From the article reCAPTCHAs are finally readable by normal humans:

Google today announced that reCAPTCHAs served up to humans are finally readable without the need to squint your eyes or bang your keyboard in frustration after typing the wrong sequence of letters five times in a row. Who can even read those things, amirite?

I'm glad Google is making CAPTCHAs easier for humans to read. For the very, very rare times when they're necessary, that's a good thing.

However, I want to make an appeal to the thousands of developers who are thinking of implementing a CAPTCHA to deal with their site's form/registration spam: use CAPTCHAs only as a last resort.



CAPTCHAs: The nuclear option.

I maintain one of the top five spam prevention modules for Drupal (Honeypot), along with dozens of websites with varying levels of community involvement (registration, forms, comments, etc.), so I've dealt with lots of spam. I also have user accounts on hundreds of different websites, and know that CAPTCHAs are maddeningly difficult for me to use (even when they're simple things like "type the fifth word in this sentence"), sometimes to the point that I abandon the form or the site.

CAPTCHAs punish the user. They are a way of your site telling the user: "I don't trust you, so I'm going to make you do extra work to prove you're not a spammer, then you can accomplish what you were trying to do."

Shouldn't we first try punishing the spammers, then only as a last resort punish normal users?

I've written a few articles on form spam prevention techniques that are effective yet retain usability for 'real' users: Preventing Form Spam, and Introducing the Honeypot form spam prevention module for Drupal. I'll summarize my earlier posts here:

Your first priority should be getting users to enjoy using every aspect of your website—from registration, to comments, to surveys, etc. But to keep your own sanity, and save your own time, you also have to find a balance between preventing spammers from flooding your inbox or moderation queues, and maintaining form usability.

For most websites I've been involved with (even some pretty large ones), CAPTCHAs are major overkill. Honeypot-field and timestamp-checking techniques like the ones the Honeypot module uses catch at least 95% of automated spam posts, usually more. Adding a CAPTCHA can sometimes give a slight edge in spam prevention, but it leads to fewer conversions. I'd rather deal with a few percent more spam messages in my inbox than lose even one paying customer or one piece of valuable feedback for any of my services.

For human-based spam, which usually targets high-traffic sites, CAPTCHAs are still an insufficient defense on their own, since there are services that will solve thousands of CAPTCHAs for pennies on the dollar. Mixing honeypots, timestamps, and CAPTCHAs, with custom rules for when each one is employed, is often the best solution for these larger sites. As an alternative, there are paid services like Mollom and Akismet that also prevent most spam using different techniques that only punish spammers.
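To make the honeypot and timestamp checks from the previous paragraphs concrete, here is an added example of a form handler that layers them the way the text describes: hard bot signals (a filled honeypot field, a forged or missing timestamp, a submission faster than any human could type) are rejected outright, and only soft signals (a stale form, a client that keeps getting rejected) escalate to a CAPTCHA. This is illustration code written for this page, not the Honeypot module's own code, and it does not touch Drupal's form API. The field names, thresholds, the HMAC-signed token format and the sample submissions are all assumptions constructed for the example.

```python
"""Honeypot field + signed render timestamp, with CAPTCHA as the last tier (example code)."""
import hashlib
import hmac
import secrets
import time
from enum import Enum

# Per-process secret for signing the render timestamp. A real deployment loads
# this from configuration so tokens survive restarts and multiple web heads.
SECRET_KEY = secrets.token_bytes(32)

HONEYPOT_FIELD = "homepage"        # assumed name; hidden from humans with CSS, not type="hidden"
MIN_FILL_SECONDS = 5               # assumed threshold: faster than this was not a human
MAX_FORM_AGE_SECONDS = 6 * 3600    # assumed threshold: older than this is probably a stale tab
CHALLENGE_AFTER_REJECTIONS = 3     # assumed rule: repeated rejections earn a CAPTCHA, not a ban


class Decision(Enum):
    ACCEPT = "accept"          # take the submission, no friction for the user
    REJECT = "reject"          # drop it silently-ish; only bots trip these checks
    CHALLENGE = "challenge"    # the nuclear option, used only once the cheap checks are inconclusive


def issue_form_token(now=None):
    """Value for a hidden field rendered with the form: the unix time it was
    rendered, HMAC-signed so a bot cannot backdate it to fake a slow fill."""
    ts = str(int(time.time() if now is None else now))
    sig = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def form_age_seconds(token, now=None):
    """Seconds between render and submission, or None if the token is
    missing, malformed or carries a signature we did not produce."""
    if not isinstance(token, str) or "." not in token:
        return None
    ts, sig = token.split(".", 1)
    if not ts.isdigit():
        return None
    expected = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    now = time.time() if now is None else now
    return int(now) - int(ts)


def check_submission(form, now=None, prior_rejections=0):
    """Return (Decision, reason) for a POSTed form (a dict of field -> value).

    Ordering matters: the checks that only a bot can fail come first and reject,
    so the CAPTCHA is reached only by traffic the cheap checks could not classify.
    """
    if form.get(HONEYPOT_FIELD, "").strip():
        return Decision.REJECT, "honeypot field was filled in"
    age = form_age_seconds(form.get("form_token"), now)
    if age is None:
        return Decision.REJECT, "form token missing or forged"
    if age < MIN_FILL_SECONDS:
        return Decision.REJECT, f"submitted {age}s after render, below the {MIN_FILL_SECONDS}s minimum"
    if age > MAX_FORM_AGE_SECONDS:
        return Decision.CHALLENGE, "form token expired; could be a stale tab, so verify with a CAPTCHA"
    if prior_rejections >= CHALLENGE_AFTER_REJECTIONS:
        return Decision.CHALLENGE, "repeated rejections from this client; verify with a CAPTCHA"
    return Decision.ACCEPT, "passed honeypot and timing checks"


if __name__ == "__main__":
    rendered_at = 1_700_000_000
    token = issue_form_token(rendered_at)
    # Constructed submissions: a human, a bot that fills every field it sees,
    # a bot that posts the instant the page loads, and a bot with a forged token.
    samples = [
        ({"name": "Ada", "form_token": token}, rendered_at + 42, 0),
        ({"name": "Ada", HONEYPOT_FIELD: "http://spam.example", "form_token": token}, rendered_at + 42, 0),
        ({"name": "Ada", "form_token": token}, rendered_at + 1, 0),
        ({"name": "Ada", "form_token": f"{rendered_at - 600}.deadbeef"}, rendered_at + 42, 0),
    ]
    for form, submitted_at, rejections in samples:
        decision, reason = check_submission(form, submitted_at, rejections)
        print(f"{decision.value:9s} {reason}")
```

Two details carry the technique. The honeypot input is hidden with CSS (and labelled "leave this blank" for screen-reader users) rather than `type="hidden"`, because bots that skip hidden inputs would otherwise never touch it. The timestamp is signed rather than sent in the clear so that a bot cannot post an old-looking value; without the HMAC the timing check is trivially bypassed.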

tl;dr - CAPTCHAs are the nuclear option for preventing form spam. They should be the last—not the first, as is often the case—line of defense.

Do you have any other ideas for form spam prevention, or do you think I'm misguided in my dislike of CAPTCHAs? Let me know in the comments or in this Hacker News discussion.