CAPTCHA’s: Tough on Sales & Common Way to Test User Tolerance

CAPTCHA's are a visual verification to test if a user is human, but do their spam reduction benefits outweigh their flaws? What's the cost of slowing down spammers?

When someone visits a website, they typically have a goal in mind, and a certain expectation that they plan to achieve. User tolerance isn’t infinite however: aggrevate a viewer too much, and they will give up their goals eventually.

CAPTCHAs can test user tolerance

Strangely enough, we’ve invented a standard that’s been proven to do just that. CAPTCHA (or Completely Automated Public Turing test to Tell Computers and Humans Apart) is a method that we employ on websites to verify that a user is a human instead of, say, spam bots or some other malicious software pretending to be human. CAPTCHA’s are frequently used in user registrations, comment submission forms, and many other interactive online interfaces.

It’s absolutely clear that CAPTCHA’s reduce spam, but at what cost?

CAPTCHA’s Can Harm Business

How often will a user give up in a situation when presented with CAPTCHA? A recent case study from SEOmoz suggests that nearly 3.2% of all conversions were losts over a 3 month period on 50 websites when CAPTCHA is used to verify one is human. Other studies have reported similar potential losses in sales, some as high as 10% in failed conversions.

No one likes SPAM, but is the cost of lost sales worth deferring potential customers?

CAPTCHA’s deter user interaction

Another cost of CAPTCHA is that it may defer users from interacting whatsoever. Just like a reader may turn down reading a lengthy post on a blog based on it’s perceived size, a user may decide not to fill out a form where a CAPTCHA is involved based simply because they see it as taking extra time.

Even the users who decide to use the CAPTCHA won’t stick around long if they fail the test 2 or 3 times. For Users, CAPTCHA does not fit into their set of expected tasks when they’re attempting to accomplish their goals online. It’s just another barrier between them and what they want to happen. In short, a CAPTCHA slows users down, and provides less satisfaction than the alternative.

CAPTCHA’s Aren’t Accessible to People with Certain Disabilities

The average CAPTCHA is a string of warped/distorted text as an image. This distortion makes it very hard for a computer to recognize a string of characters, but a human can usually match the text in the image in a submission form. People who are blind or have poor vision however will have no way of knowing what the text is.

Some sites have begun adding audio alternatives for visual CAPTCHA’s, but there is still distortion which can make identifying yourself as human difficult.

Should You Use CAPTCHA?

It’s obvious that CAPTCHA’s are less than ideal, but they remain to be a necessary evil until a better alternative has been proven. For the time being, this question should probably be answered case-by-case.

Before employing a CAPTCHA, consider alternatives and also consider the potential cost of a human verification test. Will a CAPTCHA harm your business? Will it defer more users from interacting with your site? It may be worth doing an A/B Split Test to find out for sure.

What other ways are there to verify if a user is human? Do you know of any alternatives that have proven effective for yourself?

About the Author

David Leggett

David Leggett is a designer, developer, and builder of things. He currently resides as Director of Marketing and Design at Python Safety.


  • Carol Cox Reply

    I agree that CAPTCHAs can lose prospects and sales and can be very frustrating to the user. However, in my experience, as soon as I remove a CAPTCHA from a form, the spam bots make a run for it and we get tons of junk submissions. I would love to hear of a good alternative!

    • Rohan Reply

      A great way is use a ‘honeypot’ text field. What it is really is Spambots tend to fill every field and post it across. What you need to do is create a hidden text field that the user never sees (hidden through CSS) and in your code behind simply program it to discard any post that has the hidden field filled. Works brilliantly.

  • Larissa Reynolds Reply

    The irony of CAPTCHA is that determining whether or not a submission came from a human or a bot has become a moot point. Spammers regularly hire teams of human workers to solve CAPTCHAs (and to even submit spam on forms without CAPTCHA protection). The current rate is about 80 cents to solve 1,000 CAPTCHAs. Crazy!

    CAPTCHAs don’t have to be a necessary evil though. Proven services like Form Armor (full disclaimer: I’m the CEO) provide protection against Web form spam and abuse behind-the-scenes, where it’s invisible to the user and won’t interfere with conversion rates, usability or accessibility issues. (Plus we don’t just stop spam and junk form entries. We provide real-time protection against SQL injection attacks to help keep your data safe, too.)

    Whatever method you choose, testing CAPTCHA against the alternatives to see what works best for any individual site or Web form is a great recommendation. Thanks for a great post!

  • Ian M Rountree Reply

    CAPTCHAs are a great example of “Good Idea, Bad Execution.”

    More smoke and mirrors behind a site doesn’t always mean better user experience, but in cases like validation, the less often a user has to be interrupted the better. If it can be done behind the scenes, why not do so? What do I care, as a user, that you don’t want spam? I want your stuff!

    I understand security. It’s necessary to protect one’s business, and one’s clients. But unless it’s possible somehow to add CAPTCHA to the list of expected, unobtrusive, useful and reliable tools in the security kit, it might be time to move on to something else.

  • Tim Smith Reply

    I’ve never used CAPTCHA because I hate filling it out. However, I’ve always used Askimet and I’ve never had a problem. I think it’s an excellent filter and you don’t run the risk of readers deciding not to comment.

    Excellent post David!

  • Affordable website designers Reply

    CAPTCHA drives me absolutely mental sometimes. I give the same reaction as I would loosing on one of console games.

    CAPTCHA on ecommerce shops is a straight up no. I have left stores and gone and paid an extra £1 instead of filling out the form. Sometimes you really cant read it!

  • Jacob Rask Reply

    If it’s just for your personal blog, I don’t think captchas are needed, since spammers are unlikely to make scripts to target your blog specifically. Just add a field with a stupid question – it’s kind of security through minority.

    Where I work, however, we have spammers constantly trying to work around our anti-spam measures, so unfortunately we have to use a Captcha. reCaptcha has an audio alternative, but those “audio captchas” are very hard to solve even for someone with decent English skills and no cognitive disabilities.

    I think you need to use several anti-spam measures, not relying on one-method-to-rule-them-all. Just as Larissa wrote above, Captchas can also be solved.

  • Matthew Kammerer Reply

    @Jacob Rask: If it is a personal website using a largely used software such as wordpress then you face the same problems. Good points, though.

  • Shawn McBride Reply

    I hate CAPTCHA and I picked this trick up a while back looking for alternatives to implement on my site.

    Throw an extra field into the form with a common name (like zipcode), then use CSS to hide it. The idea is that spambots will see the field and fill it out, but real people won’t see it and leave it blank. On the server side if I get an entry with date in that field I know it ‘s a bot and just drop out and redirect appropriately.

    I made the switch a few months ago and went from a handful of junk sign-ups each day to none, and no complaints from real people that they couldn’t sign up.

  • Toby stokes Reply

    This is just thought of, but untested as yet.

    How about a question such as “Are you a real person?” with a radio button yes/no answer. Even if the spambot randomly chooses one of the radios, that’s still a 50% reduction in spam.

  • David Reply

    I have found that a very simple random math question ie(2 + 3) also combats spam easily. As long as your captcha is random and not easy to read in code, your ok.

  • Rachel Nabors Reply

    Honey pots work really well at keeping spam bots away. Spam bots like to fill every field in a form with junk. So you add a hidden form field with a label like “don’t fill this in!” for the visually impaired, and if any information is in that field upon submission, the submission fails. I’ve had really good results with it!

    (Also, I think “aggrivate” is meant to be “aggrevate” in your first paragraph.)

  • BebopDesigner Reply

    Brilliant article, real dilemma! I totally agree with your conclusion, whether it’s good or bad, we should judge on a case-by-case basis.

    I do feel comfy with those new “two plus five” type of captchas. They look a lot cleaner they’re not annoying.

    Thanks for posting.

  • Rob in Boulder Reply

    The article touches on something for which most people have an emotionally charged response, but I can’t figure out what kind of site the author has in mind.
    If I run a site that solicits user comments, and I wish to keep spambots out, then I need some means to keep spambots out while minimizing the pain to valid users, but I don’t lose CUSTOMERS if I’m too frustrating, I lose commenters.

    If I run a site where I’m selling things, and accepting payment from CUSTOMERS, then I’m not too worried about spambots filling in order forms. Heck, if the spambot has a valid CC#, I’m happy to sell my things to the bots.

    While I understand the desire to keep a vibrant community of happy commenters, I don’t understand the relevance of the “Other studies have reported similar potential losses in sales, some as high as 10% in failed conversions” section. What sales are we talking about here?

  • arfandia Reply

    thats to bad i’m use captcha plugin at my blog, i should try find another spam plugin for that, i usually had akisment too in my web. but thanks for this artcles, very useful fo me and another newbie blogger

  • Brent Reply

    Shawn and Rachel touched on something I’d heard of. Using CAPTCHA but hiding it. Bots see it and move on. Real folks are never bothered with it.

  • Yanay Zohar Reply

    CAPTCHA is evil. No doubt…
    A while ago I came across one design-oriented solution that actually kept me smiling for the entire day, and just had to write about it :

  • Beetbe Reply

    I agree with you. Captcha is not easy to read

  • Cedric Dugas Reply

    There is an easy way to solve this, by using directly javascript to submit in ajax your form, bots cannot send information this way.

    Well the obvious problem is the accessibility, I wonder if I would loose more people with the javascript solution ot the captcha.

  • Dan Broughton Reply

    Honeypots are the way to go – i have found these hugely successful. Add a hidden input field to the form and the bots will complete it (humans wont) – check to see if there is content, and if so, disable processing of the form.

  • Raina Van Cleave Reply

    Such a catch 22. I agree its an extra annoying step for the user and I also understand the need for it. I think the biggest ux flaw is poor design. Ex: Both the text and audio are unclear to the user. There are also some great solutions mentioned here.

  • Neen Reply

    yes the bane of my life when they are done so poorly that you cannot read the letters. However if done well, as occurs on some sites, I am happy to use them and actually don’t mind this spam stopping device.
    As it is always about, it’s whether you can use it or not that is critical

  • Sarah Reply

    Here’s an alternative CAPTCHA that is easier on humans than those awful distorted letters and warped words. It simply asks them to click on certain images, like dogs, flowers and cars: (full disclosure – I work for this company)

    Traditional text-based CAPTCHAs are a frustrating eye-strain test for users, but a CAPTCHA remains a good layer of security to have on a site (among other security tools that your website should use). Bots can do much more damage than simply spread annoying spam… they post links to malicious websites like phishing sites or sites that lead to drive-by attacks that download Trojan horses and keyloggers onto visitor’s computers.

    As someone pointed out above, the purpose of a CAPTCHA is to differentiate a human from a bot. So, a CAPTCHA can’t prevent teams of people who are hired to solve CAPTCHAs for mere pennies. However, one way to help combat this is through incorporating intelligence into the CAPTCHA so it can identify certain risk factors and increase the level of difficulty or the number of steps that the user has to go through if they are coming from a suspicious IP address, for example, or if they are attempting to solve hundreds of your CAPTCHAs each day. This would help be a type of deterrent against human teams because it would decrease the number of captchas they could solve per hour and therefore cut into their profits. They would need to have a pretty strong desire to target your specific site rather than move onto a different site that doesn’t have a captcha or uses a weak captcha.

  • Ben Reply

    These honeypot solutions sound like they could cause problems to screenreader users. Does anyone have any insight into whether hidden fields are read by screen readers. If they are read by screen readers, blind users might well fill those fields out and wonder why they are excluded.

Leave a Comment on This Article