I've noticed recently (more and more) that reCAPTCHA is getting really hard to solve. Really hard. Actually, it's frequently impossible. Google either needs to fix it or website owners need to stop using it.
I've used reCAPTCHA on various websites for a long time, and I never noticed any problems with it. In fact, I used to think that it was a pretty cool technology, because it has the side effect of helping to digitize old books and newspapers so that people can read them online. That's a great cause, and it's a very clever application of technology.
Earlier this week I was looking at a website for a DC area food bank, and in order to contribute money, you have to fill out a reCAPTCHA. I struggled several times with the reCAPTCHA. It took me several minutes of searching for a reCAPTCHA that was readable, and I still got it wrong several times before I could complete my donation.
Big freaking deal right? So I had to wait a few minutes on the internet. First world problem. Nothing to see here.
Except this: I'm 29 years old and I have excellent vision. I'm also a computer geek and I've known about reCAPTCHA for years now. If it's difficult for me, I can't imagine how bad it is for people with less than perfect vision, or people who are intimidated by technology and can't understand why they are being forced to jump through a virtual hoop just to do something simple online.
I was so annoyed that I sent an e-mail to the food bank to let them know that they could be deterring online donations with this preposterously bad CAPTCHA. I quickly forgot about the whole thing, until…
Today I was trying to sign up for Atlassian BitBucket and wouldn't you know it? They have a reCAPTCHA to prevent spam. Given my experience just days before with the food bank, I had the presence of mind to take screen captures of this site. Let's take a look.
Ok, the first one is tough. The first word looks like hatyetr, maybe? The second word might be rate, but it's clipped by its bounding box and it could be rote or roto or… anything. Rather than waste time straining my eyes further, I opted for a new CAPTCHA. Next.
OK, this is absurd. It's just the whitespace in between two lines of text. I paused for a second while I choked down an expletive. Next.
Finally! This one looks pretty solvable. I don't remember exactly what I typed, but it was something like aeherip face. WRONG. Next.
Side note: when you submit an incorrect CAPTCHA, usually the page refreshes, which means if you've typed in a password, then that information is cleared out and you have to retype it before attempting another CAPTCHA. Anyway, I typed in my new password. Then I typed it again in the "confirm password" field.
Back to the main story…
I nailed this one: saileri are. Only 4 CAPTCHAs and typing my password 4 times to get registered.
Atlassian makes a lot of great products. As a developer, I really like most of them. But this reCAPTCHA sign up system is awful, particularly since it is coupled with the password creation. If one or the other fails, you have to redo both of them, which only compounds the opportunity to make mistakes.
Atlassian didn't build reCAPTCHA. They are just using it as a service, I know. But it's still their responsibility to evaluate and vet 3rd party services that they incorporate into their products.
I'm not alone in thinking that CAPTCHAs are terrible:
So lots of people hate it and studies show that most users are tripped up by it. What are the alternatives?
Well, there aren't any great alternatives. Some research has been done to use image recognition, such as showing 3 pictures of a cat and 1 picture of a dog, and asking the user which picture is different. This has not been widely commercialized, however, and I suspect the reason for that is that computer technology is rapidly progressing to the point where a computer can easily distinguish a cat from a dog, which will just put us back where we started.
Ultimately, CAPTCHAs may be unavoidable in certain circumstances with today's technology. But many sites ought to be able to get away without one by designing the rules of their system in a way that disincentivizes spam: for example, using Bayesian filtering, a reputation system, and/or rate limiting to keep users from spamming each other.
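As an added illustration of the rate-limiting and reputation idea above (example code written for this post, not Atlassian's or Google's): a sliding-window limiter per client key whose budget is scaled by a reputation score fed back from a downstream spam filter. The class name, thresholds and IP addresses are constructed for the demo.

```python
import time
from collections import defaultdict, deque


class SubmissionGate:
    """Sliding-window rate limit per client key (source IP, account id, ...),
    with the budget scaled by a simple reputation score. Hypothetical helper
    written for this post; not code from any real CAPTCHA or sign-up service.
    """

    def __init__(self, base_limit=3, window_seconds=600):
        self.base_limit = base_limit
        self.window = window_seconds
        self._events = defaultdict(deque)    # key -> timestamps of admitted submissions
        self._reputation = defaultdict(int)  # key -> +1 per clean post, -2 per flagged post

    def limit_for(self, key):
        """Good history widens the budget (at most doubling it); flagged history shrinks it to 1."""
        rep = self._reputation[key]
        if rep < 0:
            return 1
        return self.base_limit + min(rep, self.base_limit)

    def allow(self, key, now=None):
        """Return True if this submission may proceed, recording it if so.
        Rejected attempts are not recorded, so a client that keeps hammering
        stays blocked until its older admitted attempts age out of the window."""
        now = time.monotonic() if now is None else now
        q = self._events[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit_for(key):
            return False
        q.append(now)
        return True

    def record_outcome(self, key, flagged):
        """Feed back the verdict of a content filter (e.g. a Bayesian classifier)."""
        self._reputation[key] += -2 if flagged else 1


def demo():
    gate = SubmissionGate(base_limit=3, window_seconds=600)
    # constructed burst: one client submits five times within forty seconds
    verdicts = [gate.allow("203.0.113.7", now=t) for t in (0, 10, 20, 30, 40)]
    # the window slides: once the first submission ages out, one more is admitted
    later = gate.allow("203.0.113.7", now=601)
    # a client whose earlier post was flagged as spam is cut to one submission per window
    gate.record_outcome("198.51.100.9", flagged=True)
    flagged = [gate.allow("198.51.100.9", now=t) for t in (0, 1)]
    return verdicts, later, flagged
```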
In Atlassian's case, I was registering with my Google OpenID, which means Atlassian should probably just trust that Google has already vetted me. The same consideration can be applied to many OpenID providers. (Although, ultimately, those providers are probably also using CAPTCHAs.)
There may also be security through obscurity -- although it pains me to use that phrase. Spam is a business with razor thin margins; if you can create just a small amount of cost to the spammer, then you break his business model. Therefore, if your small site uses a proprietary CAPTCHA that is dissimilar to reCAPTCHA and other well-known CAPTCHAs, then a spammer doesn't have any financial incentive to invest resources trying to crack it.
Finally, if you run a charity: get rid of the CAPTCHA on the donation page and take the damn money!