My definitive guide to why CAPTCHA sucks

Paul Boag

CAPTCHA is one of the most damaging and unnecessary user interface elements. Those that use CAPTCHA cannot claim to be user centric in their approach.

My wife had forgotten her password. It was hardly surprising. The mobile app wanted upper case characters, numbers and punctuation. Why that was necessary was beyond me. In fact why they didn’t make use of Touch ID is even more confusing. But that isn’t the topic of this post.

Even with the best system in the world people will forget their passwords. My problem was with what happened next. In order for them to email her a new password she had to complete a CAPTCHA field. This was horrendous for all kinds of reasons.

Why CAPTCHA sucks

Like many CAPTCHAs, this one was impossible to read. Also, until I pointed it out, my wife didn’t realise she could reload an alternative one. The alternative was no better. Neither was the third or fourth.

Any company that uses CAPTCHA cannot claim to be user centric.

We switched to the audio version in the hopes that would help. It didn’t. It is beyond me how anybody with a visual impairment could decipher that noise! CAPTCHA is in no way accessible.

To make matters worse my wife was trying to complete this task on a mobile device. Refreshing the CAPTCHA was fiddly. Each time she had to reselect the field to make another guess. She also had to wait for the page to reload over the poor 3G connection.

It is not that my wife is an outlier. 38% of people fail to complete a CAPTCHA first time. From there, things get even worse. 80% of second attempts fail, 70% of third attempts and 90% of fourth. Few are willing to try more than five times, and who can blame them? And that was on a desktop. Imagine what the failure rate is on a mobile device, where the CAPTCHA picture is smaller and even harder to read.

But CAPTCHA isn’t just frustrating for the user. It is also bad for business. When Reddit removed CAPTCHA from its signup process they saw an 8% increase. That means CAPTCHA was driving away almost 10% of people.

The ridiculous thing is that CAPTCHA is unnecessary.

Why CAPTCHA is unnecessary

Sites use CAPTCHA for one of two reasons. Either to reduce spam or to improve security. The thing is there are more effective solutions to both problems.

Security alternatives

I have already mentioned Touch ID as an alternative for mobile devices. But there are many more low tech options. Texting or emailing an authentication code is a common solution especially with lost passwords.

Google is one of many companies moving away from CAPTCHA to the more secure two step validation.

Time limits between attempts, or limiting the number of attempts, prevent brute force attacks. Although not perfect, these are better than CAPTCHA, which has proven breakable.
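The two security alternatives above (an emailed or texted one-time code, and limits on the timing and number of guesses) fit naturally in one piece of code. The following is an added example, not code from the post or from any product it mentions; the class name, the policy values (ten-minute expiry, five guesses, two seconds between guesses) and the six-digit code format are assumptions for illustration. Only a salted hash of the code is stored, the code is consumed on first correct use, and a guess that arrives too soon after the previous one is refused before it is even compared.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy values for the example; a real deployment tunes these.
CODE_TTL_SECONDS = 10 * 60      # code expires ten minutes after it is issued
MAX_ATTEMPTS = 5                # wrong guesses allowed before the code is voided
MIN_INTERVAL_SECONDS = 2.0      # minimum gap between guesses for one account


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted hash so a leaked store does not reveal live codes.
    return hashlib.sha256(salt + code.encode()).digest()


@dataclass
class PendingReset:
    salt: bytes
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    last_attempt_at: float = 0.0


class ResetCodeStore:
    """Issues and verifies one-time reset codes with attempt and rate limits."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can control time
        self._pending = {}       # account -> PendingReset

    def issue(self, account: str) -> str:
        """Create a fresh six-digit code for `account`; the caller texts or emails it."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        salt = secrets.token_bytes(16)
        self._pending[account] = PendingReset(
            salt=salt,
            code_hash=_hash_code(code, salt),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, account: str, guess: str) -> tuple:
        """Return (ok, reason). A correct guess consumes the code."""
        entry = self._pending.get(account)
        now = self._clock()
        if entry is None:
            return False, "no pending reset"
        if now > entry.expires_at:
            del self._pending[account]
            return False, "code expired"
        if now - entry.last_attempt_at < MIN_INTERVAL_SECONDS:
            # Time limit between attempts: refuse without evaluating the guess.
            return False, "too many requests; slow down"
        entry.last_attempt_at = now
        entry.attempts += 1
        # Constant-time comparison of hashes, so timing does not leak the code.
        if hmac.compare_digest(_hash_code(guess, entry.salt), entry.code_hash):
            del self._pending[account]   # single use
            return True, "ok"
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[account]   # void the code; the user must request a new one
            return False, "too many wrong attempts; request a new code"
        return False, "wrong code"


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("alice@example.invalid")   # constructed account name
    print("code to send:", code)
    print(store.verify("alice@example.invalid", "000000"))
    print(store.verify("alice@example.invalid", code))   # refused: too soon after the last guess
```

The attempt counter is per code rather than per IP address, so a distributed guesser gains nothing from spreading requests, and a user who is locked out simply requests another code, which is still far less work than a fourth CAPTCHA.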

SPAM prevention

When it comes to SPAM there are alternatives to CAPTCHA, such as solving basic puzzles or using pictures. But these alternatives miss the point. They are still making spam the user’s problem. Why should the user be inconvenienced because we have a problem with spam?

What is more, there is no reason why the user ever needs to know about our spam problem. Spam filters have become sophisticated and can remove the majority of attempts.

The honeypot technique is another excellent solution, and one that doesn’t need the user to do anything. It involves creating a hidden field, invisible to users but visible to bots. The developer labels the field in such a way as to encourage bots to fill it in. If the field has content in it, then we can presume the submission is spam.
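Here is the honeypot in working form, as an added example that is not code from the post. The field name `website_url`, the form markup and the sample submissions are constructed for illustration. Two practical details matter for the user the post is worried about: the trap is hidden with CSS rather than `type="hidden"` (bots tend to skip hidden inputs but fill visible-looking ones), and it carries `autocomplete="off"`, `tabindex="-1"` and `aria-hidden`, so browser autofill, keyboard users and screen-reader users do not trip it by accident. Treating a submission that lacks the field entirely as spam (a POST that never loaded the form) is a stricter choice of this example, not something the post states.

```python
from dataclasses import dataclass

# Constructed field name for the example. It should look like something worth filling in
# (bots key on names such as "url" or "website") while real users never see it.
HONEYPOT_FIELD = "website_url"

# Markup the server renders. The trap is pushed off-screen with CSS rather than given
# type="hidden"; autocomplete="off" and tabindex="-1" keep autofill and keyboard users
# out of it, and aria-hidden keeps screen readers from announcing it.
FORM_HTML = f"""
<form method="post" action="/comment">
  <label>Name <input name="name"></label>
  <label>Comment <textarea name="comment"></textarea></label>
  <div style="position:absolute;left:-10000px" aria-hidden="true">
    <label>Website <input name="{HONEYPOT_FIELD}" autocomplete="off" tabindex="-1"></label>
  </div>
  <button>Post comment</button>
</form>
"""


@dataclass
class Verdict:
    spam: bool
    reason: str


def classify_submission(form: dict) -> Verdict:
    """Classify a parsed POST body (field name -> value) without involving the user."""
    if HONEYPOT_FIELD not in form:
        # The field is always rendered, so its absence means the poster never loaded
        # the form. Stricter than the bare honeypot rule; an assumption of this example.
        return Verdict(True, "honeypot field missing from submission")
    if form[HONEYPOT_FIELD].strip():
        # No human can see the field, so any content was put there by a bot.
        return Verdict(True, "honeypot field filled")
    return Verdict(False, "honeypot empty")


def handle_comment(form: dict) -> str:
    """What a request handler does with the verdict: store the comment, or drop it quietly.

    Answering with the normal success page rather than an error gives a bot nothing to
    adapt to, and a legitimate user who somehow tripped the trap is never shown a puzzle.
    """
    verdict = classify_submission(form)
    if verdict.spam:
        # In a real handler: log the reason so false positives can be tuned; store nothing.
        return f"discarded ({verdict.reason})"
    return f"stored comment from {form.get('name', 'anonymous')}"


# Constructed sample submissions: what a browser sends, and what a form-filling bot sends.
HUMAN_POST = {"name": "Ann", "comment": "Nice post.", HONEYPOT_FIELD: ""}
BOT_POST = {"name": "x", "comment": "cheap stuff", HONEYPOT_FIELD: "http://spam.invalid"}

if __name__ == "__main__":
    print(handle_comment(HUMAN_POST))
    print(handle_comment(BOT_POST))
```

Rotating the field name occasionally and logging which rule fired keeps the filter effective and lets you measure how often real users are caught, which is the number a user-centric team should actually be watching.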

In fact there is no end of alternatives to CAPTCHA. You have to wonder why it is still so popular. I have read comments that justify CAPTCHA on the basis that it is widely used. This is of course circular logic.

The truth is that CAPTCHA is easier and cheaper. It is easier to make our problems with security and spam the user’s problem than to tackle them on our end. The flaw in this logic is that in doing so we are driving those users away, and that is costing us money.