The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Captchas Suck, and so does forgetting settings

I was trying to use some Yahoo thing. They have revamped their captchas so that they are now literally impossible to read, with mixed case, standard and italic, numbers and letters all jumbled together. One captcha had what seemed to be seven letters all printed directly on top of each other to make a sort of ink blot. After trying and failing 30 times, I gave up.

DESIGN RULE ONE: DO NOT USE HUMAN UNREADABLE CAPTCHAS. USER TESTING WILL HELP YOU DETERMINE WHICH ARE NOT HUMAN READABLE

In addition, there is a link "If you can not see this captcha, click here". That link leads to a generic Help page that has no information about captchas at all. WTF?

RULE TWO: YOUR LINK TO A HELP PAGE SHOULD GO TO A HELP PAGE THAT HAS HELP

In addition, each time you fail, it resets all of your settings to the 'defaults' so you can't just type in the captcha, you have to set all your settings for your request again every single time. Oh, your name stays the same, but settings like "I want you to send me unlimited spam" keep resetting themselves to "YES - Send me unlimited Spam".

RULE THREE: IF THERE IS A PROBLEM WITH YOUR REQUEST, REPOPULATE THE GOOD FIELDS WITH THE PREVIOUS SETTING THE USER SET, ISN'T THIS OBVIOUS

In addition to all this, it is doing all this nonsense AFTER I am already signed in to my Yahoo account!!! I have to sign in AND then use captchas.

RULE FOUR: ONCE THE USER IS SIGNED IN, STOP ASKING FOR CAPTCHAS, ASSHOLES

I swear that Yahoo has completely gone to &*() lately, but this captcha madness is screwing up website usability in all sites.

If you are incapable of creating a user readable captcha, do the world a favor and don't use the damn things.
Scott
Saturday, April 26, 2008
 
 
I'm really baffled as to why every single site on the web uses captchas lately.  Particularly sites where people can comment.  It seems like the very simple fix would be simply not to put links around anchor tags, which would make it pointless for spam sites to post there.  It would make it harder for people to follow *real* links, sure, but at least that would only annoy people wanting to follow links, rather than *every single person* who posts.
Kyralessa
Saturday, April 26, 2008
 
 
*which would make it pointless for spam sites to post there*

No, they are happy enough just to draw traffic, without tricking googlebot.
my name is here
Saturday, April 26, 2008
 
 
It's not "captcha madness," it's "spambot madness." Simply snipping off the internet connection to a couple key countries (which I have found we can't mention here) would probably solve 99% of the spambot and thus captcha problems.
John
Saturday, April 26, 2008
 
 
Hi John, after years of looking at activity in logs, I have to disagree with you there. Almost all spam attempts on our forums come from the US and Europe. I am assuming these are all compromised PCs. It's pretty rare to see spam coming in directly from the countries where, presumably, the business network that originates it is located.
Scott
Saturday, April 26, 2008
 
 
Two thoughts:

1) Would there be a way to monetize a good captcha system?
2) Could captchas be used to block email spam?

For #2 it seems to me there are three categories of email addresses:

a) an address for friends (never filters incoming mail)
b) an address for mailing lists (filters incoming mail against a whitelist)
c) an address for public posts (such as on discussion forums) which filters incoming mail against a captcha, refusing to deliver the mail until they pass it.

Has this been tried before?
Gili
Sunday, April 27, 2008
 
 
Captcha controlled email systems I've seen. You send someone an email and you get an auto-email back saying the email is being blocked until you go to some page and solve a captcha. After that, your email address is allowed to go through.

I'm not opposed to all captchas. I've seen a few that work well. If you can get them right 100% of the time, and the sequence is not a long one, they are not much of a burden (assuming you're not blind).
Scott
Sunday, April 27, 2008
 
 
"You send someone an email and you get an auto-email back saying the email is being blocked until you go to some page and solve a captcha."

And (if you're anything like me) you probably respond by making a rude gesture at your monitor and crossing that email address off your list of people to contact...

Like most "solutions" to spam, challenge-response-based whitelisting sucks.  :)  And so do captchas, as can be seen from the recent news that first Hotmail's and then Google's have been cracked, so they are continuing to inconvenience humans without even stopping the spammers!

What does Joel use to prevent spam here?  Whatever it is, it's great.  Zero hassle -- I can post without registering _or_ filling in a CAPTCHA -- and yet I can't think when I last saw a spam post.
Iago
Sunday, April 27, 2008
 
 
All captchas have been broken for a certain percentage of codes. The more complex ones are not 100% broken.

Most spammers cannot break even the broken captchas, so captchas do stop most spam. Bayesian filtering stops most of the rest. Then you have your IP block lists to get a few more.

One thing captchas do is require a bunch of CPU time to solve, and the maintenance of a live session while that happens. That can mean that each spam relay can only send out 1 thousandth as much spam.

The problem I have is what I said, and Yahoo's latest is a great example of a terrible terrible design:

- Captchas that can not be decoded by humans
- Captchas still required after you are logged in to your account
- Captchas controlling forms that reset fields to Yahoo-desired defaults when captcha failure occurs
- Whatever my 4th point was (can't see the post right now)
Scott
Sunday, April 27, 2008
 
 
4th point was that their captcha had a specific link for captcha help that went to a page that had no captcha help, not even if you search for it.
Scott
Sunday, April 27, 2008
 
 
Ian, Joel has his own Bayesian algorithm, plus moderators who can both delete spam that gets through and approve things that are not certain.

If you post with an unknown name, it often gets held up until it is approved. After you have posted with a known name a few times, it seems to auto-approve.

moderation note: I am discussing the design of the system in the context of spam prevention design systems, the topic of this thread. I am aware that discussing the board is prohibited, but please do not delete this post.
Scott
Sunday, April 27, 2008
 
 
"I'm really baffled as to why every single site on the web uses captchas lately."

Because every single website gets spammed!  My forums get spammed, my contact forms get spammed, signup forms get spammed, everything gets spammed.

"It seems like the very simple fix would be simply not to put links around anchor tags, which would make it pointless for spam sites to post there."

On http://www.crazyontap.com we got lots of spam that didn't have *any* links.  What was the point?  Not really sure.  But you're making the assumption that the attacks are targeted -- they are not.  If you have a form, it *will* be submitted by a bot regardless of what happens with that submission.
Almost H. Anonymous
Sunday, April 27, 2008
 
 
Did anyone notice the new RapidShare cats and dogs captchas?
Midhat
Monday, April 28, 2008
 
 
"What does Joel use to prevent spam here?  Whatever it is, it's great.  Zero hassle -- I can post without registering _or_ filling in a CAPTCHA -- and yet I can't think when I last saw a spam post."

I think human beings delete it. Maybe they have some flagging algorithm but I feel the presence of human beings here.

At some forums I've seen blatant spam not deleted after weeks or months. This annoys me a lot and sends the message that no one is taking care of the place.
Daniel_DL
Monday, April 28, 2008
 
 
"a) an address for friends (never filters incoming mail)"

But:

1. Some (alleged) friends will send stupid joke mails including all the addresses and these mails will get forwarded and suddenly your address is out there. I have friends who do not know anything about spam and keep resending stupid messages about a missing boy, a terrorist threat for next week ("just *don't* go shopping!!"), etc.

2. Some spam tries random addresses (especially true with Yahoo! IDs) and it will eventually hit yours.
Daniel_DL
Monday, April 28, 2008
 
 
"I think human beings delete it. Maybe they have some flagging algorithm but I feel the presence of human beings here."

That's me, your moderator. As mentioned in the sidebar.
John Topley
Monday, April 28, 2008
 
 
"I have friends who do not know anything about spam and keep resending stupid messages about a missing boy, a terrorist threat for next week ("just *don't* go shopping!!"), etc."

Don't make friends with idiots, then :P
quant dev
Monday, April 28, 2008
 
 
"Don't make friends with idiots, then :P "

Actually, what I've noticed is that these people are intelligent (and, in some cases, attractive :) in their everyday lives, but idiots in their use of email. So there's a balance going on.
Daniel_DL
Tuesday, April 29, 2008
 
 
Balance, huh?  I wonder what *we* are stupid in.

For me, the answer might be CAPTCHAs.  I have failed to get some that looked obvious.

Yesterday, I repeatedly failed on one site where the CAPTCHA was simply digits at slightly different vertical positions.

The possibility is that my policy of not allowing cookies and JavaScript for most sites did it, but since the site gave no clue as to why the CAPTCHA failed, who knows?

Sincerely,

Gene Wirchenko
Gene Wirchenko
Tuesday, May 06, 2008
 
 

This topic is archived. No further replies will be accepted.
