CAPTCHAs. You’ve run into them. You’ve failed to complete them properly and you’ve probably blamed yourself. It’s a normal reaction to blame yourself if something goes awry with a computer. But should you? Why place the burden of figuring out CAPTCHAs on yourself or your users? The short of it is that you shouldn’t. The long answer is a little more complicated. Regardless, people who build websites should reduce anything that could hinder a user. If a user has to re-enter a CAPTCHA code over and over because they can’t figure it out, is that really helping your site’s goals?

What are CAPTCHAs?

CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart, which is quite a mouthful. CAPTCHAs are typically seen as obscured letters and numbers in an image. Some help read books and some just frustrate users. There are quite a few types of CAPTCHAs, but the one most commonly seen is the scrambled text version. Others include math questions, simple questions such as “is fire hot or cold?”, and image selection CAPTCHAs, where the user is required to find images of something (a cat, for example) among other images.

Why they are used

CAPTCHAs are used to prevent robots from submitting forms, creating accounts, spamming and various other things. In some cases robots can cause some problems. Take for example a robot signing up for thousands of Gmail accounts. While it might not cause much stress on Gmail’s servers, it would create lots of email accounts that could be used for spamming people. Another case is spammers creating accounts on forums and then spamming the forum. CAPTCHAs help prevent robots from using websites and webapps.

The Bad

There are some downsides to using CAPTCHAs that I have already alluded to. CAPTCHAs aren’t always 100 percent effective against robots. There are tools out there that allow robots to read and extract the text of images, thereby rendering a CAPTCHA useless.

We also have to consider folks who are blind or have cognitive disabilities. Now you may say that the audio CAPTCHAs solve the blind user dilemma and they just might, but have you ever tried to listen to one of them? I’ve tried and never been quite able to understand them, and I like to think I have pretty good hearing. As for the folks with cognitive disabilities, they may have problems understanding what it is you are asking them to do with a CAPTCHA.

So let us consider an elderly person with poor vision and poor hearing. Using a CAPTCHA, even with an audio component, will effectively eliminate them as a user. CAPTCHAs can be hard for people with 20/20 vision to understand.


There is another fundamental problem with CAPTCHAs, and it is the crux of this article. CAPTCHAs assume by their very nature that all users are computers unless the user proves otherwise. Why should I have to prove to a computer that I’m a human? That seems a little backwards. Shouldn’t computers assume that their users are human until the user does something that is indicative of a computer?

The Good

So I’ve basically said that CAPTCHAs are evil and never should be used. Well, like with all things, moderation is the key. The use of CAPTCHAs as a deterrent to spammers should be considered a last resort. There are other ways to prevent robots from using your sites excessively. Though if you must use a CAPTCHA to help with spam fighting, I suggest using reCAPTCHA or a simple question CAPTCHA.


reCAPTCHA works out most of the problems I’ve described. As you can see, reCAPTCHA is fairly easy to read. In fact, the images are taken from scans of books that computers couldn’t figure out. The line is added to create some additional obscurity, but overall it is easy for humans. They also provide an audio alternative, which when compared to others doesn’t do a bad job. The icing for reCAPTCHA is that by using them the user types tiny parts of books into computers so that others can then read books electronically. The bad part is that reCAPTCHA is still a CAPTCHA and assumes that your users are computers unless they prove otherwise.

What you can do

So now that you aren’t going to use CAPTCHAs, what are your options? We all know spam isn’t going away any time soon, and CAPTCHAs have done a good job so far but have problems.

Hidden input

Most robots input data into form fields by scraping the page, gathering up the input names, matching them, and placing data in the values of those fields.

<input type="hidden" name="email" value="{some random string}" />

Some robots don’t read the type of input but rather just read the name and then change the values. So you can have your system check to make sure it isn’t changed. Now this isn’t 100 percent effective so you’ll want to use this in conjunction with other preventive measures.

Quick submit

Humans are slow even with the aid of computers, but robots don’t have the human factor and can submit forms pretty quickly. Another method to combat spam robots is to keep track of how quickly your forms get submitted. You can do this by storing IP addresses and the last time a user from that IP address submitted the form.

You may want to be careful with this method, as some offices/schools use one or two IP addresses and could register false positives.

Direct/form submission

You also want to make sure that your form handler scripts can’t be accessed directly. If they can be, you’ll want to check the referrer and make sure the submission is coming from a page on your site.
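The hidden input, quick submit and direct submission checks described above, combined in one server-side routine. This is an added example, not code from the original article; signing the hidden value with an HMAC so the server can recognise its own value without storing it, and the names `SITE_HOST`, `MIN_INTERVAL` and `check_submission`, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SECRET = secrets.token_bytes(32)  # assumption: per-deployment key, kept server-side
SITE_HOST = "www.example.com"     # placeholder host for the referrer check
MIN_INTERVAL = 5.0                # assumed minimum seconds between posts per IP

_last_seen = {}                   # ip -> time of that IP's last submission


def issue_hidden_value():
    """Value for <input type="hidden" name="email">: a nonce plus its HMAC."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def hidden_value_intact(value):
    """True only if the hidden field still holds a value this server issued."""
    nonce, _, mac = (value or "").partition(".")
    expected = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def check_submission(ip, fields, referer, now):
    """Return the robot indicators found; an empty list means accept."""
    reasons = []
    if not hidden_value_intact(fields.get("email")):
        reasons.append("hidden-field-changed")   # robot overwrote the bait field
    last = _last_seen.get(ip)
    if last is not None and now - last < MIN_INTERVAL:
        reasons.append("too-fast")               # shared IPs can trip this too
    _last_seen[ip] = now
    if urlparse(referer or "").hostname != SITE_HOST:
        reasons.append("bad-referrer")           # handler was hit directly
    return reasons


if __name__ == "__main__":
    # Constructed sample submissions (documentation IP ranges, made-up values).
    form = {"email": issue_hidden_value()}
    print(check_submission("203.0.113.7", form, "https://www.example.com/contact", 100.0))
    print(check_submission("198.51.100.9", {"email": "bot@spam.example"}, None, 200.0))
```

The Referer header is supplied by the client and is sometimes stripped by browsers or proxies, so treat `bad-referrer` as one signal alongside the others rather than as proof on its own.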


There are other methods to help with preventing robots from using your forms, but these should get you started. No method is 100 percent perfect, but these should create enough hoops for robots to jump through that they will move on to an easier target.

CAPTCHAs should be used sparingly if at all. Treat people as humans and robots as computers.
