Design patterns » Captcha

Good Defaults Inplace Editor

Captcha Edit

Problem summary

The application needs to verify that the data submitted originates from an actual human and not a robot.

Example

Captcha

Usage

Websites featuring the ability for visitors to comment, register as a user, or otherwise actively post content on the website are often exposed to attacks from spam-robots. The content posted by such spam-robots can be compared to spam sent by e-mail. The main purpose for the spam-robot on the web is however often to just create links to a specific website, so that website will rise in search results on for instance google.com. These spam-posts rarely have anything to do with the subject of the website, hence the spam categorization.

To avoid such spam, captchas are introduced. The whole idea is to create a way to distinguish real human beings from automated robots.

  • Use when your web application experiences attacks from malicious web-robots trying to post spam-content on your site
  • Use to protect your website from automated robots
  • Use when the capability to post content to your website is not blocked by the need to be logged in. Registration processes are included.

Solution

The most popular form of Captchas are images with letters and numbers inside. The user is then to write in a separate form field what the image reads. To prevent spammers from using OCR software to read the image, the image is manipulated in different ways, that makes it hard to interpret for computers while maintaining readability for humans.

If the user succeeds in typing what the image says, his content is posted to the website. If not, the action will be refused. It is common to allow a number of tries to enter the captcha text, as some captcha images are even unreadable to humans due to the strong image manipulation is has been exposed to.

Rationale

Captchas are short for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’. The whole idea behind Captchas is to distinguish humans from computers letting the user perform an action a computer can’t. A captcha is a simple Turing test.

There is a fine line between making a captcha unrecognizable for OCR scanners and still readable for human beings. Readability for the human has to come first. Other problems with implementing captchas to protect your website include a lock-out from visually impaired users as they can’t use voice software to speak what the captcha reads.

Other forms of protection from malicious spammers are asking questions like “what is 2 + 3” or “what is two plus three” or using voice captchas,

More example images of the 'Captcha' pattern

  • Captcha
  • The Captcha used for registrering a facebook account lets you ask for another captcha in case the image is too distorted. You also have the option of listening to what the captcha reads.

    The Captcha used for registrering a facebook account lets you ask for another captcha in case the image is too distorted. You also have the option of listening to what the captcha reads.

  • A captcha is used to at the youtube.com signup form to protect the site from spam.

    A captcha is used to at the youtube.com signup form to protect the site from spam.

  • The Captcha from the Craigslist sign up form lets you hear the words printed on the Captcha image.

    The Captcha from the Craigslist sign up form lets you hear the words printed on the Captcha image.


View more images

This document is in version 1 and was last updated on Dec 25, 2008 by Anders. Edit this pattern.

You are reading the "Captcha" pattern.
Good Defaults Inplace Editor
Rated 40% positive
40.0
10 votes
This pattern was helpful This pattern is useless

Related information

Collection

Related patterns

Related links

Captcha has 5 comments

  • 10 months ago Chris 26 Aug 2008

    Perhaps what’s good practice as documented in this pattern should also be implemented in this “Post a comment” feature as well. UI-Patterns is lacking accessibility and refresh featires for your CAPTCHA.

    Just an observation =)

  • 8 months ago Anders Toxboe 11 Oct 2008

    Chris: You’ve got a good point there. But then again… you always have to compare the costs of implementing a better captcha to the potential benefits. In the case of UI-patterns.com, I believe that the potential benefits do not come close to matching the costs (time) of implementing it.

    But definitely a good point ;-)

  • about 1 month ago damasta 10 May 2009

    40 to 60 percent of youtube captchas are human unreadable themselves, serously

    also, I did the captcha on this site wrong twice too, but that’s just because I’m not wearing my contacts

  • 19 days ago Phil 11 Jun 2009

    Im a big fan of the reCAPTCHA service – it provides a nice easy way to use robust captchas on your website. They also have an accessibility feature where partially sighted people can listen to an audio version of the captcha.

    While its fine to use a simple captcha on a comment form it might be wiser to use a more complex captcha on something like a login form to prevent brute force attacks. Some good rules for captcha design can be found at

    http://www.idontplaydarts.com/2009/06/breaking-a-captcha-rules-for-good-design/

  • less than a minute ago online gambling forum 1 Jul 2009

    Has anyone here tried to leave a comment with success. It’s nearly impossible. I refreshed the screen over 20 times to read the captcha. It always comes up as invalid. Try and let me know.My users are able to comment fine, but the Captcha images are kinda hard to read. There are others out there that are easier to read and still have the same effect, so maybe we could get ours updated.

Post a comment

Required
Required
Will not be published
simple_captcha.jpg
Required
Type the code from the image