Chapter 34. CrAP-TCHA and the Usability/Security Tradeoff

Over the past few years, most online signups have involved CAPTCHAs, perhaps the security technology with the worst acronym: Completely Automated Public Turing test to tell Computers and Humans Apart.

It’s understandable that Google might want to see if it’s a human signing up for that account or some automated program—bad guys would love to have lots of Gmail accounts to be able to send spam through.

Similarly, I can understand why ticket agencies like Ticketmaster might require you to confirm that you’re a human before every purchase. Who wants ticket scalpers writing programs to automate buying tickets (well, besides the ticket brokers)?

But come on, don’t these things make life horrible? I signed up for a Gmail account, which I use to look at my daughter’s blog and post comments. Every single time I want to post a comment, I click Submit, and I get a pop up with a CAPTCHA, like the one shown in Figure 34-1.

Why the heck do I have to click two buttons (one to submit the comment and another to submit the word verification)??!! And it is a pain in the neck to type. I usually just don’t bother commenting on a blog if I have to see one of these (though I do make an exception for my daughter).

A CAPTCHA pop up
Figure 34-1. A CAPTCHA pop up

The idea behind a CAPTCHA in this situation is to prevent bad guys from spamming blog comments. But is that benefit ...

Get The Myths of Security now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.