Adventures in Bad CAPTCHA Design

I was just trying to register for a forum today, and came across a CAPTCHA that looked like this (this isn’t the one that I actually failed, but it was generated soon thereafter):


Seems pretty easy, right?

Only one problem: it’s case-sensitive. That is, uppercase and lowercase matter.

“X” and “x” look virtually alike, except for size. “O” and “o” do as well. Same with “S” and “s”. And when the characters are distorted in size to begin with… good luck.

Let’s see… that’s five characters that are ambiguous in this particular CAPTCHA… which makes 2^5 = 32 different possibilities for how this CAPTCHA should be entered.

Oh, no, wait… that third character could also be a zero. That means there are not 32, but 2^4 * 3 = 48 different possibilities.

Did nobody actually test this before rolling it out?
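To make the counting above concrete, here is an added example (my own code, not anything from the forum or the CAPTCHA software in question) that enumerates every string a case-sensitive check might have wanted for what the user actually sees, and contrasts that with a server-side check that folds case and treats 0 and O as the same glyph. The ambiguity classes and the sample string `xSoXs` are constructed for the example; the post does not show the real CAPTCHA text, only that five characters were ambiguous and that the third could also be a zero.

```python
import itertools

# Ambiguity classes, constructed for this example: each key is a glyph as a
# human might read it, each value is every glyph the generator could have
# actually drawn. X/x, S/s and O/o/0 are the pairs the post calls out.
AMBIGUOUS = {
    "x": "xX", "X": "xX",
    "s": "sS", "S": "sS",
    "o": "oO0", "O": "oO0", "0": "oO0",
}


def candidates(observed: str) -> list[str]:
    """Every string the user might reasonably type for the image they see.

    Each position expands to its ambiguity class (or to itself if the glyph
    is unambiguous), and the Cartesian product gives all readings.
    """
    choices = [AMBIGUOUS.get(ch, ch) for ch in observed]
    return ["".join(p) for p in itertools.product(*choices)]


def count_candidates(observed: str) -> int:
    """Size of the candidate set without materialising it: product of class sizes."""
    n = 1
    for ch in observed:
        n *= len(AMBIGUOUS.get(ch, ch))
    return n


def normalize(answer: str) -> str:
    """Server-side canonical form: case-fold and collapse zero into O.

    Applied to both the stored answer and the submission, this removes the
    distinctions a human cannot see; it does not change what a bot must guess,
    because the bot never had that information either.
    """
    return answer.upper().replace("0", "O")


def check_case_sensitive(expected: str, answer: str) -> bool:
    """What the forum in the post apparently does: exact match."""
    return expected == answer


def check_normalized(expected: str, answer: str) -> bool:
    """Comparison after normalisation: any human-plausible reading passes."""
    return normalize(expected) == normalize(answer)


def accepted_readings(expected: str, check) -> int:
    """How many of the human-plausible readings a given check accepts."""
    return sum(check(expected, c) for c in candidates(expected))


if __name__ == "__main__":
    # Constructed sample: five ambiguous glyphs, the third one an o/O/0 lookalike.
    shown = "xSoXs"
    print(count_candidates(shown))                          # 48, matching the post
    print(accepted_readings(shown, check_case_sensitive))   # 1 of 48 readings passes
    print(accepted_readings(shown, check_normalized))       # 48 of 48 readings pass
```

Note that normalising at check time is equivalent, from a guessing bot's point of view, to never having generated the ambiguous distinctions in the first place: the case and 0/O bits were invisible to humans, so they never added real entropy. The better fix is for the generator to avoid lookalike glyphs (or at least to drop case sensitivity) rather than to expect users to brute-force 48 spellings of what they see.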


  1. Ha nice. Are you familiar with recaptcha? It’s a nice little system of using captcha to get human validation of words that can’t be computer read to facilitate the digitization of books.

    Comment by Joga Luce — 26-Feb-2008 @ 1:26 pm

  2. I hate captchas. Hate hate hate.

    What’s wrong with just making sure that software verifies email addresses on a registration? Is it really that insufficient to stop spam?

    Comment by Ciaran — 26-Feb-2008 @ 2:12 pm

  3. Ciaran: I’ve wondered about that as well, to be honest. I really don’t understand when a forum has both CAPTCHA and e-mail verification.

    Comment by codeman38 — 26-Feb-2008 @ 3:34 pm

  4. I guess it’s probably to do with how people think of it. People think of email verification as only making sure that you own the address, not to stop bots. (and technically, it’s true that bots could cope with that; very few do, though, in my experience.)

    Comment by Ciaran — 27-Feb-2008 @ 5:40 pm

