CAPTCHA! Why aren't you in CAPS?


Posted by Amit Kulkarni [Admin] | Posted on 12/03/2009 12:40:00 AM

We always talk about making life simple for end-users, and so we "testers" come up with good suggestions that will really make it simple. Good job, guys! Really?


By the way, what is a CAPTCHA? Completely Automated Public Turing test to tell Computers and Humans Apart. A CAPTCHA is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. A common type of CAPTCHA requires the user to type the letters or digits shown in a distorted image on the screen. Typical places: comment forms on public posts, registration forms, etc.


I have filled in so many registration forms and blog comment forms that ask the user to enter a CAPTCHA. But I always wonder: if the application shows the CAPTCHA in UPPERCASE letters, meaning that every letter in the combination of letters and numbers is uppercase, then why not automatically turn Caps Lock on when the user moves focus to this field? Any security issue? Nah... I don't think so.


I've seen so many sites show the CAPTCHA in UPPERCASE letters, but when the user moves focus to the CAPTCHA field where they have to enter the letters, they first have to turn Caps Lock ON. Isn't that a pain for the user? IMO, yes.


Why isn't it possible that when the user moves the cursor to the CAPTCHA field, Caps Lock is turned ON automatically, or, failing that, the characters the user types are displayed in CAPS as they enter them from the CAPTCHA image? What would that achieve?


  • The user doesn't have to perform one more task: turning Caps Lock ON again!
  • No frown on the user's face when they forget to turn Caps Lock on, enter the characters and hit the "Submit" button.
I believe that for any application (site, blog, etc.), if the CAPTCHA is going to be in UPPERCASE letters, then the application should either display the typed characters in CAPS or turn Caps Lock on for the user automatically!


How would it work? When the user reaches the text box shown in the image below, the application is smart enough to turn on Caps Lock for the user, OR it displays the characters the user is entering in CAPS even though they have not turned Caps Lock on.


Isn't that useful for the user?



As always I wonder - if what I assumed is not a good OPTION. What say?


Best Regards,


Amit


testing is my passion!!!
http://bugteaser.blogspot.com


Comments (9)

CAPTCHAs are one of the poor solutions that we offer to the problems that we face in web application security. As you know, they are meant to distinguish HUMANS from BOTS. There is work already done in academia to break CAPTCHAs (google it). So, if we were to go by your option of enabling CAPS LOCK if all the words in CAPTCHAs are uppercase letters, you are GIVING A CLUE to the attacker/attacking program. Yes, CAPTCHAs are irritating. But it is one of the several DOORS that you have in protecting your web application. Read Bruce Schneier's work on this and you will have a better idea of what I'm talking about.

Hi Amit, nice post. I was sometimes wondering/irritating myself with that.
On one side I like the convenience aspect of the entry. Especially in some CAPTCHAs it doesn't really seem to matter if I put it in lower or upper case... it might be converted internally anyway.

On the other side I don't like the idea very much that an application can play around with my keyboard or any other part of my computer without my approval. :-)

Even if the CAPTCHA would only put Caps Lock on at "focus in field", it also has to take care to turn it off when I "exit the field".

Would be another chance for a bug, if the implementation of that mechanism doesn't work properly. :-))

Cheers,
Maik

@Rajkumar

I appreciate your valuable comments and I appreciate that you gave it serious thought.

There are two points which I'd like to highlight here:
1. Security is not 100%, even if we take all measures.
2. User experience with the application they're using.

If you've read the complete "blog", the last thing which I mentioned is as below:


As always I wonder - if what I assumed is not a good OPTION. What say?

Best Regards,

Amit


@Kazarr

Why do you always think it will crop up yet another bug? First think about whether it's a good option; if we come to any conclusion, then we can think about the implementation and testing part.

Best Regards,

Amit


Hi Amit,
"As always I wonder - if what I assumed is not a good OPTION. What say?" .. I understand that as the question whether the CAPS option is an alternative to the current implementation, aka the user has to put CAPS on himself.

It is an option, yes. Is it "good"?
Good/bad are subjective terms.

From my personal view... I wouldn't do it that way. Why?

The benefit is not worth the risk.
A) You need new code for it; code can have new bugs.
B) In the code you need to find out when the user enters the field and when he leaves the field, to toggle CAPS on and off.
C) You also need to find out if CAPS is already on *before* the user enters the field; then no toggle should happen.
D) What if the user decides to use the "SHIFT" key within the CAPTCHA field?

There are a lot of things to think about and implement.

All for the minor improvement of one less keystroke for the user.

I always try to think of "worst cases" and how the user could (mis)use a functionality.

And I try to consider the "pro" and "contra" of a feature, if I have a say in it; aka in discussion with product management, *before* they implement something new.

Cheers,
Kazarr

As another option I would suggest converting any entered letter internally (aka in processing in code/background) to the preferred form... lowercase or uppercase.

That way the user GUI can stay the same, there will be less hassle for the user and he won't get an error for entering a "wrong" letter (in terms of lower/uppercase).

Might also be better for the security question raised earlier.
But then I am no dev..

Kazarr,

I like your perspective on looking at things. I've already mentioned this is just what I think, but then I'm open to any suggestions.

I've already discussed this: the user will enter the characters, they will be internally converted to UPPERCASE letters, and what the user will see is UPPERCASE letters regardless of what they entered.

"then while the user enters the characters as per the CAPTCHA image, it should display in CAPS"

"As another option I would suggest converting any entered letter internally (aka in processing in code/background) to the preferred form... lowercase or uppercase.

That way the user GUI can stay the same, there will be less hassle for the user and he won't get an error for entering a "wrong" letter (in terms of lower/uppercase).

Might also be better for the security question raised earlier.
But then I am no dev.."


Best Regards,

Amit


@Amit,
I want to say few things,

A CAPTCHA is meant for security, to stop spam registrations or fake registrations from being automated continuously. A CAPTCHA prevents this from happening because a random string is always generated. But if you say Caps Lock should be automatically turned on when the user moves the mouse to the field, then I think you are helping those spam bots to some extent. You are helping spam bot programmers by making their job a little bit easier :)

Let me know your concern(s) if any.

Thanks,
Santhosh Shivanand Tuppad

@Santhosh.
You are correct in your statement.

But.. (it was sure that there would be one "but", eh?)

I think we see two different "Quality" aspects here.
One let's call "Usability".. making it easier for the human user of the CAPTCHA to finish the process and proceed.
The other would be "Security", where the focus would be to make it "as difficult as possible" for a bot to break the CAPTCHA process and get beyond it.

From what I read, the CAPTCHA process can already be broken by bots fairly easily (depending on the implementation). So now the "benefit" of making it harder for bots is decreasing the usability.

I personally left a website I was interested in because the CAPTCHA submit was not working.
I don't know if my answer was wrong or if the CAPTCHA needed to be case sensitive... but as a prospective customer, I was not interested in the technical facts. It was inconvenient and my patience was done after 5 tries..

Therefore, *if* a CAPTCHA is still used (for whatever reason), the focus should shift (in my subjective opinion) to making it easier for the human user.


Just my 2 cents for today,
Cheers,
Maik