blind archives

A study on captchas is being conducted. It only takes a few minutes, and they are looking for anyone to take it (sighted or not). I recognize the styles of many of the audio captchas from various sites including Google, Yahoo and Craigslist.

The results of this study should be quite interesting.

(Update: the link now works. Sorry for the inconvenience.)

posted by cannona on Thursday, Jun 19, 2008

Ars Technica posted an interesting article on the gaming industry and how they have all but forgotten colorblind gamers. Not surprisingly, folks who are colorblind manage to play anyway. In fact, I my self used to play Mike Tyson’s Punch-Out!!. (I could get all the way up to Bald Bull.) Apparently, based on my conversations with other totally blind people, this is not as unusual as you might imagine. There have always been video games which (probably unintentionally) gave the user enough information to literally play blind.

posted by cannona on Thursday, Apr 10, 2008

In order to keep out spammers and blind people, please type the characters you see below.

If you’ve been online longer than a day or two, you’ve undoubtedly been confronted with a CAPTCHA: one of those annoying collections of numbers and letters that you have to type into a form before you can continue. A lot of complaints have been made about their inaccessibility, but what are the alternatives? Even more importantly, when are captchas necessary, and when are they overkill?

Before trying to answer the above questions, I would like to define captcha. In short, the definition of a true captcha is a test which can be designed by a computer, but only answered by a human. In addition, each test should be unique with a high degree of probability. If you think about it, this is actually a very difficult problem, and its only going to get more difficult as computer speeds increase and the computer sciences advance. In fact, many captcha schemes currently in use have been broken, although the processing time often makes this impractical for attackers. But again, as time goes on, this will be less of an issue.

When deciding whether a captcha is warranted, at least three factors need to be considered:

  1. Is your site high traffic or a high value target?
  2. If an attacker gained access, could they cause a serious problem for you or your users?
  3. Are there other less intrusive ways to keep out attackers?

If the answer to 1 is no, you should consider the fact that it is probably easier for an attacker to just spam you manually rather than write a script to do so. If 2 is no, then why burden your users needlessly? If 3 is no, then again, think of your users and find an alternative.

If your site is small, you might try a weaker type of captcha which is accessible. For instance, you could create a list of simple questions and answers, and then present your users with a random one from the list. The problem with this is obvious; an attacker can just keep hitting your page until they’re reasonably certain that they’ve seen all of your questions, and then alter their spamming software accordingly. However, if your site is small enough, it probably won’t be worth the effort, and the attacker will either go some where else, or just answer the question manually (which is obviously something which no captcha can protect against, no matter how good).

But what if your site is a high value target, and you definitely need a captcha? There are still a few alternatives. You can setup a standard captcha for most users, and provide an email address or phone number (hopefully with TTY) that disabled users can use to verify that they are in fact a real person. This has the advantage of being accessible to practically everyone, while being hard for an attacker to automatically thwart. The drawbacks are that it would cost money and time to maintain, and, depending on how you had it setup, might require the user to wait for a call back or returned email. Unless the user can gain access in a timely manner, however, I would not consider that they are being given equal access. In addition, (if you provide a phone number) it may not be available to all users, such as those without the ability to make international or long distance calls.

The other option of which I am aware is to set up an audio captcha in addition to a standard visual one. The benefits are that, once it is setup, it would require almost no maintenance, and most disabled users wouldn’t have to wait for a return email. The disadvantages are that it is not accessible to deaf-blind users, and persons who can’t hear the file for what ever reason. It may also not be as secure as a traditional image captcha, although this undoubtedly depends greatly on the implementation.

So how do audio captchas work? Essentially, they work like visual captchas, except that instead of reading a series of numbers (and sometimes letters) you listen to them.

If you do a Google search for audio captcha, you will find a few pre-made solutions. Unfortunately, none that I have found are adequate. They provide a little security, but not much. One problem with all the ones I have seen is that they use synthesized speech to produce the captcha. However, synthesized speech is highly predictable, in addition to being a little hard to understand at times. This means that all an attacker has to do is find out how a computer says each letter, and then match those patterns in the captcha. The other closely related problem is that the program does not introduce any randomness into the captcha, aside from the selection of the characters. This is like having a visual captcha with no variation in how the letters are displayed; it would be very susceptible to analysis by optical character recognition software.

A very few audio captcha generators seek to introduce a little more variability into their captchas by randomizing the voice, pitch, and speed, but I contend that this is still not sufficient to increase the computing cost to the attacker by much. However, it probably does make the captcha more difficult to understand for the user.

So what is the solution? I believe the best and most secure option currently available is to create an audio captcha with human read characters. It must also have a lot of random noise added to it to make pattern recognition more difficult. A good audio captcha generator should do as many of the following as is feasible:

As with visual captchas, care must be taken to insure that your security measures don’t effect the usability of the captcha. However, the above mentioned techniques should make it more difficult to automatically recognize your captcha text, though it is certainly not impossible. Nevertheless, Google, Microsoft, and other companies have been using many of the above techniques for several months; you can make your own conclusions.

I believe that captchas are currently one of the biggest barriers to accessibility. Unfortunately, there appear to be no perfect solutions. Even the last option is pretty secure, but its still probably not as good as the traditional image captcha. Further thought and research is definitely needed, so if you have any ideas, please don’t keep them to your self.

For further information and some history, see the Captcha article from Wikipedia.

posted by cannona on Friday, Dec 14, 2007 · 0 comments

Two great finds today! The first is this video from Victor Tsaran at Yahoo. He gives a very in depth demonstration of how a blind person uses a screen reader, like the kind I wish I could have done during my presentation if I had had more time.

The other find is a study which is nearly five years old, but still gives some great advice which is as relevant as ever. Basically it’s a government sponsored study which tries to answer the question “what helps and what hinders screen reader users?”

posted by cannona on Friday, Dec 07, 2007

Opening New Browser Windows

A lot has been written on the opening of new browser windows and how you shouldn’t do it because it annoys and confuses just about everyone, especially the blind and visually impaired.  However, I feel that, while it can be over used, it definitely has its place. 

For instance, if I am filling out a long and complex form, and I click a help button for a field, I don’t want to be whisked off to another part of a page, or to another page entirely with out an obvious way to get back.  I don’t want to have to worry about my form session being preserved. 

When a new browser window is opened, I can flip back and forth between the form and the help window as much as needed, and when I’m done, I just close it.  To be honest, I don’t find them to be nearly as annoying as some writers claim, and in fact, they can be quite convenient when used right.  Of course, this is just my opinion, and less experienced users, or users of screen magnification might have a different view.  Still, it may bare looking into.  My personal feeling is that whether or not a user will have difficulty with spawned windows is probably less a question of disability and more a question of experience with the web.

posted by cannona on Wednesday, Nov 28, 2007