The trouble with CAPTCHAs is two-fold: First, that even a small success rate (say, 10%) renders them ineffective to someone with enough bandwidth. Second, and perhaps more importantly, it doesn't matter how good recognition algorithms get! The easiest way to get around a CAPTCHA is have a secondary system that farms out CAPTCHAs to low-wage workers (Amazon turk?) or as games or as a mild inconvenience in the way hedonic pleasure-seeking (pr0n). If a porn sit and a hacker combine, the hacker can have the CAPTCHAs solved manually by the porn site's users for free. No need to write a fancy recognition algorithm (although the success rates for most public decoders are already sufficiently high).
In short, CAPTCHAs are bothersome because they only deter, not prevent access, and are thus only slightly more effective than a "No trespassing" sign or robots.txt file.
I feel in that case, a honeypot field is a better technique. It has approximately the same spam-rejection rate and doesn't hinder your real human users.
Bad behavior and Akismet combine to do the same thing (WP).
The trouble is, you've made life more difficult for your users. On blogs, non-image "CAPTCHAs" are trivial. (e.g., "Put 42 in this box -->"), so long as your site is low enough traffic that no one cares to write a bot targeting you.
>Wave distortion is the most effective The swirly, almost-melding-into-each-other effect that Google uses in its captchas is very hard to segment and recognize.
I'd argue that it is nearly as effective at preventing human readers from correctly interpreting the CAPTCHA as well. I am not proud of my success rate on Google's CAPTCHAs. It would seem the better route for CAPTCHA makers would be to figure out what makes recaptcha work so well, without having to resort to such levels of swirly distortion.
I wonder if there's enough demand for someone to start a service that provides those visual-style captchas "Click the two puppies in this 3x3 grid of kitten pictures", but with a large enough sample size / solid enough presentation to make it useful.
Granted, that approach takes up more screen real estate by definition, but is very hard to break, and can be made to look more professional than kitties and puppies.
The article claims that a 1% failure rate is considered too high. Random guessing gets you over 1% success on your example. Making it larger helps, but makes it harder too.
The bigger problem is: where do you get a giant source of kitten and puppy pictures that the spammers don't also have access to? It needs to be large enough that it's not worth it for the spammers to sit down and manually categorize them. It needs to be difficult to replicate because if you're just taking 10K pictures of each from an image search, the spammers can do that too.
Well, a few months ago I had my go at a service that would use data from people working on machine learning systems so I guess that part is not a big deal. The bigger problem is people are accustomed to typical 'write down the word' CAPTCHAs and yet, they're fed up with them, so anything different would only be more annoying and hardly more secure. It's also hard to think of a challenge type that would have enough combinations for blind guessing to be ineffective and not be of the text-based type we all know. You'd need dozens of kitten and puppy pictures in one challenge to have a reasonable failure rate and no one will be interested in solving those.
In addition to being easier for a human to solve than a computer, a CAPTCHA should also be cheaper for the person creating it than the spammer. It is far, far cheaper for the spammer to classify one picture than it is for you to obtain it, validate it, and classify it. Counterintuitively, with every source picture you add to the system you're actually giving the spammer incrementally more advantage over you. (Trying to mangle the picture on the way out just adds a constant, and you'll start having trouble with humans; is a color-rotated-to-puke-green wave-distorted kitten still "cute"?)
We commonly phrase the CAPTCHA requirement as being easier for humans than computers, but if you're really set on designing a system you need to think in terms of costs, not ease, and you really ought to think of them like security algorithms, where we simply stipulate that an attacker is assumed to have everything constant about your system, its algorithm and its data sources, in hand. You need to create a system where you have a huge cost advantage over the spammers even in that case. And not make the mistake of assuming the spammers are dumb or lack resources.
If you are thinking about putting together your own CAPTCHA solving program, as hinted at near the end of the article, keep in mind that it may be illegal to break a CAPTCHA without explicit permission under the DMCA. I'm not a lawyer, though.
The answer is use other techniques to block spam bots. Honeypot fields (user invisible fields, bots assume to fill in all fields in the source regardless of if those fields are rendered for a user) and timing data entry (no human can fill in a form with a few fields in .3 seconds like a bot can) both are not broken (yet) and do not have a measurable negative affect on conversions.
I'm surprised these techniques are still effective, especially the hidden field trick. It's not rocket science to embed a proper Web layout engine into an application these days so the bots should already be doing that rather than working with plain HTML.
Also putting randomly placed, "randomly" named hidden field with "random" data works well. For instance, you could put encrypted salted timestamp in there, and then, when you get the POST back, make sure the timestamp is not older than X minutes.
In fact, all your fields could be named that way, as long as you're willing to decrypt the names on POST.
Ad-hoc techniques work great until your site (or the software you're using) is popular. Most web spam is done on a large-scale basis; as soon as a particular type of CAPTCHA is popular enough, or appears on an important enough site, web spam software will start including heuristics to defeat it.
Most sites aren't. reCAPTCHA has an accessible version, though, featuring a voice recording of a sequence of digits distorted by noise and background voices.
Also the article mentions that reCaptcha is the most secure implementation of captchas so far. This is semi-true. Up until mid-August of this year (if I remember correctly) reCaptcha was quite trivial to break. Then in late-August/early-September someone apparently kicked their ass into high gear and they released several different variants of reCaptcha only weeks apart (unfilled in letters and lines that ran through multiple words). Again these were trivial to crack by simply modifying the old OCR to work remove the new distortions.
Then in late September (I believe, I don't record these dates anywhere) they finally settled on a wave distortion that I have yet to figure out how to break (due to lack of skill, time, and interest). You can check it out here:
But all spammers that need to crack reCaptcha usually do so for account creation. In this case, their margins are high enough for them to simply use deathByCaptcha. So, captchas are defeated, not due to the security of their implementation, but due to economics.
This web site is a total mess when accessed with an iPad. It is not readable. They automatically switch to mobile media. When trying to read page 2 it switch from one media type to the other back and forth. It's very frustrating, because this article seems really interesting.
22 comments
[ 3.1 ms ] story [ 62.3 ms ] threadIn short, CAPTCHAs are bothersome because they only deter, not prevent access, and are thus only slightly more effective than a "No trespassing" sign or robots.txt file.
I have a trivially breakable CAPTCHA on my web blog, but it cut automated contact form/reply spam down from dozens per day to zero.
They definitely have a place, just not for anything super high value.
The trouble is, you've made life more difficult for your users. On blogs, non-image "CAPTCHAs" are trivial. (e.g., "Put 42 in this box -->"), so long as your site is low enough traffic that no one cares to write a bot targeting you.
I'd argue that it is nearly as effective at preventing human readers from correctly interpreting the CAPTCHA as well. I am not proud of my success rate on Google's CAPTCHAs. It would seem the better route for CAPTCHA makers would be to figure out what makes recaptcha work so well, without having to resort to such levels of swirly distortion.
Granted, that approach takes up more screen real estate by definition, but is very hard to break, and can be made to look more professional than kitties and puppies.
The bigger problem is: where do you get a giant source of kitten and puppy pictures that the spammers don't also have access to? It needs to be large enough that it's not worth it for the spammers to sit down and manually categorize them. It needs to be difficult to replicate because if you're just taking 10K pictures of each from an image search, the spammers can do that too.
We commonly phrase the CAPTCHA requirement as being easier for humans than computers, but if you're really set on designing a system you need to think in terms of costs, not ease, and you really ought to think of them like security algorithms, where we simply stipulate that an attacker is assumed to have everything constant about your system, its algorithm and its data sources, in hand. You need to create a system where you have a huge cost advantage over the spammers even in that case. And not make the mistake of assuming the spammers are dumb or lack resources.
More info: http://www.chillingeffects.org/anticircumvention/
In fact, all your fields could be named that way, as long as you're willing to decrypt the names on POST.
Also the article mentions that reCaptcha is the most secure implementation of captchas so far. This is semi-true. Up until mid-August of this year (if I remember correctly) reCaptcha was quite trivial to break. Then in late-August/early-September someone apparently kicked their ass into high gear and they released several different variants of reCaptcha only weeks apart (unfilled in letters and lines that ran through multiple words). Again these were trivial to crack by simply modifying the old OCR to work remove the new distortions.
Then in late September (I believe, I don't record these dates anywhere) they finally settled on a wave distortion that I have yet to figure out how to break (due to lack of skill, time, and interest). You can check it out here:
http://www.google.com/recaptcha/demo/ajax
But all spammers that need to crack reCaptcha usually do so for account creation. In this case, their margins are high enough for them to simply use deathByCaptcha. So, captchas are defeated, not due to the security of their implementation, but due to economics.