
You know those annoying widgets at the end of many web forms that make you fill in a code of numbers and letters before you can submit the form?
I hate those things. And if you don’t, by the end of this blog you will.
Captcha stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. The intention is to allow people to publish forms on their websites with a relatively high level of confidence that spam-generating automated programs won’t be able to fill in the forms and submit them because those spam bots cannot complete the captcha.
Sounds great in theory, but in practice those same forms are also cumbersome to humans because sometimes the codes are so difficult to figure out that the human in question becomes frustrated and departs before completing the process. Worse still, sometimes a real life flesh and blood human enters the captcha code incorrectly, but thinks they did it properly and leaves the site awaiting a response that will never come. Both of these scenarios mean lost customers.
So this leads to my thoughts on captchas.
Don’t Use Them.
Seriously. Don’t use them.
I know you want to reduce the amount of spam in your mail box, but that’s your problem, not your customers’ or potential customers’ problem. In this economy getting customers to part with their money is hard enough without throwing more roadblocks at them. Your mission should be to create as little space between you and a prospect as possible. A captcha does not help you reach that goal.
A group of researchers at Stanford researched the subject and here is their (partial) conclusion (bold mine):
We have presented a large scale study of how much trouble captchas present for humans. We collected 5000 captchas from each of 13 most widely used image captcha schemes and 3500 captchas from the 8 most widely used audio captcha schemes, and had them each judged by multiple human subjects from Amazon’s Mechanical Turk and an underground captcha-breaking service. Overall, we found that captchas are often harder than they ought to be, with image captchas having an average solving time of 9.8 seconds and three-person agreement of 71.0%, and audio captchas being much harder, with an average solving time of 28.4 seconds, and three-person agreement of 31.2%.
The full PDF report can be found here.
Forbes distilled the study here.
An independent study by SEOMOZ on captcha conversion rates can be found here.
A group of researchers in the UK came to many of the same conclusions.
Comedian Bill Maher sees it this way: “New Rule: Stop making me type in the trippy security letters. I’m trying to access my account, and all I can think is, all right, which one of you assholes laced my weed.”
And one of my favorites: F**ck Captcha
Once you’ve read (or scanned) all of the above, we should be in full agreement that having a captcha on your site is a bad…
What? You still want a captcha?
Really?
OK, fine.
What To Do If You Still Want A Captcha On Your Form.
You should know that captchas are relatively easy to build from scratch. As a result there are something like 47 gajillion of them on the web. Here are some rules to help you wade through the clutter.
Don’t use a captcha provided free by {insert dude here} unless you know said dude. Just because someone writes a program and makes it available for free doesn’t mean the programming is good. Or safe. Or works at all. The last thing you want is an easy-to-read captcha that works great for your end users, but doesn’t deliver the message to you because of a programming glitch.
How about paid captchas, you ask? If you pay for the pleasure of a captcha, let me know because I have this amazing deal on a bridge in the tri-state area for you. Chances are most paid captchas are repurposed from some other free source and the author is sitting around waiting for a sucker to bite.
OK, so you find a free captcha that you like, but it links to a third-party service. All captchas work in two stages: the first is when the form is delivered to the user, and the second is when the form is submitted and the captcha answer is checked. Sometimes that check requires a third-party arbitrator, which is fine, except when that service is down. If their great and free captcha service is down, then so is your form.
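One way to keep the second stage from taking the form down with the verification service, as an added example that is not code from this post or from any captcha provider. The `verify` callable, the `VerifierUnavailable` exception and the list-based inbox and review queue are hypothetical stand-ins.

```python
from enum import Enum


class Outcome(Enum):
    DELIVERED = "delivered"    # captcha passed, message sent on
    REJECTED = "rejected"      # captcha failed, visitor must be told to retry
    HELD = "held_for_review"   # verifier unreachable, message kept for a human


class VerifierUnavailable(Exception):
    """Hypothetical error a verifier client raises on timeout or outage."""


def handle_submission(form, verify, inbox, review_queue):
    """Second captcha stage: check the answer without losing the message.

    verify(token) returns True/False and may raise VerifierUnavailable.
    inbox and review_queue are plain lists standing in for mail delivery
    and a moderation queue (assumptions for this example).
    """
    try:
        passed = verify(form.get("captcha_token", ""))
    except VerifierUnavailable:
        # Outage at the third party: neither drop the lead nor skip the
        # check silently. Park the message where a person will review it.
        review_queue.append(form)
        return Outcome.HELD
    if not passed:
        # The caller must show an explicit error, so the visitor does not
        # leave believing the form went through.
        return Outcome.REJECTED
    inbox.append(form)
    return Outcome.DELIVERED


# Constructed stand-ins for a remote verification service.
def verifier_up(token):
    return token == "good-token"


def verifier_down(token):
    raise VerifierUnavailable("timeout talking to captcha service")
```

Holding unverified messages for review means spam sent during an outage lands in the queue rather than the inbox, and real enquiries are not lost.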
When in doubt, use Google’s ReCaptcha. It’s easy to implement and has Google’s reliability behind it. This will let you…
What? You read the Stanford study which found that Google’s captcha wasn’t that good?
OK, now you’re just nitpicking.
Yes, ReCaptcha was on the high end in terms of time-to-solve, but not by much, and in my opinion its reliability is superior. If you want a second option, try http://captchas.net/. They have been reliable in my experience, but for sites that do not generate much traffic, they have an automated termination policy for infrequent use. Read their documentation carefully.
More Important Stuff To Think About
Regardless of which path you go down, you should also follow some additional guidelines with respect to your forms.
- Use a different email address for your forms than you use for everyday email. Using a personal email address can get messy once forms start coming in. If you decide to use only one account, create a separate folder or rule for your forms so that they sit somewhere separate from your personal messages.
- Remember that spam prevention is still a factor. If a legitimate user submits a form, but your spam program thinks the message is not legit, then that message may be hidden from you. Check your spam folder on a regular basis to make sure there are no potential customers sitting there.
- Measure how many times your form is submitted, but also how many times the captcha is submitted correctly and incorrectly. This data will be beneficial in helping you decide whether a captcha is a good idea on your site or could be costing you too many leads and customers.
- If you have a decent amount of traffic and form submissions, it may be worth it to invest in a form that publishes itself randomly either with or without the captcha so that you can test the response rate from your form with and without the captcha.
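The last two guidelines (counting captcha passes and failures, and showing the form with and without a captcha) can share one small piece of bookkeeping. The sketch below is an added example, not code from this post; the experiment name, event names and sample counts are constructed for illustration.

```python
import hashlib
from collections import Counter


def assign_arm(visitor_id, experiment="contact-form-captcha"):
    """Stable 50/50 split: the same visitor always gets the same variant."""
    digest = hashlib.sha256(f"{experiment}:{visitor_id}".encode()).digest()
    return "captcha" if digest[0] % 2 == 0 else "no_captcha"


class FormStats:
    """Tallies form events per arm of the test."""

    def __init__(self):
        self.counts = Counter()

    def record(self, arm, event):
        # event is one of: "view", "captcha_pass", "captcha_fail", "submitted"
        self.counts[(arm, event)] += 1

    def report(self, arm):
        c = self.counts
        views = c[(arm, "view")]
        attempts = c[(arm, "captcha_pass")] + c[(arm, "captcha_fail")]
        return {
            "views": views,
            "submitted": c[(arm, "submitted")],
            # Share of form views that ended in a delivered submission.
            "conversion": c[(arm, "submitted")] / views if views else 0.0,
            # Share of captcha attempts that were answered incorrectly.
            "captcha_fail_rate": (
                c[(arm, "captcha_fail")] / attempts if attempts else 0.0
            ),
        }


def sample_stats():
    """Constructed events, not real traffic."""
    stats = FormStats()
    events = (
        [("captcha", "view")] * 10 + [("captcha", "captcha_fail")] * 2
        + [("captcha", "captcha_pass")] * 6 + [("captcha", "submitted")] * 6
        + [("no_captcha", "view")] * 10 + [("no_captcha", "submitted")] * 8
    )
    for arm, event in events:
        stats.record(arm, event)
    return stats
```

Hashing the visitor identifier rather than picking at random on each page load keeps a returning visitor in the same arm, so a failed captcha attempt and a later successful one are counted against the same variant.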
If you have any questions or want to tell me your captcha horror or success stories, send me an e-mail. I won’t even make you fill out a captcha.
I can understand your frustration with captchas — they’re always at least mildly irritating, and sometimes require two or three tries to get right. But at the same time the level of spam out there is ridiculous — especially when it comes to things like blogs and contact forms.
The company I work for develops in Drupal, which besides being a great CMS, also has a nifty module called mollom. It’s like a back-up captcha. When a person comments on our blog or fills out our contact form, they are NOT presented with a captcha. But mollom is clever: if it detects a lot of links in an email, or occurrences of certain words typically associated with spammers (medical enhancements, anyone?), it will present just THAT user with a captcha when they submit their comment. Then they’ll have to fill out the captcha and submit the comment again.
mollom is pretty smart, and you can help it “learn” by adding terms to its filter settings, and reporting spam comments that DO make it through. Best of both worlds.
One thing I should have worked into this post was that my thoughts have a different impact on companies at different scales. A company with a handful of unique visits or submissions per day has entirely different needs and concerns than a company with hundreds of visits or submissions.
Mollom sounds great. If it helps with the signal to noise ratio then I’m all for it.
And for the record, I hate cicadas more than I hate captchas.
🙂
Yes, I should use the CAPTCHA. We all know that it comes up when we register on any website. It is necessary for security purposes and for stopping spamming.