So, I’m trying to find some decent Jazz tickets the other day and I run into their captcha test. That’s “completely automated public Turing test to tell computers and humans apart”, of course. Unless you’re the programming-type, this will probably help: ticketmaster captcha

Over the course of my visit to Ticketmaster, I probably fail the test 25% of the time. Me, the programming-type, with 20/20 vision, and an itch to buy some egregiously overpriced tickets. Sites add these tests to their submission forms to keep sneaky people from doing things in an automated fashion, like posting comment spam on blogs on a massive scale. That’s nice and all, but it has gotten out of control on some sites to the point where users are regularly failing these tests multiple times in a row. That’s a serious impediment to users who are trying to give you money. Ticketmaster execs, I’ll bet you a cup of Starbucks per day for the rest of your life: you are losing a measurable amount of revenue at your captcha test screen. In an ideal world, I’d venture to guess that they’ve carefully weighed their options and have chosen a captcha method that is in line with their choice of calculated risk, walking the line between maximum usability and reasonable security. But this isn’t an ideal world, and they’ve likely just got an overly hyper programmer who tends to forget that it’s real, live “human beings” that need to be able to use the site first. The W3C has a nice paper about it too. They are so SMRT.

Since I’m a somewhat idealistic programmer, obviously I have to rant a little about development too. I swear, a lot of these programmers don’t even bother to look at what’s currently available to break captchas before developing their own special super-secret captcha script. That’s fun, no doubt, but in typical CrapProgrammer fashion, it’s also tunnel vision. A quick search found PWNtcha, which has been used to break several common types of captchas. No doubt it will continue to get more advanced.

And there seems to be a trend of captcha tests requiring more characters and being more difficult for humans to decipher:

A terrible blogger captcha:
blogger's captcha

A typical slashdot captcha (this one is actually pretty effective, but man! what an eyesore!):
slashdot's captcha

Boo hiss.

How to develop a captcha that doesn’t suck:

  • Don’t forget that your mom might need to be able to use it
  • Don’t forget that nearly 10% of the population is color blind
  • If someone really wants to automate your site, your captcha won’t stop them
  • It should ALWAYS be human solvable
  • Try object verification (or something) instead (what animal is this?)
  • Variance is key. Vary text size, rotation, font, color, distortion, and effects per character
  • If it’s xx characters long, you will piss us all off
  • No amount of garbage you put in the background matters unless it’s the same color as your text (careful!)
  • Overlapping characters are bad for humans to read and bad for computers to read (there’s a fine line to walk)
  • Provide an audio version as well, as recent versions of the SMF forum software do
  • It doesn’t have to be black on white. As long as there is contrast when desaturated, you’re good. Mix it up, and invert too! Hardly anyone does this.
  • If your captcha script is resource intensive, you’re opening yourself up to a DoS attack
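To make a few of those points concrete, here is an added example (mine, not code from the post or from any captcha library) that plans how each character of a short captcha should be drawn: per-character size, rotation, font and color, a coin flip between light and dark backgrounds, and a desaturated-contrast check so every color still reads as a distinct grey level for color-blind users. The font names and the parameter ranges are assumptions; the contrast math is the standard WCAG relative-luminance formula.

```python
import random
from dataclasses import dataclass

# Hypothetical font names; substitute whatever the rendering layer actually has.
FONTS = ("sans", "serif", "mono")
MAX_CHARS = 5          # longer than this and "you will piss us all off"
MIN_CONTRAST = 4.5     # WCAG AA threshold for normal-size text


def luminance(rgb):
    """Relative luminance of an sRGB color, i.e. the grey level it desaturates to."""
    def lin(c):
        c /= 255.0
        return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4
    r, g, b = (lin(c) for c in rgb)
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def contrast_ratio(fg, bg):
    """WCAG contrast ratio, from 1.0 (none) up to 21.0 (black on white)."""
    hi, lo = sorted((luminance(fg), luminance(bg)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)


@dataclass
class Glyph:
    char: str
    size: int
    rotation: float   # degrees
    font: str
    color: tuple      # (r, g, b)


def plan_captcha(text, seed=None):
    """Return (background, glyphs, noise_color) describing how to render `text`.

    Each glyph gets its own size/rotation/font/color, and a color is rejected
    until it still contrasts with the background once desaturated.
    """
    if not 1 <= len(text) <= MAX_CHARS:
        raise ValueError(f"captcha text must be 1..{MAX_CHARS} characters")
    rng = random.Random(seed)
    # Coin flip between a light and a dark background ("invert too!").
    band = (200, 256) if rng.random() < 0.5 else (0, 56)
    bg = tuple(rng.randrange(*band) for _ in range(3))
    glyphs = []
    for ch in text:
        for _ in range(100):
            color = tuple(rng.randrange(256) for _ in range(3))
            if contrast_ratio(color, bg) >= MIN_CONTRAST:
                break
        else:
            raise RuntimeError("could not find a contrasting color")
        glyphs.append(Glyph(ch, rng.randrange(28, 44), rng.uniform(-30, 30),
                            rng.choice(FONTS), color))
    # Background clutter only hinders a solver if it shares the text colors.
    noise_color = rng.choice(glyphs).color
    return bg, glyphs, noise_color
```

Feed the returned plan to whatever image library you draw with; the point is that the readability constraints are decided before a single pixel is rendered, and rendering stays cheap.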