CAPTCHA Codes are not Accessible

June 09, 2005

CAPTCHA tests are showing up like crazy these days to validate that users are humans, and not computers. They are used in blog comments, and are getting popular for online registration sites.

I think that most people implementing captcha's these days are overlooking the fact that they are not accessible, and they would fail Section 508 accessibility compliance for a web application.

Nearly 10% of the population is color blind, and even more can't see very well. Some CAPTCHA codes are hard for me to read and I am not color blind, and have 20/20 vision. Just take a look at the CAPTCHA code on slashdot to see what I mean.

By the way CAPTCHA is an acronym for "completely automated public turing test to tell computers and humans apart."

Like this? Follow me ↯

You might also like:

8 people found this page useful, what do you think?


The color blindness thing regularly gets me. I'd say I have to re-key at least 1 out of every 5 captcha's I try to enter.
You could use a question based captcha such as "Fill in the blank with the missing sequence a _ c d", or provide an answer to a common question "Who's buried in Grants Tomb?____" and so on, but over time AI systems will be able to decipher even these unless you have a very large set of questions. From a section 508 perspective, One method is to provide a phone number to call for an activation code. The alt/title field would contain the challenge code which the user punches into the phone and the person or automated system provides the response to be entered into the text field. If you are using an 800 number, you have the added advantage of being able to guarantee caller id, since the person paying for the phone call (you being the 800 number owner) has a right to know who's calling you.
I just found this site: which offers an audio captcha service.
The reason the why all these CAPTCHA images are obfuscated is to prevent OCR packages from reading them. I wonder if you couldn't just get around this by having Flash dyamic querying the server and display a string to display. This wouldn't address accessibility, but might allow you to display an easier to read string.
Yea, I have come across a fair few CAPTCHAs and I really don't like them. Gmail has some legible ones, but when you view Microsoft's they are horrible. I tend to stay away from them if I can.
what about verify by email? better than phone
Verify by email can usually be done by a computer.
Thought you guys might like this. GigoIt's HumanAuth is based off the ideas presented by HumanAuth supports ADA and Section 508 requirements, increased security and includes watermarked images with random positioning. HumanAuth ensures that an actual human is using your site without forcing them to read distorted CAPTCHA text.
How about using onFocus(), onChange(), or onBlur()? All of them are standard events which are also fired by screen readers, etc. When at least one field has had some text put in it, then either set a hidden field's value to a specific key or dynamically add a hidden field.
I don't think adding audio makes it section 508 compliant, as there are also hearing disabilities. And from what I hear the audio CAPTCHA's are just as hard to decipher by someone with good hearing.
Great Blog. I add this Blog to my bookmarks.
I’ve been visiting your blog for a while now and I always find a gem in your new posts. Thanks for sharing.
I just sent this post to a bunch of my friends as I agree with most of what you’re saying here and the way you’ve presented it is awesome.

Foundeo Inc.