The Trouble with CAPTCHA
(Page 1 of 4 )
The technology world is full of terrible acronyms, but if there were a competition to identify the worst, CAPTCHA -- Completely Automated Public Turing test to tell Computers and Humans Apart -- would have to be a major contender. Nonetheless, anyone who has ever registered with a social networking web site or forum knows what a CAPTCHA graphic looks like. They are those strange, squiggly collections of letters that users are asked to type to confirm that they are in fact people rather than machines, based on the supposition that computers are unable to read the oddly shaped and colored characters. Having offered good protection for years, these are now under attack. Keep reading for today's alternatives to CAPTCHA.
CAPTCHA is currently an important element of the registration process for many web sites because they must protect themselves from abuse, whether it be spam sent from webmail services, commercial exploitation, or automated postings to blogs and forums. On the whole, the system has worked reasonably well for a number of years, despite humans themselves often needing several attempts to get them right. This, you might imagine, only confirms the effectiveness of the CAPTCHA: if it's difficult for a human to solve, how much more challenging for a machine?
The reality is somewhat different. Spammers and crackers are resourceful, and the value of accounts on legitimate systems is high to such people. As a result, the security of the CAPTCHA has become deeply compromised, to the extent that, according to an article published recently on Computerworld.com, up to 35% of attacks against the CAPTCHA systems of Microsoft and Yahoo are now successful.
These attacks are carried out in a variety of ways that demonstrate the core vulnerabilities of CAPTCHA systems. The first main problem is that they are vulnerable to increasingly sophisticated Optical Character Recognition (OCR) software. This has led to the distortions in the letterforms becoming so great in order to deceive machines that they frequently deceive humans too. It isn't uncommon to have to attempt half a dozen or more CAPTCHAs to register for a single web site, resulting in frustration levels that cause these sites to miss out on some of the genuine human members on whom they depend.
Typical CAPTCHA graphic, demonstrating typical CAPTCHA problems. Is the first 'P' upper or lowercase? Does it matter? Is 'cume' actually a word?
The second major problem faced by CAPTCHA graphics is that no matter how elaborate they become in order to defeat software cracks, they will always remain vulnerable to circumvention by humans. In some cases this has resulted in the abandonment of attempts at machine-based circumvention in favor of an obvious solution: employing people to solve the CAPTCHAs.
Teams of solvers operate in data processing centers, typically in low-wage economies such as India, where a "salaried" CAPTCHA solver requires approximately six seconds to produce a solution for which he or she is paid around $0.002. Services such as decaptcher.com have used this model to commoditize CAPTCHA solutions: you simply pay them via PayPal and wait for the solutions to roll in.
Next: Alternatives to CAPTCHA >>
More Web Development Articles
More By Bruce Coker
