CAPTCHA Best Practices

(Security Beginner's No-Nonsense Introduction)

21. 7. 2006, by Matej Šarić


I don't need to tell you about spam - you already know all you ever wanted to know about it. Actually, I bet you know much more than you ever wanted to. What you really want is to know less about it, and fast.

Chances are, if you're serious about trying to unlearn as much as possible about spam, you're using CAPTCHA protection on your website.

So, here's a little checklist you might find helpful if you're a CAPTCHA beginner:

  1. Consider the trade-offs
  2. Always provide alternatives
  3. Don't expect absolute security
  4. Ensure 'good enough' security

Consider the Trade-offs

The Problem

CAPTCHAs are very good at one thing: They prevent postings. Mostly they do it to the automated unwanted ones, but sometimes also to the wanted manual ones.

Neither annoying users with three CAPTCHAs per page, nor letting spam annoy them instead is very good. And it's up to you to carefully weight all the options to find that uncanny combination of two evils that yields the least evil result.

Ultimately, it's a question of Security vs. Usability: Which pages/scenarios are really worth protecting? Which are just annoying your visitors (and sending them off to some friendlier site instead)?

The Solution

At best, users learn to tolerate the CAPTCHA. Never abuse their tolerance, and use CAPTCHA as rarely as possible - i.e. only when you're sure it's needed. While you are using CAPTCHA to stop spambots, the reason you are trying to stop spambots in the first place is to make your site more usable, readable and enjoyable for your users.

So, for each "postable" part of your website:

  1. make sure it works perfectly smooth for the regular, legitimate users first
  2. using CAPTCHA, make sure it works hellishly rough for the would-be spammers, without affecting 1)

Always Provide Alternatives

The Problem

The letter "T" in the acronym "CAPTCHA" stands for "Turing Test", which is an old way of saying it is meant to tell computers and people apart. It does that by giving them a problem to solve - one that is most often visual in nature.

That makes it hard (if not impossible) to solve for people who have less-than-perfect vision, who are colorblind, or even completely blind. Furthermore, as CAPTCHA-breaking algorithms get better, modern CAPTCHA tests get harder and harder, making them rather challenging to read even for people with perfect vision.

The Solution

Just make sure all users (who could possibly have any problem whatsoever reading your CAPTCHA) have an alternative way of accessing whichever resource you are protecting. The point is to give all people a fair chance.

You could provide alternative CAPTCHA test versions which don't use distorted text (like sound CAPTCHAs, textual puzzles etc.). You should provide an email address which users can use to contact the administrator to manually allow them access.

Don't Expect Absolute Security

The Problem

Absolute, 100% security is a fiction. This applies to all aspects of computer security equally (CAPTCHA included). What's even stranger, that's nothing to panic about. Nothing to worry about, either. But it sure is something to think about.

Starting with this: With enough time, effort, resources and knowledge, any security measure can be broken. That's probably the first axiom of security. But that doesn't mean that any security measure will be broken.

The Solution

The idea is not to make it impossible to attack your website, but to make it very hard, inefficient, and generally just not worth it. All you have to (and can) accomplish is the state when you can honestly say that on your website, crime doesn't pay.

Only doing things that pay off applies to you as much it does to the would-be-spammers. You can't and don't want to protect everything. Those parts that you can and want to protect, you can't protect perfectly. Learn to deal with it.

Ensure 'Good Enough' Security

The Problem

The basic CAPTCHA idea is to come up with a test that a) most humans can pass b) most current technology level spambots can not pass. Now quickly - tell me, who (humans) or what (spambots) is more likely to get significantly better at reading heavily distorted text in the next 5 years?

So, does it make sense to improve security by making the CAPTCHA text more and more distorted?

The Solution

Use easily readable CAPTCHA rendering algorithms. Use a number of different ones. Switch them randomly. Add random variations to each one.

While switching rendering algorithms and adding variations won't stop each and every spambot attack, it will make automated OCR breaking very close to impossible. Current level AI just can't deal with that much randomness. Use this approach and attackers will have to a) give up b) come up with something better.


(Also Known As: Stay No-Nonsense)

Truly enjoying all the benefits of CAPTCHA, while avoiding most of the problems, is not simple. Reading this and applying it can help you get started on the right track. Just remember, you also have to continue following it.