I'm looking for inspiration here. I need to employ some sort of human verification for my website, but the most common method these days (asking users to type the letters & numbers they see in an image into a text input box) seems a little rubbish - I find it hard sometimes to work out what the letters & numbers are.

There must be a better way!

I've had a few ideas, the best one seems to be to show users a series of images (4-6), and ask them to answer a question based on the contents of the images, such as:

(show some geometric shapes) "Which image has 3 sides?"


(show picture of animals) "which animal can fly?"

This has the advantage of being easy to program, and hopefully easy to pass.

Can anyone think of any other approaches to this problem? Or possibly spot flaws in the system outlined above? Is it possible to make such systems both easier for humans to pass, and harder for bots to pass?

Although it's a bit old, I really found KittenAuth to be an amusing (and probably very effective) captcha approach. There only seems to be one demo on their contact page, though.

The problem with pure-image based approaches (as opposed to textual images) is that you are basically preventing blind users from using your site. The KittenAuth author acknowledged this on one of the comments on his site.

As a funny little rider to KittenAuth, this page has "10 of the worst captchas of all time," including one of my favorites:

calculus captcha


Try using a question challenge system where a simple question demands a simple cognitive response. For example ask a user to answer the following example question:

Three cars on the street can see three more cars. How many total cars are there?

Technology is not so advanced that a bandwidth sensitive bot is capable of answering such a question and yet the question is easy to answer. A user must enter three or 3 to verify they are a human and not a machine. You would have to have a large enough bank of questions that a bot would not simply ping your site looking at questions to record so that it may return with answers in hand.

  • 3
    You just failed your own captcha. If each car can see three other cars, there are four cars total.
    – SquareCog
    Commented Sep 19, 2009 at 14:54
  • No, obviously the 3 cars together form a Borg-like collective, and thus "see" as one. You would know that if you were One Of Us. Commented Oct 8, 2009 at 15:58

I particularly like the "which animal can fly" example. Simple & Effective.

But this kind of thing could be abused. It wouldn't be difficult to give it a cultural bias — or a perceived one.

And, as austin cheney showed, it could easily become a sort of intelligence test, and you would have an Accessibility problem.

  • 1
    (I would like to point out that my answer came before SquareCog's comment. I was referring to austin's mention of 'simple cognitive response' as an 'intelligence test,' and nothing else.)
    – pavium
    Commented Sep 19, 2009 at 15:11

Try using an ajax based submission process that's triggered by clicking a normal button (not a submit button), it's really easy with jQuery.

As far as I can tell, spambots don't have javascript.

If you're worried about users without javascript enabled, I think it's perfectly ok to have them unable to submit the form. If they can't trust you to enable javascript on your site, it's not your fault that they can't use the website to its fullest extent.


The problem though, if someone is targeting your site purposely, this kind of technique won't work.


I can't provide a link to a real life example, but I blogged about it with a bit more details, so here's some sample code:

function submit_form()
      "type": "POST", // or GET
      "url": 'action_url', // The url you wish to send the data to, the url you'd put in the "action" attribute on the form tag
      "data": jQuery("form#the-form").serialize(), // The data you'll send. You need to get the form somehow. Easiest way is to give it an id.
      "dataType": "json", // Only put this if the server sends the response in json format
      "success": function(data, textStatus) // server responded with http status 200
            // This is the happy case: server response has arrived
      "error": function(req, textStatus, errorThrown) // maybe HTTP 404 or HTTP 500
            // something went wrong, the response didn't go through or the response didn't come. Handle the situation: let the user know, or something.
      "complete": function(req, textStatus) // This one always gets called anyway
            // cleanup after yourself
        }   // XXX careful: if you put a comma here, IE6 will fail
  • That might be true at this moment, but I don't think it will be long before spambots actually can use Javascript. There are several libraries that makes it very easy for scripts to parse and execute Javascript. Commented Sep 19, 2009 at 15:02
  • Notice how I said to not use a standard submit button, but a normal button with onclick method. If spambots do use javascript, they have to figure out which button to click, assuming it's a button and not an anchor <a> tag with an onclick event.
    – hasen
    Commented Sep 19, 2009 at 16:19
  • Even so, it seems like with this route we're just delaying the inevitable? Commented Sep 19, 2009 at 19:42
  • We always are .. but IMO this is better than annoying the user with a captcha.
    – hasen
    Commented Sep 19, 2009 at 22:57
  • Hasen, Can you provide a link to an example of using a normal button. Thx.
    – Picflight
    Commented Oct 13, 2009 at 20:24

