My definitive guide to why CAPTCHA sucks

CAPTCHA is one of the most damaging and unnecessary user interface elements. Those that use CAPTCHA cannot claim to be user centric in their approach.

My wife had forgotten her password. It was hardly surprising. The mobile app wanted upper case characters, numbers and punctuation. Why that was necessary was beyond me. In fact why they didn’t make use of Touch ID is even more confusing. But that isn’t the topic of this post.

Even with the best system in the world people will forget their passwords. My problem was with what happened next. In order for them to email her a new password she had to complete a CAPTCHA field. This was horrendous for all kinds of reasons.

Why CAPTCHA sucks

Like many CAPTCHAs this one was impossible to read. Also until I pointed it out my wife didn’t realise she could reload an alternative one. The alternative was no better. Neither was the third or fourth.

Any company that uses CAPTCHA cannot claim to be user centric.
We switched to the audio version in the hopes that would help. It didn’t. It is beyond me how anybody with a visual impairment could decipher that noise! CAPTCHA is in no way accessible.

To make matters worse my wife was trying to complete this task on a mobile device. Refreshing the CAPTCHA was fiddly. Each time she had to reselect the field to make another guess. She also had to wait for the page to reload over the poor 3G connection.

It is not that my wife is an outlier. 38% of people fail to complete a CAPTCHA first time. From there things get even worse. 80% of second attempts fail, 70% of third attempts and 90% of fourth. Few are willing to try more than five times and who can blame them. And that was on a desktop. Imagine what the failure rate is on a mobile device. A device where the CAPTCHA picture is smaller and even harder to read.

But CAPTCHA isn’t just frustrating for the user. It is also bad for business. When Reddit removed CAPTCHA from its signup process they saw an 8% increase. That means CAPTCHA was driving away almost 10% of people.

The most ridiculous thing is that CAPTCHA is unnecessary.

Why CAPTCHA is unnecessary 

Sites use CAPTCHA for one of two reasons. Either to reduce spam or to improve security. The thing is there are more effective solutions to both problems.

Security alternatives

I have already mentioned Touch ID as an alternative for mobile devices. But there are many more low tech options. Texting or emailing an authentication code is a common solution especially with lost passwords.

Google is one of many companies moving away from CAPTCHA to the more secure two step validation.
Time limits between attempts or limiting the number of attempts prevents brute force attacks. Although not perfect these are better than CAPTCHA which has proven breakable.
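The emailed or texted code and the attempt limits described above can be combined in one check. The following is an added example, not code from any site mentioned here; the class name, the 10-minute lifetime, the five-attempt cap and the doubling delay are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per issued code (assumed value)
BASE_DELAY = 2      # seconds; doubles after every wrong guess (assumed value)


class ResetCodes:
    """In-memory store; a real service would persist this per account."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> state for the one outstanding code

    def issue(self, account):
        """Create a 6-digit code to email or text; only its hash is kept."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = {
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires": self._clock() + CODE_TTL,
            "failures": 0,
            "next_try": 0.0,
        }
        return code

    def verify(self, account, guess):
        """Return 'ok', 'wrong', 'wait', 'locked' or 'expired'."""
        state = self._pending.get(account)
        now = self._clock()
        if state is None or now > state["expires"]:
            self._pending.pop(account, None)
            return "expired"
        if state["failures"] >= MAX_ATTEMPTS:
            return "locked"   # attempt limit reached: a new code is needed
        if now < state["next_try"]:
            return "wait"     # time limit: the guess is not even evaluated
        digest = hashlib.sha256(guess.encode()).digest()
        if hmac.compare_digest(digest, state["digest"]):
            del self._pending[account]   # single use
            return "ok"
        state["failures"] += 1
        state["next_try"] = now + BASE_DELAY * 2 ** (state["failures"] - 1)
        return "wrong"
```

Requests for a new code need their own limit per account, otherwise re-issuing resets the failure counter.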

SPAM prevention

When it comes to SPAM there are alternatives to CAPTCHA. Alternatives such as solving basic puzzles or using pictures. But these alternatives miss the point. They are still making spam the user's problem. Why should the user be inconvenienced because we have a problem with spam?

What is more there is no reason why the user needs to ever know about our spam problem. Spam filters have become sophisticated and can remove the majority of attempts. 

The Honeypot technique is another excellent solution. A solution that doesn’t need the user to do anything. This involves creating a hidden field invisible to users but visible to bots. The developer labels the field in such a way to encourage bots to spam it. If the field has content in it then we can presume it is spam.
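A minimal server-side version of the honeypot, as an added example that is not from the original post: the field name `website`, the form markup and the three verdicts are assumptions, and the sample POST bodies are constructed.

```python
from html import escape
from urllib.parse import parse_qs

HONEYPOT = "website"   # assumed field name: looks worth filling to a bot


def render_comment_form(action="/comment"):
    """HTML form whose decoy field is moved off screen, taken out of the tab
    order and hidden from the accessibility tree; the label covers clients
    that render it anyway."""
    return f"""<form method="post" action="{escape(action, quote=True)}">
  <label>Comment <textarea name="comment" required></textarea></label>
  <div aria-hidden="true" style="position:absolute;left:-9999px">
    <label>Leave this field empty
      <input type="text" name="{HONEYPOT}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Post</button>
</form>"""


def classify_submission(body):
    """Classify a urlencoded POST body as 'accept', 'spam' or 'reject'."""
    fields = parse_qs(body, keep_blank_values=True)
    decoy = fields.get(HONEYPOT)
    if decoy is None:
        return "reject"   # browsers send empty text inputs, so this was not our form
    if any(value.strip() for value in decoy):
        return "spam"     # people never see the field, so content means a bot
    if not any(value.strip() for value in fields.get("comment", [])):
        return "reject"   # nothing to post
    return "accept"


# Constructed sample POST bodies (not captured traffic).
SAMPLES = {
    "human": "comment=Nice+post&website=",
    "bot": "comment=Buy+now&website=http%3A%2F%2Fspam.example",
    "scripted": "comment=hello",
}
```

Returning the normal success page for a `spam` verdict keeps the user out of it entirely and gives the sender no error to react to.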

In fact there is no end of alternatives to CAPTCHA. You have to wonder why it is still so popular. I have even read comments that justify CAPTCHA on the basis that it is widely used. This is of course circular logic.

The truth is CAPTCHA is easier and cheaper. It is easier to make our problems with security and spam the user's problem. Easier than tackling the problem on our end. The flaw in this logic is that in doing so we are driving those users away and that is costing us money.

  • Hazel Bolton

    Hi Paul,

    totally agree about your point that many alternatives to CAPTCHA still make spam the users’ problem. That needs to stop.

    Re honeypots though, there are implications for accessibility. Anyone using a keyboard and hearing the web page, rather than seeing it, could fall prey to the honeypot. Do you think it could be labelled in such a way that tricks spambots but not real users?

    Google’s no CAPTCHA reCAPTCHA apparently plays nice with assistive technology and keyboard navigation

    However, it could look so unfamiliar that it damages conversions on the form, as seen in this case study:

    • You are right about Honeypot but it is still more accessible than any other solution in my opinion. Just because something is readable with assistance technology does not make it accessible. Some careful labelling can deal with the honeypot problem.

  • Great article Paul to get people thinking about not using CAPTCHA or reCAPTCHA. Usually, the LABEL for the honeypot says something like “do not fill out this field it used to stop SPAM bots” or something like that.

    Also, logic questions could be an issue for those with cognitive issues and those with dyslexia are pretty much going to not even try the CAPTCHA.

    jfc iii

  • NDO

    Thank you. I used CAPTCHA without thinking much about the end user experience or whose problem I was making it. Time to rethink some user interfaces.

  • Allyson Oberts

    I understand that this perspective is from the design world, but I find it disheartening that the article didn’t address the good that reCAPTCHA does. The reason that the text on reCAPTCHA is hard to understand is that it is, usually, scanned in from books. By filling out reCAPTCHA we are helping to decode thousands of books.

    • Decoding books is great if I volunteer to do it. But that is not what is happening with CAPTCHA. I am being forced to do it.

  • David Yates

    Hi Paul. I agree with your comments but as you note, there are many alternatives to captcha although interestingly recaptcha is at the forefront here. One of the best alternatives I have come across is through recapture from google – also see example on attached.

  • Paul, I think the new “I am not a robot Captcha” is great. Nothing to squint at, and there’s also a game–we like games– (shows a grid of 6-9 images and has you pick out the ones with a common theme). Nothing offensive or off-putting there. Do you still think Captcha is bad?

    • I absolutely do. You can make it as pretty as you want but ultimately I am having to prove I am human. Why should I? Why is this my problem?