
CAPTCHAs (or Completely Automated Public Turing test to tell Computers and Humans Apart) are the distorted images containing text that you sometimes find at the end of forms when logging in or registering for various services online. These images are generally used to make sure that it is a human submitting the form, not an automated computer script.

There are many different reasons for wanting to stop automated scripts from submitting forms. For example, scripts are regularly used to submit spam comments to blogs or to attempt to guess a user’s password by trying many different combinations very quickly.

Unfortunately CAPTCHAs introduce a big accessibility problem as they rely on visual perception (being able to see and understand the text). Any users with visual difficulties (for example, users with a disability) will potentially have trouble completing the test correctly. Anyone who uses a screen reader to browse websites will not be able to complete the form because it cannot read the image – after all, if it could, it would defeat the whole object of the test. Some CAPTCHA tests also include an audio version alongside the image, but this does not resolve the issues completely.

Because of these accessibility issues, we try to avoid using CAPTCHAs on all CF Labs applications. We try to make use of other methods such as email verification (where we send you a link in an email which you need to click) and only use CAPTCHAs as a last resort.

In the case of our StayPrivate.org service, we’ve built a CAPTCHA into our ‘log in’ and ‘forgotten password’ process – however we hope that the vast majority of users will never see it. While we want to reduce the possibility of an automated script trying to break into a user account, we didn’t want to impose a CAPTCHA every time you try to log in. Instead, we only show it if you enter the wrong email address and password combination three times in 15 minutes. This method means that the vast majority of users never see the image (and so do not face the accessibility issues), while we can reduce the threat of automated scripts.

To assist the minority that do activate this test, we’ve chosen to use the reCAPTCHA service which includes an audio version as well as the standard image.
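The rule described above (a CAPTCHA only after three wrong attempts in 15 minutes) can be sketched as a sliding-window counter. This is an added example, not CF Labs' code; it assumes failures are counted per submitted email address, kept in memory, and cleared by a successful login, and the names `CaptchaGate` and `attempt_login` are hypothetical.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 3           # from the post: three wrong attempts ...
WINDOW_SECONDS = 15 * 60   # ... within 15 minutes

class CaptchaGate:
    """Sliding-window count of failed logins; decides when a CAPTCHA is shown."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable so tests can control time
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    @staticmethod
    def _key(email):
        # Assumption: count per submitted address, case-insensitively, whether or
        # not the account exists, so the form does not reveal valid addresses.
        return email.strip().lower()

    def _recent(self, key):
        q = self._failures.get(key)
        if q is None:
            return 0
        cutoff = self.clock() - WINDOW_SECONDS
        while q and q[0] <= cutoff:           # drop failures older than the window
            q.popleft()
        if not q:
            del self._failures[key]           # keep the table from growing forever
        return len(q)

    def captcha_required(self, email):
        return self._recent(self._key(email)) >= MAX_FAILURES

    def record_failure(self, email):
        self._failures[self._key(email)].append(self.clock())

    def record_success(self, email):
        self._failures.pop(self._key(email), None)

def attempt_login(gate, email, password_ok, captcha_ok=False):
    """Return 'captcha', 'denied' or 'ok'. The two booleans stand in for the
    real password and CAPTCHA verifiers, which are outside this example."""
    if gate.captcha_required(email) and not captcha_ok:
        return "captcha"       # credential result is ignored until the CAPTCHA is solved
    if not password_ok:
        gate.record_failure(email)
        return "denied"
    gate.record_success(email)
    return "ok"
```

Once the gate is triggered, even a correct password is not accepted without a solved CAPTCHA, which is what stops a script from continuing to guess. A multi-server deployment would keep the counters in a shared store with expiry rather than in process memory.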

This is not a perfect solution but hopefully it is a good compromise between security, accessibility and ease of use.