CAPTCHA, HOW IMPORTANT IT IS?

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.

The First Mini-Conference in Web Technologies and Trends (WTT)

© 2009 Information Technology Department, CCIS, King Saud University, Riyadh, Saudi Arabia

Amal A. Al-Suwaidan

King Saud University Riyadh, K.S.A

P.O Box 291772, Riyadh 11362amalalsuwaidan@gmail.com

ABSTRACTSince browsing internet became a daily need for all people, which means it should satisfies the security and accessibility issues. CAPTCHA became an important part of internet browsing and it is used to prevent the bots illegal access to the web sites. On the other hand, CAPTCHA is inaccessible, especially for the blind persons, visually impaired or dyslexic. This paper is about CAPTCHA and its history, advantages, applications, disadvantages and future.

KeywordsWeb accessibility, CAPTCHA accessibility, CAPTCHA and special needs people, and CAPTCHA alternatives.

1. INTRODUCTION:In this paper I will talk about CAPTCHA and some its related issues. At first I will talk about CAPTCHA history and related work. Then I will talk about how to create CAPTCHA and how does CAPTCHA work. After that I will show CAPTCHA benefits. Then I will discuss the CAPTCHA accessibility survey. After that I will talk about CAPTCHA accessibility and brief discussing about some CAPTCHA alternatives. Finally, I will talk about CAPTCHA future.

2. CAPTCHA BACKGROUND AND RELATED WORK:Bots are software applications that run automated tasks over the Internet. Typically, bots perform tasks that are both simple and structurally repetitive at a much higher rate than would be possible for a human alone. Some kinds of bots are harmful when attacked a web site. In 1996, Moni Naor discuses several ways to verify that a request comes from a human and not bots. In his paper "Verification of a human in the loop or Identification via the Turing Test". Then in 1997, Primitive CAPTCHAs produced at AltaVista by Andrei Broder and his colleagues to prevent bots from adding URLs to their search engine. CAPTCHA is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart.". Then, in 2000, Luis von Ahn and Manuel Blum coined the term 'CAPTCHA', improved and publicized the notion, which included any program that can distinguish humans from computers. They invented multiple examples of CAPTCHAs, including the first CAPTCHAs to be widely used, which were those adopted by Yahoo! but the trademark application was abandoned on 21 April 2008 [1].

The CAPTCHA can be described as a picture contains distorted letters to ensure that the user is a human not bots. These pictures can not be read by bots because CAPTCHA is resistant to OCR (Optical Character Recognition). e.g. (see figure 1 and figure 2).

Figure 1: Hotmail CAPTCHA Figure2: Yahoo! CAPTCHA

CAPTCHA spreads widely in the web sites. As a result, CAPTCHA must satisfy two main issues the security and the accessibility. CAPTCHA already satisfies the security issues by providing a great protection from bots. On the other hand, CAPTCHA faces a big challenge with accessibility issue. Since, CAPTCHA rely on the picture vision which could be hard to the normal users and impossible to the special needs users.

A lot of internet users trying to avoid CAPTCHA and provide some alternative but until now CAPTCHA still the most popular. Matt May on his paper "Inaccessibility of CAPTCHA" discuses this topic from several ways and produce some alternatives.

3. HOW DOES CAPTCHA WORK?CAPTCHA is fooling the bots by asking questions only human can answer it. CAPTCHA fooling bots by generating pictures contain distorted letters -different pictures with different letters in different shapes are generated- Then CAPTCHA asking the user to enter the letters shown in the picture. Bots can not recognize each letter alone. After the user submits the answer CAPTCHA validate the answer.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.

The First Mini-Conference in Web Technologies and Trends (WTT)

© 2009 Information Technology Department, CCIS, King Saud University, Riyadh, Saudi Arabia

4. HOW TO CREATE CAPTCHA?

CAPTCHA can be written using some programming languages like PHP and ASP. The code should provide three main functions. First, the code should generate a random picture with different properties. Second, validate the user answer. Third, make these pictures secure. Also, there are many things to make the code more reliable like" Rotate the text randomly, add random spaces in between characters, use a TTF fonts and change the font randomly every time, use a random text and image size every time, use more advanced text distortion and colours, move the lines randomly, store the password in a random cookie"[2]. In addition, there are CAPTCHA creator programs which allow users to choose their CAPTCHA shapes.

5. CAPTCHA BENEFITS: [3]

5.1 CAPTCHA security services:CAPTCHA provides several services in security, including:

Preventing Comment Spam in Blogs.

CAPCHA prevents spam replays without asking the user to sign up.

Protecting Website Registration.

Ensure that the users who sign up for free services such e-mail are human not bots.

Protecting Email Addresses from Scrapers.

CAPTCHA hide the e-mail address and asked the users to enter the text in the picture to show the e-mail. This help to prevent scrapers from sending to the e-mails.

Online Polls.

In online poll asking bots can vote thousand of times. CAPTCHA allows humans only to vote.

Preventing Dictionary Attacks.

CAPTCHAs can also be used to prevent dictionary attacks in password. The idea is simple: prevent a computer from being able to iterate through the entire space of passwords systems by requiring it to solve a CAPTCHA after a certain number of unsuccessful logins.

Search Engine Bots.

Since, search engine bots are usually belong to large companies, respect web pages that don't want to allow them in. However, in order to truly guarantee that bots won't enter a web site, CAPTCHAs are needed.

Worms and Spam

CAPTCHA protects e-mail from worm and spam by ensuring that the sender is a human not bot.

5.2 ReCAPTCHA project:ReCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows. Since solving CAPTCHA consume more than 150,000 hours of work each day. ReCAPTCHA is trying to make appositive use of this human effort. ReCAPTCHA does that by channelling the effort spent solving CAPTCHAs online into "reading" books.

Digitizing physical books is by scanning the book pages photographically, and then transformed into text using "Optical Character Recognition" (OCR). Since OCR is not perfect reCAPTCHA improves the process of digitizing books by sending each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA.

But if a computer can't read such a CAPTCHA, system knows the correct answer by "giving the word that can not be read correctly by OCR to a given user in conjunction with another word for which the answer is already known"[3], if the user answered the word already known correctly the system assumes their answer is correct for the new one. Then, the system gives the same world to a number of other users to determine the correct answer.

6. CAPTCHA ACCESSIBILTY SURVEY:In 7 December, 2008 CAPTCHA accessibility survey was created. The survey contains two parts focuses on CAPTCHA accessibility and some of it is alternatives. The survey covered 118 internet users for part 1 and 111 internet users for part 2 the responders was from different abilities, ages, cultures and interested. The

coming sections will discuss the left of CAPTCHA issues and the survey results. In addition, the full survey results are provided in the below graphs.

What is the average time you need to solve the CAPTCHA?

I can not pass it, 1

>30 sec, 8

10sec to 30sec, 57

<10 sec, 52

0 10 20 30 40 50 60

If you have a web site or blog or in case you will have, are you interesting to use the

CAPTCHA?

No, 28Maybe, 65

Yes, 25

0 20 40 60 80

In general, Do you have any reading difficulties (eye blind, dyslexia … etc)?

Yes, 17

No, 101

0 20 40 60 80 100 120

Does CAPTCHA bother you?

Never, 17

Sometime 74

Always, 27

0 10 20 30 40 50 60 70 80

Is solving CPTHCHA hard and complicated?

Never, 49

Sometime, 64

Always, 5

0 20 40 60 80

How much do you know about CAPTCHA

benefits ?

a little, 61a lot, 33

This is the first time I hear

about CAPTCHA 24

0 20 40 60 80

Do you think CAPTCHA is difficult because it

is written in English?

Never, 101

Sometimes, 12Always, 5

0 20 40 60 80 100 120

Who many times you solve CAPTCHA

pictures per week ?

>20 times, 2

10 to 20, 12

<10 times,

104

0 20 40 60 80 100 120

If you have a web site, do you use CAPTCHA alternatives?

I don't have a w eb site.,

105

No, 11

Yes, 2

0 20 40 60 80 100 120

Do you prefer to have some CAPTCHA alternatives ?

Depend on these

alternatives, 85

No, 4

Yes, 29

0 20 40 60 80 100

If have any reading difficulties, Do you think the audio alternative are enough?

I don't have any reading diff iculties,

95

No, 12

Yes, 11

0 20 40 60 80 100

The alternative w ill be a program that does not require any thing from the user?

Bad, 22

Good, 41

Excellent, 48

0 10 20 30 40 50 60

The alternative w ill be a calculation like (1+1=)?

Bad, 28

Good, 32

Excellent, 51

0 10 20 30 40 50 60

The alternative w ill be an arrangement of letters or numbers or spell letters in reverse

order

Bad, 50Good, 40

Excellent, 21

0 10 20 30 40 50 60

The alternative w ill be a puzzle, easy problem or general information question.

Bad, 70

Good, 30

Excellent, 11

0 20 40 60 80

The alternative w ill be sentence completion w ith a multiple choice w ord

Bad, 51

Good, 41

Excellent, 19

0 10 20 30 40 50 60

Figure 3: the result of CAPTCHA accessibility and alternative survey

7. CAPTCHA ACCESSIBILITY:The accessibility is an important issue in the web. CAPTCHA is an important part of the web so, it should satisfy this issue. In the accessibility survey 22.88% of responders said that CAPTCHA is bothering them and 62.71% of them said that CAPTCHA some times is bothering them. Actually, the internet users have different abilities and skills. As a result, some thing that bothers the normal users could be very bothering to the special needs users. In addition, to prevent bots illegal access we need to define something humans have but bots

don't have. CAPTCHA asking the users to distinguish between a set of letters this require human mind and eyes. A lot of internet users are eye blind or visually impaired but still they are human. Also, distinguishing between a set of letters is impossible for the dyslexic users again they are still human. As a result, CAPTCHA requires skill and sense that not all humans have.

In fact, CAPTCHA provides security which is important but users are more important. Special needs users can not add a comment or create an e-mail. Since, the screen reader can not read CAPTCHA which, prevent special needs users from using the web services.

The users are facing CAPTCHA challenge many times and they are spending a lot of time to pass CAPTCHA. In the CAPTCHA accessibility survey 48.31% of responders spend between 30 to 10 seconds in solving CAPTCHA picture and 88.14% of them facing CAPTCHA challenge less than 10 times in a week. Also, 0.85% of responders said they can not pass CAPTCHA. Moreover, solving CAPTCHA is not always easy in the survey 54.24% of responders said solving CAPTCHA is sometimes hard and complicated and 4.24% of them said it is always hard and complicated and 41.53% of them said is it easy.

As a result, CAPTCHA is inaccessible and makes web services inaccessible too.

8. CAPTCHA ALTERNATIVES:CAPTCHA main function is to provide a good protection for the web sites from bots. A lot of CAPTCHA alternatives are provide the same protection with out bothering the users. CAPTCHA alternatives can be separated in two types the first is alternatives that prevent bots access without asking the users to input any thing. The second type is alternatives that prevent bots access by examining humans mind only. In the CPATCHA accessibility survey 24.58% of responders prefer any CAPTCHA alternatives and 72.03% for them said it is depended on these alternatives. Also, 88.98% of the responders don't have websites but 1.96% of the responders who have a web sites said they are using alternatives.

In fact, alternatives are facing some accessibility and security issues. Sometimes, alternatives are not providing full protection also, they are not always accessible.

In the coming part I will show some CAPTCHA alternatives and some of their advantages and disadvantages.

8.1 Alternatives that require a user input:

8.1.1 Audio alternative: A lot of web site using the audio alternative as solution to CAPTCHA inaccessibility. Audio alternative contains a distorted voice that says a set of number or letters and asking the user to enter it. Although, the audio alternative can help the special need users to pass CAPTCHA, a lot of websites don't use it like Yahoo!, MySpace and Friendster.

Audio alternative it is not perfect. The voice some times could be difficult to solve. In the survey 14.41% of responders are having reading difficulties. 10.17% of them responded that the audio alternative is not enough to be considered as CAPTCHA alternative.

Audio alternative can not be used alone with out CAPTCHA picture. Since, CAPTCHA is inaccessible for the blind users; audio alternative will be inaccessible for the deaf users.

To make audio alternative better it should be improved to give a clear voice to the human abilities also, to make it available in all the web sites. Web sites administrators should understand the limited abilities for the special need users and show some respect for them.

At last, Audio alternative is not the best solution but on the other hand it provides an appropriate solution to the special need users.

8.1.2 Simple calculation alternative:This alternative could be very simple for the users. It will provide simple calculation like 1+3= or 6+2= and asks the user to enter the result then, validate the user's result. The calculations provided are changed each time. The most important advantage of this alternative is providing calculation that every user with different abilities can pass it.

Simple calculation alternative is used by many web sites instead of CAPTCHA and it can prevent bots completely, it provides the same protection CAPTCHA does.

In the CAPTCHA alternative survey 45.95% of responders think Simple calculation alternative is an excellent alternative.

8.1.3 Problem solution or general information question alternative:This alternative will provide simple question that all users can answer it. Simply, it is asking the users to enter the answer. These questions can be general information like "in morning, what is the sea colour?" or problem like "my name is Amal and my only brother's name is Badr Abdulrahman what is my full name?", since these questions are written in specific language, not all users can understand it. Also, the questions provided may have several correct solutions or may the users can not answer it especially for the problems. Moreover, the question list should update each period of time to have more secure. On the other hand, these questions can be accessible for all users and can stand only without CAPTCHA.

In the CAPTCHA alternative survey 9.91% of responders think Problem solution or general information question alternative is an excellent alternative.

8.1.4 Complete sentence with a multiple choice word alternative:In this alternative a question with multiple choices is provided then it asks the user to choose the correct or appropriate word. The question could be like this "I am reading a _________" and the choices are "shoes, Book, bread". This alternative could be accessible for all users with different abilities. This alternative faces the same problems that Problem solution or general information question alternative face, because it written in a specific language, but here the choices make answering questions easier. Moreover, this alternative can work without CAPTCHA.

In the CAPTCHA alternative survey 17.12% of responders think complete sentence with a multiple choice word alternative is an excellent alternative.

8.1.5 Letters or numbers arrangement or spell letter in specific order:In this alternative questions like "write the letters in reverse order" or "arrange the letters in alphabetical order". This alternative will give a complete accessibility for the normal users and special needs users, but the letters or numbers provided will belong to a specific language which not all users know it.

In the CAPTCHA alternative survey 18.92% of responders think Letters or numbers arrangement or spell letter in specific order alternative is an excellent alternative.

8.1.6 Manual alternative:Some web sites provide manual alternatives for the users who can not pass CAPTCHA. Manual alternative can be for example "for more support call the number" or "for more support visit us". This alternative solves the CAPTCHA inaccessible problem but it makes special needs users spend more effort to get some services that normal users can get via the web sites. In fact, special needs users need more facilities than normal users to get benefit from the services.

8.2 Alternatives that don't require any input from the user:There are a lot of programs that prevent bots from accessing the websites. Some of these programs offer a great protection from bots. In addition, there is no need to examine humans which offer a perfect accessibility for all the users. I think if these programs improved to give a full protection CAPTCHA will disappear.

In the CAPTCHA alternative survey 43.24% of responders think, if the alternative will be a program doesn't require an input from user this will be an excellent solution.

9. FUTURE OF CAPTCHA:A lot of CAPTCHA alternatives are provided. Therefore, a lot of web sites replace the CAPTCHA with some alternative. Most of CAPTCHA alternatives are accessible and easy to use. In the CAPTCHA accessibility survey 23.73% of responders said they are not using CAPTCHA in their web site. CAPTCHA could disappear in the coming few years because it is inaccessible and facing a hard challenge with accessible alternatives. We hope CAPTCHA creator find some way to make CAPTCHA accessible. In fact, I think CAPTCHA will disappear before they can make it accessible.

10. CONCLUSION:In conclusion, browsing internet is not for the normal users only. The special needs user need the internet like the normal user or may be more. The web sites are provided to help users, give them more information or make their work easier, but CAPTCHA makes reaching the web sites services more complicated. At last, we need some way to tell CAPTCHA that special needs users are human not bots.

11. REFERENCES[1] Wikipedia, the free encyclopaedia Located on the Internet at http://en.wikipedia.org/wiki/Captcha. Last

visited: 9 December, 2008.

[2] Web cheat sheet Located on the Internet at http://www.webcheatsheet.com/PHP/create_captcha_protection.php. Last visited: 10 December, 2008.

[3] The Official CAPTCHA site located on the internet at http://www.captcha.net/. Last visited: 10 December, 2008.