Web form security can be a tricky thing—spammers don't make our jobs any easier as Web professionals. In fact, we've been exposed to so much spam that the supposed best way to deal with it is by making users suffer through a captcha. The ugly and intrusive captcha has been growing like wildfire, and while it tries to solve a valid business problem, I don't like it one bit.
A captcha—Completely Automated Public Turing test to Tell Computers and Humans Apart— is a test given to people while filling out Web forms to prove they're human. It works like so: you read a box of jibberish and re-type said jibberish into a text field. Makes sense right? Wrong.
Site security is something that should never be seen by users. Users shouldn't see another form field and be forced to read difficult boxes of nonsense. Users need to be set up for the win—they need to cruise through your form and get to the very end with flying colors. Captchas are cop outs. They're a poor solution to a larger problem that puts the problem onto users' shoulders. They make websites and companies look like amateurs who have given into the spammers at their front door. It might solve your spam problem—a mighty and admirable feat—but at what cost?
When it comes to Web forms, as designers and developers, we need to help people through to the very end. We need to encourage accurate responses, limit frustration, and set users up for success at every turn. What is the better business case: improved results and feedback from users, or a more complex form that produces less spam and more frustrated users? Captchas just make for poor business decisions; here's why.
In most sites, there are constant efforts made to convert a visitor to a new user. With every click there is marketing that speaks to the visitor, begging her to sign up because it will do this, that, and everything in between. And then, when that person finally gives in and decides to sign up for your service, you make her do all the work with a form that ends with a captcha. We need less form fields, not more of them. That's not how the Web should work, nor how your business should work. Do you force users to be responsible for knowing where their data is stored, too? Website security is a business problem, not the users' problem.
Users should never have to see, hear, or deal with any of your site's shortcomings, security least of all. Think of it this way: how much else do you want users doing instead of you? It's a bad habit to put things on users' shoulders instead of your own. Take the extra effort and make your site fun and easy to use at every turn. Don't annoy your users by making them do extra work.