list or other input control, or alternatively it could be an open text field that requires the user to enter the answer manually. The question can be related to the primary subject matter for the board or it could be a general knowledge question like what is 2 + 2 or what color is the sky. In any case, the question is supposed to be easily answered by a human and impossible to answer for a bot. Let’s look at some examples.
Finite Result Set
If the question is presented with a set of options, either via a drop down, radio grouping, or some other interface element, it reduces the risk that a human will fail the test. It also improves the success rate for bots. Let me present a simple example. The form below presents a question and a set of options.
As a typical human I should not have any trouble answering the question. I specifically left out “black” as a color choice, because some people might consider the sky at night and make that choice. I left out white (confusion with clouds) and some other colors for the same reason. My goal is to get the user to select “Blue” as the proper answer to this question. I would guess that 99.9% of humans would be able to pass this test.
Another advantage to this particular question is there’s no regional or subject-matter bias. No matter where you are on the planet, as long as you can read English you should be able to identify with this question and select the proper answer.
This challenge also fares well for the visually impaired. A screen-scraper will be able to present this challenge and the user should be able to solve it with the information available. While the number of visually impaired people as a percentage of total users of the Internet is certainly quite small, it’s nice to consider their needs.
As a board owner I could provide a question that is more specific to my audience. Suppose that my board audience is made up of electrical engineers. I might present them with a series of color codes and ask them to identify the resistor rating. If my board audience is made up of fans of a particular music artist I might ask them to identify the first hit song for that artist. Knitters could get a question about yarn. Car enthusiasts could get a question about engine technologies. The popularity of this solution is partially based on the fact that the question can be as hard or easy as you want. As a result, the number of options is essentially infinite.
Bots versus Question / Answer Challenge
So far the question / answer challenge seems to do okay at allowing humans to register. How will it do as a bot preventative?
In my opinion, as it has been presented so far, it has a number of issues. The first issue is that there is a finite list of choices to make. The list has six entries: Red, Orange, Yellow, Green, Blue, and Purple. Most unsophisticated bots will pick the first option so it’s important that “Blue” (the correct answer) is not the first on the list. As I have to allow for a user to read the form incorrectly at least once, I should not block or ban the registration after the first failure. In fact I might allow two or three registration attempts before taking any action. With six answers and assuming a bot is smart enough to make different selections as it goes through the form, there is a 50% chance that a bot can “learn” or “guess” the right answer on the first series of registration attempts. Since there are only six answers (and the answer set does not change each time) there is a 100% chance that the bot will be able to register if six attempts are allowed.
What about a different interface choice?
This doesn’t solve the problem; it’s just a different interface choice (radio instead of drop-down control).
How about an open text box?
This interface choice presents an interesting dilemma. On the one hand, a bot can’t use brute force to solve this challenge. There are no options given so the answer must be determined by some other means. Problem solved, yes?
No. Believe it or not, I have read some articles that suggest bots are sophisticated enough to plug unknown questions into a search engine and get the answer that way. When I plug the question “What color is the sky” into Google, the top three results all mention the word “color” and the word “blue” in close proximity. A reasonably sophisticated bot could figure this out. If this particular technique (question / answer with open input field) were to become widely used on the Internet, I have no doubt that bots would very soon be able to handle this challenge as well as (or perhaps better than) humans.
Earlier I suggested that humans should be able to solve the drop-down challenge nearly 100% of the time, certainly with two attempts. With the open text field that percentage would almost certainly drop. Let me examine that a bit further.
Here are some answers that I would anticipate coming into my form if I used the open text box version of the question / answer challenge.
Q: What color is the sky?
… and so on with the variations. Hm. Do I see a problem here? When left on their own, users are going to provide a wide variety of answers that probably should be allowed but won’t be under a strict comparison to the expected answer Blue. I would expect variations in case, in spelling, and perhaps even answers with extra spaces or entire sentences like “The sky is blue.” Once the input becomes open for anything, then anything is what I expect to get. How can I certify these answers (all of which are reasonably correct) and allow the user to register? Ironically if a bot is able to get the answer correct, they will most certainly provide the expected spelling of “blue” rather than one of the variations shown above.
Fortunately there is a simple function that I can use to help solve most of these challenges. That function is called soundex() and I will detail it next.
Introducing The soundex() Function
Whether I see the word “blue” or “blu” or even “bleu” the sound of the word is the same. That’s what the soundex() function does; it returns a code that is supposed to designate the sound aspects of the word rather than the literal word. First I will check the soundex() result for the required answer:
mysql> select soundex('blue');
+-----------------+
| soundex('blue') |
+-----------------+
| B400            |
+-----------------+
Next I will check the results for some of the variations shown.
mysql> select soundex('bleu');
+-----------------+
| soundex('bleu') |
+-----------------+
| B400            |
+-----------------+

mysql> select soundex('blueu');
+------------------+
| soundex('blueu') |
+------------------+
| B400             |
+------------------+

mysql> select soundex('blu e');
+------------------+
| soundex('blu e') |
+------------------+
| B400             |
+------------------+

mysql> select soundex('black');
+------------------+
| soundex('black') |
+------------------+
| B420             |
+------------------+
Notice in every case except for the obviously wrong answer “black” I get the code B400. I won’t go into details of how this code is derived (there is a Wiki link at the end of the post if you want those details). I will make the observation that all of the spellings – both correct and “close enough” to correct – return the same code.
Let me review how I got to this point. A question / answer challenge with a finite list of possible answers is susceptible to brute-force solving by bots or humans. The same challenge with an open text box for the answer is much harder for bots to solve, but it also reduces the success rate for humans due to input variations. I am proposing that the soundex() function could be used to reduce the number of humans rejected because of minor spelling variations, and I do believe it would work.
It also helps the bots.
If I am expecting a single word answer and the user enters “The sky is blue” instead, I still have options. I can programmatically split up the phrase into component words and then apply the soundex() function to each one. As long as the expected word “blue” is in the phrase, I can decide to let the registration attempt succeed.
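As an added example (not code from the original post, nor from phpBB or MySQL), here is a textbook four-character soundex() in Python together with the split-and-compare check just described; `accept_answer`, `sound_alikes` and the word list are my own names and constructed sample data. The last function also shows the flip side mentioned above: the same leniency that forgives “bleu” accepts unrelated words such as “bull”, so the check makes the answer space smaller for a guessing bot as well as for a human.

```python
import re

# Standard American soundex digit table; vowels and h, w, y carry no digit.
_CODES = {
    **dict.fromkeys("bfpv", "1"),
    **dict.fromkeys("cgjkqsxz", "2"),
    **dict.fromkeys("dt", "3"),
    "l": "4",
    **dict.fromkeys("mn", "5"),
    "r": "6",
}


def soundex(word: str) -> str:
    """Four-character soundex code; non-alphabetic characters are ignored.
    (MySQL's soundex() follows the same idea but may differ in details
    such as output length for long inputs; this is the textbook version.)"""
    letters = [c for c in word.lower() if c.isalpha()]
    if not letters:
        return ""
    code = letters[0].upper()
    last = _CODES.get(letters[0], "")  # first letter's digit, for collapsing
    for c in letters[1:]:
        digit = _CODES.get(c, "")
        if digit and digit != last:
            code += digit
        if c not in "hw":  # h and w do not separate two same-coded consonants
            last = digit
        if len(code) == 4:
            break
    return (code + "000")[:4]


def accept_answer(expected: str, submitted: str) -> bool:
    """Accept if any word of the submitted text sounds like the expected word."""
    target = soundex(expected)
    return any(soundex(w) == target for w in re.findall(r"[A-Za-z]+", submitted))


def sound_alikes(expected: str, candidates: list[str]) -> list[str]:
    """Which of the candidates would pass as 'expected'? Shows the lenient side."""
    return [w for w in candidates if accept_answer(expected, w)]


# Constructed sample inputs (hypothetical registration answers).
SAMPLE_ANSWERS = ["Blue", "bleu", "blu e", "The sky is blue.", "black",
                  "bull", "bell", "ball", "green"]

if __name__ == "__main__":
    print(soundex("blue"), soundex("black"))          # B400 B420
    print(sound_alikes("blue", SAMPLE_ANSWERS))
```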
Other Styles of Questions
I have seen people propose that simple math problems are a good question. There is only one answer, right? Well, it depends.
Q: What is 2 + 2?
All of these are potential answers. And this doesn’t help against bots; try plugging 2+2= into the Google search form and see what you get.
I have seen people suggest that the question be embedded within an image like this:
This doesn’t really help either. Bots have already demonstrated a high degree of success against CAPTCHA images so putting our question into an image rather than text doesn’t really buy much. It also reduces or eliminates the ability of a visually impaired user to solve the challenge.
There are several benefits and issues with the question / answer style of CAPTCHA.
- With a finite list it is very easy for the user to interact with
- With a finite list it is very easy to validate
- The question can be tailored to the board audience
- The question and related answers can be maintained via a simple administrative page
- The technique does not penalize visually impaired users
- With a finite list this technique is susceptible to brute-force attacks
- Sophisticated bots might use search engines to solve the answer
- Use of a text field instead of a list control provides more protection from bots but requires more complex code and impacts the user experience
The number of advantages does outweigh the disadvantages. There are quite a few fans of this technique. There are several MODs for phpBB2 that provide this feature, and phpBB3 essentially has it built-in with the custom registration fields option. I consider this to be a preferable option to the image CAPTCHA techniques that are much more prevalent today.
Next time I want to talk about the “kitten auth” technique. I hope to have that post ready soon but have been fairly busy in real life lately so please be patient if it takes a bit longer.