I was reading an interesting post over at depressedprogrammer, which I found by way of digg's Technology section, that talked about Captchas. Specifically, the worst Captcha known to man.

I haven't a shred of doubt that you all, by now, are intimately familiar with the foul evil that is the Captcha. This woefully necessary evil's howling cries shake my very soul with the implications they put forth. While their previous necessity and usefulness is not lost on me, their ability to crush even the strongest vestiges of user enjoyment and ease of use must not be overlooked.

In the world of the Internet we're all aware of the increasing need for security in all of its glorious and awe-inspiring forms. The varied denizens of the tubes dance about the great Tree of all that is Encryption, the beginning and the end of all that is good and noble in Internet security. We rejoice as our data is transmitted safely, carefully, indeed almost lovingly from point A to points B, C, Q, R and Zed, safe from the slavering, would-be thieves and henchmen along the way. I have no intention to debate this, nor the audacity to attempt to refute the usefulness of the ever-increasing measures of security used to keep private data ... well ...  private.

My issue with the Captcha, as is alluded to in this article by the demonstration of how truly impractical they have become, is that they do more harm than good. In an attempt to scale with the arms race that is the security war, pitting the good citizens of the web against those vile and nefarious hacker types, they are more of a problem for real users than they are for crackers. People who are trying to discern what in the name of all that is hypertext those images are supposed to represent are left banging their heads against the keyboard and flinging various USB devices across the room in anger, while the script kiddies and hackers cruise through with programs that unravel the Captchas as fast as they are released. Those precious little kittens are transformed into vicious, snarling beasts sent forth from the depths to devour your hope and will to continue.

I understand the need for security, but why does security have to get in the way of productivity, ease of use and usefulness? This has been the case as it is definitely the easiest trade-off to make. Increasing security in all the easy ways solves the problem in the short term, but by choosing only two of the options in the title, you're ensuring that someone, somewhere is getting left out. There are better answers.

Dig deeper. Look for things that are inherent in the connections and transmissions of real users that are hard to spoof. Put together many pieces of data to identify who it is that's accessing your site, good or bad. Take a more proactive approach and profile who is connecting, what they are doing, and how you can identify good vs. bad users. By laying the shroud of responsibility on the user, making them the one solely in charge of identifying themselves in a manual and increasingly difficult fashion, you do nothing but deter real users while the very people you are trying to stop feel nearly no burden whatsoever.

This is part of why you'll often hear me raving about how amazing the inspection engine alone in TMM is. By the time you've allowed someone to even request the download in question from your site you could have filled a virtual filing cabinet with the information collected by your BIG-IP. All that you need to do is extract it, perhaps via iRules. It's this type of information that I feel is the answer to real Web security, not images of kittens behind alpha-numeric characters run through a Photoshop filter. Is BIG-IP the only answer? Of course not, it's just a great option. Do yourself a favor, look at the whole picture, and don't scare off your users with those terrifying kittens.
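To make the "put together many pieces of data" idea concrete, here is an illustrative iRule, added as an example and not taken from the original post or from any F5 product documentation. It scores each request on a few passive signals that real browsers almost always send and that simple scripts often omit, then logs the score for correlation rather than challenging the user; the header choices, weights and threshold are assumptions to be tuned per site.

```tcl
# Illustrative iRule (added example, not from the original post): score a request
# on several passive signals and log the result instead of presenting a Captcha.
when HTTP_REQUEST {
    set score 0
    set reasons ""

    # Real browsers send a User-Agent and Accept-Language; many scripts omit them.
    if { ![HTTP::header exists "User-Agent"] } {
        incr score 3
        append reasons "no-user-agent "
    }
    if { ![HTTP::header exists "Accept-Language"] } {
        incr score 2
        append reasons "no-accept-language "
    }

    # Browsers normally advertise compression support; bare scripts often do not.
    if { ![HTTP::header exists "Accept-Encoding"] } {
        incr score 1
        append reasons "no-accept-encoding "
    }

    # A form POST whose Referer does not name this site's own host is unusual
    # for a human working through the site's own pages.
    if { [HTTP::method] equals "POST" } {
        if { ![string match -nocase "*[HTTP::host]*" [HTTP::header "Referer"]] } {
            incr score 2
            append reasons "foreign-or-missing-referer "
        }
    }

    # Threshold is an assumed placeholder; log for later correlation, do not block.
    if { $score >= 4 } {
        log local0. "bot-score=$score client=[IP::client_addr] uri=[HTTP::uri] reasons=$reasons"
    }
}
```

The logged lines are meant to be fed into whatever profiling you already do, so that a decision about a visitor rests on several weak signals rather than on one puzzle the visitor has to solve.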