On 9/20/05, Steven Lumos <steven / lumos.us> wrote:
[...]
> OCR isn't *that* easy. Humans--even young children--far exceed
> machines in discerning even relatively clean machine-print characters.

Yes, I understand that. However, CAPTCHA is also proving to be
relatively ineffective and against accessibility standards. If you have
to follow US Federal 508 guidelines, you shouldn't use CAPTCHA. As noted
on the various discussions that I linked to, the large sites that
spawned CAPTCHA have now abandoned it.

[...]

> The research at Lehigh is interesting.
> http://www.cse.lehigh.edu/~baird/research_hips.html

Interesting, but I believe it will be ultimately fruitless. If I am
visually impaired but do not, for example, have audio attached to my
computer, then an audio CAPTCHA is just as limiting as a visual CAPTCHA.
Even the logic puzzle CAPTCHAs -- the most promising of CAPTCHAs -- are
often culturally or linguistically exclusive.

>> Basically, my advice is to forget CAPTCHA and go with double
>> verification. You can even provide multiple levels of user
>> accessibility, allowing immediate access but nothing that could be
>> construed as spam until they have verified their identity in some way
>> that is accessible.
> I guess you're talking about email, but that is considerably less
> difficult for a machine to pass than CAPTCHA. Verifying that some
> thing that gave you an email address has the ability to view messages
> sent to that address doesn't prove much.

Not necessarily email. Google has solved this for GMail and Google Talk
with SMS, as the number of people who own computers and the number of
people who own cellphones has a high correspondence.

Other systems can solve it with multiple levels of privilege. If you
have a bulletin board, then someone who has signed up but not yet
verified might have command set X (maybe posting new messages to the
support forum once every four hours and replies to any forum once every
fifteen minutes). After they've verified, they might have the base
restrictions lifted and get command set X + Y (posting new messages
to any forum every thirty minutes, replies every five minutes). After
they've participated on the site for ten days continuously or thirty
days sporadically, they get full posting and reply privileges. Or maybe
they don't get PM capabilities until thirty days.

CAPTCHAs don't work nearly as well as people think and they're
inaccessible. There is a reason that Ruwiki will never support them.

-austin
-- 
Austin Ziegler * halostatue / gmail.com
               * Alternate: austin / halostatue.ca
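
The tiered posting limits described in the message above, as an added Ruby example that is not part of the original post or of Ruwiki. The `Account` struct, the tier names and `attempt` are hypothetical; reading "thirty days sporadically" as 30 distinct active days, and requiring verification before the full tier, are assumptions.

```ruby
# Added illustration (not from the original post). Names are hypothetical;
# the intervals are the ones given in the message.
HOUR = 3600

# Minimum seconds between actions of each kind, per trust tier.
LIMITS = {
  unverified: { topic: 4 * HOUR, reply: 15 * 60, topic_forums: [:support] },
  verified:   { topic: 30 * 60,  reply: 5 * 60,  topic_forums: :any },
  full:       { topic: 0,        reply: 0,       topic_forums: :any }
}.freeze

# active_days: distinct days with activity (assumed meaning of "sporadically").
# longest_streak: consecutive active days. last: { action => time of last one }.
Account = Struct.new(:verified, :active_days, :longest_streak, :last) do
  def tier
    return :unverified unless verified
    return :full if longest_streak >= 10 || active_days >= 30
    :verified
  end
end

# Returns [allowed, reason]. The action time is recorded only when allowed,
# so a rejected attempt does not push the next permitted time further out.
def attempt(account, action, forum, now)
  rule = LIMITS.fetch(account.tier)
  if action == :topic && rule[:topic_forums] != :any &&
     !rule[:topic_forums].include?(forum)
    return [false, :forum_not_permitted]
  end
  previous = account.last[action]
  if previous && now - previous < rule.fetch(action)
    return [false, :too_soon]
  end
  account.last[action] = now
  [true, :ok]
end
```

The tier is derived from account state on every call rather than stored, so verification or accumulated participation takes effect on the next attempt.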