screen archives

In order to keep out spammers and blind people, please type the characters you see below.

If you’ve been online longer than a day or two, you’ve undoubtedly been confronted with a CAPTCHA: one of those annoying collections of numbers and letters that you have to type into a form before you can continue. A lot of complaints have been made about their inaccessibility, but what are the alternatives? Even more importantly, when are captchas necessary, and when are they overkill?

Before trying to answer the above questions, I would like to define captcha. In short, the definition of a true captcha is a test which can be designed by a computer, but only answered by a human. In addition, each test should be unique with a high degree of probability. If you think about it, this is actually a very difficult problem, and it’s only going to get more difficult as computer speeds increase and the computer sciences advance. In fact, many captcha schemes currently in use have been broken, although the processing time often makes this impractical for attackers. But again, as time goes on, this will be less of an issue.

When deciding whether a captcha is warranted, at least three factors need to be considered:

  1. Is your site high traffic or a high value target?
  2. If an attacker gained access, could they cause a serious problem for you or your users?
  3. Are there other less intrusive ways to keep out attackers?

If the answer to 1 is no, you should consider the fact that it is probably easier for an attacker to just spam you manually rather than write a script to do so. If 2 is no, then why burden your users needlessly? If 3 is no, then again, think of your users and find an alternative.

If your site is small, you might try a weaker type of captcha which is accessible. For instance, you could create a list of simple questions and answers, and then present your users with a random one from the list. The problem with this is obvious: an attacker can just keep hitting your page until they’re reasonably certain that they’ve seen all of your questions, and then alter their spamming software accordingly. However, if your site is small enough, it probably won’t be worth the effort, and the attacker will either go somewhere else, or just answer the question manually (which is obviously something which no captcha can protect against, no matter how good).
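To put a number on how quickly a fixed question list is exposed, here is an added example (not part of the original post) that sizes the pool, assuming each page load shows one question chosen uniformly at random. The function names are hypothetical.

```python
from math import comb

def expected_loads(pool_size):
    """Average page loads until every question has appeared at least once
    (coupon-collector result: n * (1 + 1/2 + ... + 1/n))."""
    return pool_size * sum(1.0 / i for i in range(1, pool_size + 1))

def prob_all_seen(pool_size, loads):
    """Probability that `loads` page loads have shown the whole pool,
    by inclusion-exclusion over the questions still unseen."""
    n = pool_size
    return sum((-1) ** i * comb(n, i) * (1 - i / n) ** loads
               for i in range(n + 1))

def loads_for_confidence(pool_size, confidence=0.95):
    """Smallest number of page loads after which the whole pool has been
    seen with at least the given probability."""
    loads = pool_size
    while prob_all_seen(pool_size, loads) < confidence:
        loads += 1
    return loads

if __name__ == "__main__":
    # Assumed pool sizes, chosen only to show how slowly the cost grows.
    for n in (5, 20, 50):
        print(n, "questions:",
              round(expected_loads(n), 1), "loads on average,",
              loads_for_confidence(n), "loads for 95% coverage")
```

A list of 20 questions is fully seen after about 72 page loads on average, so the protection comes from the site not being worth the effort rather than from the size of the list.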

But what if your site is a high value target, and you definitely need a captcha? There are still a few alternatives. You can set up a standard captcha for most users, and provide an email address or phone number (hopefully with TTY) that disabled users can use to verify that they are in fact a real person. This has the advantage of being accessible to practically everyone, while being hard for an attacker to automatically thwart. The drawbacks are that it would cost money and time to maintain, and, depending on how you had it set up, might require the user to wait for a call back or returned email. Unless the user can gain access in a timely manner, however, I would not consider that they are being given equal access. In addition (if you provide a phone number), it may not be available to all users, such as those without the ability to make international or long distance calls.

The other option of which I am aware is to set up an audio captcha in addition to a standard visual one. The benefits are that, once it is set up, it would require almost no maintenance, and most disabled users wouldn’t have to wait for a return email. The disadvantages are that it is not accessible to deaf-blind users, and persons who can’t hear the file for whatever reason. It may also not be as secure as a traditional image captcha, although this undoubtedly depends greatly on the implementation.

So how do audio captchas work? Essentially, they work like visual captchas, except that instead of reading a series of numbers (and sometimes letters) you listen to them.

If you do a Google search for audio captcha, you will find a few pre-made solutions. Unfortunately, none that I have found are adequate. They provide a little security, but not much. One problem with all the ones I have seen is that they use synthesized speech to produce the captcha. However, synthesized speech is highly predictable, in addition to being a little hard to understand at times. This means that all an attacker has to do is find out how a computer says each letter, and then match those patterns in the captcha. The other closely related problem is that the program does not introduce any randomness into the captcha, aside from the selection of the characters. This is like having a visual captcha with no variation in how the letters are displayed; it would be very susceptible to analysis by optical character recognition software.

A very few audio captcha generators seek to introduce a little more variability into their captchas by randomizing the voice, pitch, and speed, but I contend that this is still not sufficient to increase the computing cost to the attacker by much. However, it probably does make the captcha more difficult to understand for the user.
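The predictability problem described above can be checked on your own generator. The following added example (not from the original post or any captcha product) renders each character twice and measures how alike the two clips are; the clips here are constructed tones standing in for speech, and every name and parameter is an assumption.

```python
import math
import random

RATE = 8000  # samples per second (assumed for this toy model)

def render_digit(digit, rng=None, noise=0.0, n=800):
    """Constructed stand-in for one spoken digit: a fixed tone per digit.
    With rng given, pitch is jittered by +/-10% and Gaussian noise is mixed in."""
    freq = 300.0 + 40.0 * digit
    if rng is not None:
        freq *= rng.uniform(0.9, 1.1)
    clip = []
    for i in range(n):
        sample = math.sin(2 * math.pi * freq * i / RATE)
        if rng is not None:
            sample += rng.gauss(0.0, noise)
        clip.append(sample)
    return clip

def similarity(a, b):
    """Normalized correlation at zero lag; 1.0 means the same waveform."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))
    return dot / norm

def repeatability(render, digits=range(10)):
    """Render every digit twice and return the highest similarity found.
    A score near 1.0 means a character always sounds the same."""
    return max(similarity(render(d), render(d)) for d in digits)

def fixed_voice(d):
    # Models a synthesized voice with no added randomness.
    return render_digit(d)

_rng = random.Random(2007)  # seeded so the run is reproducible

def noisy_voice(d):
    # Models the same voice with pitch jitter and heavy added noise.
    return render_digit(d, rng=_rng, noise=1.0)

if __name__ == "__main__":
    print("fixed synthesized voice:", round(repeatability(fixed_voice), 3))
    print("jitter plus noise:      ", round(repeatability(noisy_voice), 3))
```

A score near 1.0 is a definite failure, because one stored copy of each character matches every future captcha. A low score only shows that the clips differ sample for sample, not that they resist recognition.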

So what is the solution? I believe the best and most secure option currently available is to create an audio captcha with human-read characters. It must also have a lot of random noise added to it to make pattern recognition more difficult. A good audio captcha generator should do as many of the following as is feasible:

As with visual captchas, care must be taken to ensure that your security measures don’t affect the usability of the captcha. However, the above-mentioned techniques should make it more difficult to automatically recognize your captcha text, though it is certainly not impossible. Nevertheless, Google, Microsoft, and other companies have been using many of the above techniques for several months; you can make your own conclusions.

I believe that captchas are currently one of the biggest barriers to accessibility. Unfortunately, there appear to be no perfect solutions. Even the last option is pretty secure, but it’s still probably not as good as the traditional image captcha. Further thought and research is definitely needed, so if you have any ideas, please don’t keep them to yourself.

For further information and some history, see the Captcha article from Wikipedia.

posted by cannona on Friday, Dec 14, 2007 · 0 comments

Two great finds today! The first is this video from Victor Tsaran at Yahoo. He gives a very in-depth demonstration of how a blind person uses a screen reader, like the kind I wish I could have done during my presentation if I had had more time.

The other find is a study which is nearly five years old, but still gives some great advice which is as relevant as ever. Basically it’s a government-sponsored study which tries to answer the question “what helps and what hinders screen reader users?”

posted by cannona on Friday, Dec 07, 2007

The Accessibility Cookbook: a Recipe for Disaster

To many amateur bakers, making bread is a mysterious and often frightening process. For this reason, it is often avoided. Those who do decide to take the plunge usually are extremely careful not to vary the recipe one bit. In fact, most cookbooks with bread recipes warn strongly against experimentation. Some make the reader feel as though using one more egg than recommended would cause their kitchen to catch fire and their family to die a horribly painful death of bread poisoning. And so, the myth is perpetuated that bread making is a very complex process, the inner-workings of which can only be understood by those bakers with a doctorate in breadology. They forget that our ancestors (a few of whom had to be at least slightly dumber than they are) made bread on a regular basis with no problems.

Fortunately, there are a few enlightened authors who have written books explaining, in essence, how bread works. Many people are surprised to find out that it’s really quite simple. In fact, once they understand the basics, many home bakers find that they no longer need a recipe or even measuring utensils, and they go on to make excellent bread by guess work and intuition alone.

It has been my experience that many people who learn about accessibility are led down a similar path as would-be bread bakers. They are handed a recipe and told, “This is what you are to do, and if you don’t do this exactly, those crazy disability advocates will come after you with their blood-thirsty lawyers.” They are told things like, “mark headings up as such,” and “put skip-to-content links at the top of pages.” What all too often is not mentioned is why. The reader is not told, for example, that most screen readers have a hotkey which, when pressed, will present the user with a list of all of the headings on the page, and that this is often used to “skim”, just as a sighted user might look down the page to see what was typographically emphasized. No mention is made of the fact that persons who must use the keyboard as a result of limited mobility find skip links a huge time saver, because they don’t have to tab through all those links that one usually finds in abundance at the top of most pages.

What is worse, sometimes advice is given that is just plain wrong. For instance, it is a common misconception that every image on a page should include an alt attribute with a verbose description. In actuality, only images with important information should be provided with descriptions, and those should be as brief as possible. For example, if there was an image which said “50% off this week on all orders over $50”, then that should clearly be provided with alternative text. However, if there was a picture of a man using a particular product, I’m really not interested in hearing “picture of a man looking pleased as punch to be using the new ultra-lite USB hair drier,” or worse, “picture of a man.” I really don’t care about what image the designers chose to use as eye-candy. I can’t see them, and descriptions of meaningless images just waste my time and delay my getting to the information I’m really interested in.

So, what’s a baker to do? Unfortunately, the efficient use of a screen reader takes time to learn, so it is not all that practical to simply install a demo version and try out your site. Your best bet is to learn the accessibility recipe, but then go on to learn why each step is necessary and important. However, in the end, one must ask the question, could a person with no sense of taste learn to make good bread? I believe they could. The real question is, could they do it consistently? Also, how will they know when they’ve botched it? The only real way to know would be to ask someone with a sense of taste, or, in other words, ask a disabled user to test it. As the person suffering from ageusia receives additional feedback on his or her bread, their skills will increase, and they will get it right more of the time. So, in short, learn all you can about the why of accessibility, and then go do your best. Most of the time, it will probably be good enough, and almost certainly better than if you just blindly follow a recipe.

A great book which gives a lot of good detail on the why and how of accessibility is Web Accessibility: Web Standards and Regulatory Compliance by Andrew Kirkpatrick, et al.

posted by cannona on Friday, Nov 09, 2007 · 1 comment