We have a customer who is looking to implement CAPTCHA on the authentication page of an external-facing self-service password reset site. This just seems like an unnecessary measure to me. It’s something that will end up frustrating users and leading to helpdesk calls.
We’ve all tried to log in to a website and been frustrated by the dreaded CAPTCHA. We stare at it trying to figure out what exactly it says. According to a study at UC San Diego [pdf link], the median response time to CAPTCHA is 14 seconds, and accuracy is about 90%. That adds up to a lot of wasted time.
Here is the latest one I received from Google:
Can anyone tell what this says?
I’m sure some of you can but I sure couldn’t, and I have 20/20 vision. The biggest problem I have is that it wasn’t even necessary. I was logging into my Google account. It already has authentication. If you’re worried about bots brute forcing authentication, CAPTCHA is not your answer. Better authentication is.
It reminded me of a blog post by Thomas Baekdal I read a while back about the usability and hackability of passwords:
All you need to do is to prevent automatic hacking scripts from working effectively. What you need to do is this:
- Add a time-delay between sign-in attempts. Instead of allowing people to sign-in again and again and again, add a 5 second delay between each attempt. It is short enough to not be noticeable (it takes longer than 5 seconds to realize that you have tried a wrong password, and to type in a new one). And, it forces the hacker to only be able to make sign-in requests 1 every 5 seconds (instead of 100 times per second).
- Add a penalty period if a person has typed a wrong password more than – say – 10 times – of something like 1 hour. Again, this seriously disrupts the hacking script from working effectively.
If you just add in a 5 second delay between attempts with a 5 minute penalty period after 10 failed attempts, then a 6 character password, letters only, case insensitive would take an average of 171 years to crack via brute strength. I have a feeling the password would either be irrelevant or reset by that time.
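The arithmetic behind that 171-year figure, plus a minimal per-account throttle that enforces the delay and penalty, as an added example (not code from the original post or from Baekdal's article; the `LoginThrottle` class and its names are assumptions, and the estimate assumes attempts against a single account are serialized by the throttle):

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(charset_size: int, length: int, delay_s: float,
                      fail_threshold: int, penalty_s: float) -> float:
    """Average years to guess a password by exhaustive search when every
    attempt costs `delay_s` and every `fail_threshold` failures add `penalty_s`.
    On average the attacker finds the password halfway through the keyspace."""
    keyspace = charset_size ** length
    seconds_per_attempt = delay_s + penalty_s / fail_threshold
    return keyspace / 2 * seconds_per_attempt / SECONDS_PER_YEAR


@dataclass
class LoginThrottle:
    """Per-account throttle: 5 s after each failure, a longer penalty after
    every `fail_threshold` consecutive failures, state cleared on success."""
    delay_s: float = 5.0
    fail_threshold: int = 10
    penalty_s: float = 300.0
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    # username -> (consecutive failures, earliest time next attempt is allowed)
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def wait_seconds(self, user: str) -> float:
        """Seconds the caller must still wait before an attempt; 0.0 if allowed."""
        _, not_before = self._state.get(user, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, user: str) -> None:
        failures, _ = self._state.get(user, (0, 0.0))
        failures += 1
        now = self.clock()
        if failures % self.fail_threshold == 0:
            not_before = now + self.penalty_s     # hit the threshold: long lockout
        else:
            not_before = now + self.delay_s       # ordinary inter-attempt delay
        self._state[user] = (failures, not_before)

    def record_success(self, user: str) -> None:
        self._state.pop(user, None)               # successful login resets the counter


if __name__ == "__main__":
    # 6 letters, case-insensitive, 5 s delay, 5 min penalty per 10 failures -> ~171 years
    print(round(brute_force_years(26, 6, 5, 10, 300)))
```

Note that the estimate is per account: a throttle keyed only on username does nothing against an attacker spreading a few guesses across many accounts, so pair it with source-based limits and failed-login alerting.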
I understand that CAPTCHA has its place when you want to make sure a human being is using a page to answer a poll, purchase tickets, register for a site, etc. For those limited circumstances, it’s appropriate.
It is not appropriate when coupled with authentication. Can we finally get rid of it and actually make sites that are easy on end-users?
Hat tip to Kerem Kacel for pointing me to the 14 second stat.