Alternatives to CAPTCHAs

The following information is courtesy of Baldeep Birak from his project (CAPTCHA SAM) at Portsmouth University. The content on this page has been copied from his report (pages 67-68). Additional content can be found at his website. Before you read the rest of this page we would like to clarify that we are not against the use of CAPTCHAs, but that you should think about whether you really need one. The findings below may help you decide whether the use of one or more of these alternatives would help keep your website more accessible to a wider audience.

The system used on Wordpress called "hashcash" (Back 2007) makes use of JavaScript on the userís browser to tell whether if the initial page load was carried out by a human or a bot. This system uses JavaScript on the client and server end to work this out. If a bot loaded the web page then this would not verify with the system. Additionally this would also be a problem in Firefox, Opera and Safari where the user can turn off JavaScript with ease.

The idea of "honeypots" (Batchelder 2008) is to attract a bot to add data into hidden fields on a form. The idea here is that a human cannot see hidden fields so only enters in information in the fields they can see. A bot would enter data into all fields and by validating the form entry on the hidden fields the administrator of the website can combat a percentage of spam on their blogs, forums or other input systems. There are multiple methods to hide text boxes on forms including: html, JavaScript and CSS.

Switching form fields
The other option is to switch the order of field entries or even make the user enter one detail in one text box and another detail in the other. A good example of this would be where a name is entered in an email text box and an email is entered in the name textbox. What makes this a good switch is that it makes it easier to validate the data by looking for the "@" symbol.

The following paragraph has been taken from the same report (pages 59-60). This CAPTCHA is called tppCAPTCHA (PHP Pro 2006) and uses ASCII text to show characters and numbers to the user. ASCII art has been around for many years, but this type of CAPTCHA is new to most and one we believe will be heard by many over the next few years.

There are some good and bad points for all of these alternatives. The "hashcash" system relies on the user to have JavaScript enabled and more and more people are turning this off as a result of how it is used on certain websites. The idea of switching data entry on a form would be confusing to the user of the website. Unless a human read a notice somewhere on the website of what to do, they may be considered as a spammer by the system. The other option of changing two of the text box names with make the prevention only half as good as an spam attacker would just fill the information in the correct order by using the name of the text boxes.

The use of "honeypots" is a great idea to use and was used in this project. This would only work well as long as the browser supports JavaScript and / or CSS, otherwise the html option of hiding text boxes (that is easier to detect) would have to be used. This brings us to another problem of "playback bots" where a human analyses the website and creates the script that avoids these traps. So where W3C say "techniques are as effective as CAPTCHA, without causing the human interaction step that causes usability and accessibility issues" would make this statement false. These alternatives found by us have flaws and in the article W3C do not provide such alternatives. If there are some good systems out there, please show them to us so we can use them.