An Overview and Discussion of CAPTCHA Alternatives


In Bright Hub’s article What is a CAPTCHA? our readers have learned that a CAPTCHA is a small program designed to make sure that a web site’s service is used by humans, not bots. We have been making the case that CAPTCHAs fall short of stopping spammers and mass email account harvesters, for example. CAPTCHA alternatives must therefore be taken into consideration.

Common alternatives to text-based CAPTCHAs are photo or image challenge-response tests (CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart), which likewise aim to keep bots out. Users of a web site, for instance, can be presented with a number of thumbnails and asked to click the image that shows a hot air balloon.

Also, it is becoming increasingly common to present users with simple arithmetic operations to solve, in addition to using sound-based CAPTCHAs. It was only yesterday that the author of this article had to solve a multiple-choice test by watching a 36-second Flash animation to identify the last spoken words in the animation.

This sound CAPTCHA in the form of a commercial spot was annoying, to say the least: I didn’t get the words the first time because the animation ended earlier than expected, and in the absence of a rewind button, I had to watch it all over again. Because human CAPTCHA operators based in cheap-labor countries can solve these CAPTCHA alternatives, they aren’t a viable solution either.

Combining image, text and logic CAPTCHAs, or making them more difficult to solve, is more likely to deter legitimate users trying to send an email or open an account than black hats, who can also adapt relatively quickly to honeypot form fields that are invisible to humans but likely to be filled in by bots.

The CAPTCHA alternative known as identification tries to identify users and computers through a combination of browser properties and IP address, for example, and to block prohibited use. As you can imagine, this is an arms race between bot operators and websites, partly because proxy servers might be used. Besides not being absolutely reliable, this solution can be too expensive in some cases.

Gmail has come up with a really effective means of preventing the creation of bulk accounts: if it notices suspicious activity, it sends an activation code by SMS (short message service) to a cellular phone number associated with the account being opened. This and similar forms of verification seem to be the best alternative to CAPTCHAs.
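The server side of such an activation-code check, as an added example that is not from the original article and not Gmail's implementation: it issues a single-use code, voids it after a time limit or too many wrong guesses, and caps how many accounts one phone number can activate. The class name, the limits and the phone number format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600              # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3            # wrong guesses before the code is voided (assumed value)
MAX_ACCOUNTS_PER_PHONE = 2  # accounts one number may activate (assumed value)


class PhoneVerifier:
    """In-memory store for illustration; a real service would persist this state."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # account_id -> [phone, code_hash, expires, attempts_left]
        self._verified = {}    # phone -> number of accounts already activated

    @staticmethod
    def _digest(code):
        # Only a hash of the code is stored, never the code itself.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, account_id, phone):
        """Return the code to pass to the SMS gateway, or None if the number is used up."""
        if self._verified.get(phone, 0) >= MAX_ACCOUNTS_PER_PHONE:
            return None        # this number cannot be reused for bulk sign-ups
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self._pending[account_id] = [
            phone, self._digest(code), self._now() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, account_id, submitted):
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        phone, code_hash, expires, attempts_left = entry
        if self._now() > expires or attempts_left <= 0:
            del self._pending[account_id]          # expired or guessed too often
            return False
        if not hmac.compare_digest(code_hash, self._digest(submitted)):
            entry[3] -= 1                          # count the wrong guess
            return False
        del self._pending[account_id]              # single use
        self._verified[phone] = self._verified.get(phone, 0) + 1
        return True
```

The attempt limit matters because a six-digit code has only a million possible values; without it a bot could simply guess its way through.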


  • Author’s own experience