Friday, September 15, 2017

Website Captcha -- The Humanoid Must Not Escape or Are you an evil robot?

This is a Captcha. Does it Captcha your imagination?
This NOT a real captcha. Please don't click it. Thank you.

Captcha. Not the best defense. Before I launch into my diatribe about website captcha, I need to fill you in on some of the picky details about what they are and why it they are used...then discuss what you can do INSTEAD of captcha.

First. If you are going to have a website, you want to connect with customers via a web form. Users have to be able send you their information in order to make a purchase, right? Or they need to ask questions or whatever. Right? Yes. Absolutely.

In Web Design, the only option to have users communicate with you is to use the HTML input boxes or other user editable elements and some sort of send button. These somehow (there are lots of ways) connect to a web server via a script. This is called a FormToMail script or app, which can collect and prepare the input data from a site, store it for use later and often email that input to you the website owner.

Just to catch you up....

A web server is a program that runs on an internet-connected computer that receives requests for information from clients (web browsers, apps whatever) and outputs the requested information for the client in a format that the web designer intended (we hope). This is really how the web works and hasn't changed much in over 25 years.

This system is a great party and everyone is invited!

But. That's the problem. Insert Dramatic Music here!  Done, done da!

Not everyone who comes to the party wants to play nice.

Evil doers know that all sorts of fun information is now stored on computers that are connected to the internet. Information like social security numbers, credit card numbers, bank accounts, personal addresses and email addresses. This is information that Evil Doers can use to make money by selling it to even more Evil Doers, send spam, steal your money, influence federal elections...all sorts of horrible and terrible things...and many others of which we haven't even thought of yet.

Hackers spent enormous effort figuring out ways into web servers. They can try to crack the password, crack the firewall, exploit code or they can try to get in by hiding malicious code inside a FormToMail script. Many FormToMail scripts are not written very well or are easily fooled into sending out spam and sometimes can even allow a hacker access to the server itself. Sheesh.

Hackers create Evil Web robot programs that are endlessly scouring the internet, looking for poorly written FormToMails to exploit....and this is where Captcha comes in...

Captcha's were created as a means to prevent bots from executing FormToMail scripts. Basically, they are a way to "prove" that the user completing the web form is a human being.

The idea is ok. But for the web user, IT SUCKS because it is an annoying extra step to completing a web form. Like the new chips in your debit card, they slow down the transaction and offer very little extra security. If you've completed a web form before, perhaps you've been asked to click a button that says, "I am not a robot" or you've been asked to input the answer to 2 + 2. Or input some random list of hard to read characters. Annoying.

This about it. As a website owner, you've spent enormous amounts of money to bring users to your site so that they will connect with you to make a purchase, ask a question or get information. Now you're going to ask them what 2 + 2 is? Or to enter some obscure numbers or how many squares contain a bike? Please. Not on my watch.

The idea of Captcha is quite naive in that assumes all human beings that are using a web form have good intentions. This cannot be further from the truth. And while Captcha does prevent Bots, it doesn't prevent them all.

There are some very great methods available to Web Designers and Web Programmers that can accomplish everything that Captcha can do but in the background and away from the user, where it should be. Ask your Web Consultant if there are alternatives to Captcha and what those are. Ask me. I would be very happy to discuss the many creative alternatives to Captcha.

Which classic 80's arcade game uses,
"The Humanoid Must Not Escape"?
Berserk, of course!