Death to CAPTCHAs
“Spam is not the user’s problem; it is the problem of the business that is providing the website. It is arrogant and lazy to try and push the problem onto a website’s visitors.”
— Tim Kadlec, Death To CAPTCHAs
You're probably familiar with image based CAPTCHAs. They often appear at the end of forms, and are those annoying little boxes with letters and numbers that are often difficult to make out. You're required to type out what you see in those blurry and often confusing images. Here's an example of one:
You might wonder why a website might use these at all? Well, the whole point behind CAPTCHA is to stop 'bots' (automated computers) from filling out their form with junk information, which leads to the website manager having to deal with loads of spam in their inbox. To it's credit, CAPTCHA does an excellent job weeding out spam form entries. The tradeoff is that it may even stop some real users from getting through your form.
Blocking spam is great for anyone's inbox, but when you start blocking potential customers who want your service, then you have real problem. SEOmoz performed a great case study where they found one website lost 3.2% of it's conversions when enabling image based CAPTCHA on their forms. Now that may not seem like a large number to most people, but if you're business is based on conversion (and most are), then you could be missing out on a slice of your business' income.
Another big downside is increasing the frustration level of a potential clients/conversion. Even if most users do get through, it may take them more than one try which would heighten their frustration level as a first impression. Instead of cultivating their trust, you force them to authenticate themselves to you. This could potentially come across as arrogant and distant. Do you want to risk damaging a relationship before it starts?
If you're not going to use CAPTCHAs on your website forms (and we recommend you don't), then what can someone do to protect their site from the bombardment of spam?
Most modern email hosting and clients have spam filtering enabled by default. Especially if you have web based email by any of the popular email providers (Gmail, Yahoo, etc.). Even if some spam emails do get through the forms on your website, email filtering should catch a good portion of that spam.
Another way to implement an unobtrusive CAPTCHA is to utilize a 'honeypot'. The basic premise is that you add a hidden field to your form, and a spam bot fills up the form with spam content, including the honeypot field. If the honeypot contains anything when the form is submitted, it will prevent the submission of the form, stopping the spam!
Simpler CAPTCHA Questions
Use an easier question. For example: "What is 1+2?" Sure, this isn't near as effective as a complicated image based CAPTCHA. It won't stop the really smart bots, however if it's something everyone knows, then it reduces the risk of blocking real conversions.
In summary, our whole point is to challenge developers to think through the consequences before defaulting to a UX pattern that can cause problems for the user. Sure, there are times when CAPTCHA may be the right approach, however it's important to weigh the options and impacts before implementing such a feature. Here are some good questions to ask:
- Will the client lose potential conversions?
- Does the client have any email spam filtering?
- What's more costly: The client's time spent cleaning out their inbox of spam? Or, the loss of potential clients and leads?
Overall, there's some great arguments on both sides. We feel that imaged based CAPTCHA should really be reserved as a last resort, and for serious cases of spam related issues.