With increased computing power, we are really able to do some amazing things. Unfortunately this also means that spammers also have access to this increased speed and ability to crack OCR based puzzles. But on the bright side, this also allows us to digitize books without humans more accurately (which is one of the primary purposes of reCAPTCHA)
They are ridiculous, but they are so because what they are trying to achieve can no longer be easily achieved by solving the "visual acuity" problem.
Think of it as an opportunity to create something better. Personally I think shared secret with physical device has longer legs here but it does have a distribution/cost/re-authentication hump that is large. So far that has prevented its adoption but as you can see captcha systems are becoming non-functional.
I'd be curious to see the ability for a machine to solve picture based captcha systems. For example, given a lineup of 10 pictures of pets, choose the three that are cats. I've seen them before, just not widely implemented.
That's actually pretty interesting. With time the number of computers/processors required to do these tasks will go down, but for now and based on that experiment, it almost seems more efficient to use picture based captchas.
I don't think you 'get it' Andrew :-) The folks who bust captchas, 16,000 machines is chump change, they run botnets of hundreds of thousands of machines, they dynamically buy EC2 instances, they make a lot of money.
That is the primary reason why I believe that people who use the term 'computationally unfeasible' (you see that a lot in crypto papers) never counted on the kinds of growth we've seen in computers coupled with the ease with which these folks can steal computer power from clueless users.
My claim is that you need an independent engine of computation on your side that can prove you are you with a high degree of confidence, and cannot be corrupted economically by a third party. (so local programs on your PC or Smart phone won't cut it)
Cryptosystems that require 2^128 tries to crack aren't going to be much easier even if you have a billion machines; you really need a theoretical breakthrough. :)
I guess the issue is, does Google know when someone recycles a captcha, and if they do, are they doing anything about it? It's useless if the captcha isn't flagged and is just given to another use.
And they are becoming less and less effective. Since they are so ubiquitous, users don't think twice about completing them. Therefore, infected users are going around unwittingly solving captchas served to them by their associated bot nets.
Wow, I've never heard of that happening before. That would definitely be an issue... Unfortunately I'm not sure how we would end up solving that issue-- there's always going to be the users that don't realize they are being exploited, to solve captchas or otherwise.
Anything you write for them is accepted. In fact of these captchas you only need to get one word correct (the non-maths one). IIRC the other is scanned from a book somewhere and the computer used to scan it couldn't figure out what word it was.
Simply put, we need a better way. Some of these are just unintelligible and require multiple attempts. Someone please come up with a model that makes sense!
I had just noticed that captchas were getting worse. I always thought sites should just make the user perform an operation. Display a hard to read but still legible "type the second letter of the third word". 'e' would be the correct response. There's got to be a reason this isn't done already, does someone know why?
I was going to say don't most modern sites limit multiple attempts in succession? Then I realized that spammers have thousands of computers at their disposal so the successive attempts would not come from the same IP. Shoot this is a hard problem...
Parsing and responding to a question like that isn't difficult when the questions are algorithmically generated from a finite number of human-designed types.
Or how about short stories, something like; "Brian came home very late. He couldn't find Mr. Hat. While he was thinking where his cat might be, he noticed the window was wide opened." What's the name of the cat?
I don't know if it's hard or easy to guess it algorithmically.
Seems like it would be fairly easy to parse many of these questions automatically. The only reason they work is probably that they're not widely used enough for spammers to care about.
With ReCAPTCHA, you only have to get one of the two words right. I've never had it be the illegible word (or my terrible guesses match the "correct" answer), as one might expect given the one you need is necessarily the one for which they have the answer.
There was an interesting talk that mentioned CAPTCHA by one of its creators, Luis von Ahn, at the AAAI-12 conference on AI and robotics this past week.
In ReCAPTCHA, the two-word CAPTCHA version, one of the two words is taken from a scanned book. That (unknown) word was one that failed OCR for that book.
The other word is one that captcha already knows the answer to.
The assumption is if you get the known captcha correct, then you probably got the other one correct as well (if it was possible to read it). The answer to the unknown word supplements the OCR of the book.
The captchas are put in random order, and you only have to get one of them right.
Luis's thought was that people are wasting all this time doing captcha - why not use that time to do something useful, like help digitize books.
As an aside, he's also one of the principal people behind duolingo, which is a quite awesome language learning / human-assisted translation engine.
Yeah. The actual problem as I see it is that people have been trained that you have to get captcha's "right", where with these recaptchas all you really need is a reasonable guess because there is no 'right' (and nowhere does it say that).
The assumption behind recaptcha was a novel one, but it seems pretty obvious that the OCR is really just about as good as humans anyway - the 'difficult words' that usually get served are most commonly either non-existant words (printing/writing errors) or scanning/cropping errors.
It's easy to criticize captchas. That's why there are so many articles like this, which we all knowingly nod along to as we read.
It's much harder to provide productive criticism that leads to an actual improvement over the status quo. (Although it is easy to suggest bad alternatives to captchas, which is why they appear in every comment thread about captchas on Hacker News, including this one.)
It's fine to say "X is broken", but I doubt you can find anyone on Hacker News who didn't read an article like this years ago and thus already knows X is broken. This article is beating a dead horse. The fact remains, captchas are the worst technique to prevent bots from filling out a form, except for all the other ones.
Right now I think the best solution is no captcha. HN doesnt use one for the sign up form. Yes, the HN community is flooded, but for the most part I dont think a captcha would change that.
HN is a (largely) community moderated content aggregation site. What if you don't have the benefit of a community to moderate? If you're an email service and want to stop bots from signing up and spamming the world at large, how would you do that?
The best anyone else has come up with is, "You've typed your password wrong one time. Your account is now disabled, please call a customer service representative at 1-900-TIME-WASTE between the hours of 10:30 AM and 3:30 PM Indian Standard Time. Please note that we are closed on Monday, Tuesday, Wednesday, Thursday, and Sunday, and that we have lunch between 11:00 AM and 3:00 PM."
That prevents brute force attacks against one specific account, but not against an attack against all users of a site. If you have the capability to make, say, 10k login attempts per second (no idea if that's realistic), you don't slow down to 1 attempt/second, you just attack 10k different accounts once every second.
IP blocks can be countered in other ways (botnets, tor, etc).
I'm not saying it's a bad idea though, there doesn't seem to be any downside apart from the book-keeping required. You could probably start with a higher delay (5 to 10 seconds seems very reasonable) and increase it to several minutes. But please don't make it 24 hours after 3 failed attempts, which happened to me when I tried to order train tickets online and forced me to make a trip to a physical ticket vending machine.
The site should have the capability to detect login attempt for multiple attempts - Show captcha
Same account login attempt from multiple IPs - show captcha
With the above: a simple time wait for next attempt could solve the issue for most legit attempts right?
I believe a cookie is a datum given by the server to the client so that the client may present it to the server when making requests later. This is entirely voluntary on the part of the client; the client is free to pretend it has never received any cookies, or to present a made-up cookie (though the server would likely recognize that as suspicious). Browsers are likely to mindlessly accept cookies from servers and to obey servers' instructions as to when to present the cookies back to the server; but obviously a bot is likely to be more sophisticated, and to not present any cookies other than ones that say "You have successfully authenticated yourself as user xxx".
Would it work to do that by IP, and allow only X different IPs for an account to try to login on a single day? e.g. if you've tried to login with 10 different IPs on that day, you will no longer be able to login that day. (Of course this would mean saving some extra data.) The biggest problem I see is that this means people can lock you out of your account, which is probably unacceptable.
What my bank does (and PayPal too if I remember correctly) is keep track of my IP, and if it changes then it forces me to enter additional data about my account before letting me continue. (This assumes I got the password correct.) I think one or both also may use some cookie(s) to mitigate changing IPs. They may also make use of leaky browser data (like user agent strings etc.) to help identify me; they have the potential to see a lot since I'm not trying to hide from them.
I don't see anything wrong in principle with "account lock out" provided that it doesn't affect existing sessions and provided that you can just ask the site to send an email with a token to reset your password. Spammers can lock a user out, so what. Minor inconvenience. If it's happening a lot to the same user and it's also affecting the user negatively, something extra could be done to minimize lockouts for the actual user (who should be easy to detect by the server through logs and a premise the user isn't trying to hide).
Spammers are able to flood you with "forgot your password?" emails, too. I don't know how often they do it. I had my first wave in after 7 years of the same email just a few months ago mostly from old sites I forgot I even had accounts on.
I'm not really a fan of the exponential backoff idea proposed earlier above, I'd sooner go with the "X tries, then wait" approach. The lockout time should not be more than 24 hours, ideally less. Though one could also set the lockout period to expire when the user's session automatically expires, if there's a current one, but that may be too clever.
I feel that there are really two pieces of advice to give on dealing with spammers for the general case... Advice for low-traffic sites and advice for high-traffic sites. I don't have any advice with high-traffic sites since I have no experience with spam at that level (and by high-traffic I mean thousands to millions of uniques per hour), though I don't think the status quo is good enough. With low-traffic sites spam behavior is easy to detect and create a custom solution against. Custom solutions are often better than the popular stuff just by virtue of not having anyone targeting them specifically, and even if that's the case it's still easier to cat-and-mouse if the main options against spam aren't acceptable. Something as dead-simple as loading your form with javascript (or dynamically changing the URL endpoint when the submit button is clicked to something different than what's reported by the form's html attribute...) stops a lot of bots regardless of a captcha, even though you sacrifice the Lynx users. And in my own anecdotal experience I've had more success (less spam bots getting through and leaving a message) with a captcha like "Please join these two "words" together (without spaces): taeiswovd and brhpugqc" than with ReCaptcha even though it'd take less than a minute to add a parser for mine in a bot program. I used to use an arithmetic question but even the dumb bots are on to that one these days--at least the ones after my comment boxes. (I don't even think they added, they just tried numbers 0-99 and sometimes got lucky.)
PayPal doesn't ask you for some extra data. It blocks ("limits") your account so you can't actually use it until you provide them with a copy of your utility bill or something. Terrific when you're on vacation and need to make a PayPal payment. That had me so pissed of that I closed my account (which isn't possible whilst it's "limited" unless you manage to get them on the phone -- good luck with that. -- at least you can then tell the person on the phone that you think they're full of )
Yeah, PayPal does a lot of crap... But I was buying some stuff on a different-than-usual computer and place just a few weeks ago, and it made me provide my bank account number as verification before it would let me send the payment. (Had to sign into my bank account to find a scan of an old check to read it off of..) In a similar vein, Amazon requires reentering your credit card every time you send to a new shipping address.
Why do you call that crap? A normal bank would do something similar. Try traveling to another country and using your ATM card, it likely won't work unless you call your bank ahead of time and tell them of your travel plans.
>at least you can then tell the person on the phone that you think they're full of
Why? The poor soul answering support calls likely didn't make this policy and cannot do anything to change it. I guess if you like just unloading anger at some unempowered person who has the responsibility of taking a bunch of crap without reacting in turn then this is a good idea. Otherwise it is more useful to take your business elsewhere, and if you must try finding someone to complain towards that might actually be able to encourage change.
Note that captchas are not (only) to prevent brute forcing passwords, but (also) to prevent bots from signing up for accounts. This would not work against that.
We launched in January and are using games to make them easier for people. Some of our early testing showed captchas can decrease signups by up to 25% and we're able to recover almost all of that.
We also monitor how you play the game (like mouse movement) so we can ramp up our security without having to make the task more difficult for people. Read more here http://areyouahuman.com/how-playthru-stops-the-bots
This is a neat idea, but these game captchas have some high level of similarity with in-banner-games (at least to me). Not sure if theses "catch the monkey" banners are still around but they were extremely annoying. I hope you are doing some testing to make absolutely sure that this great idea is not mistakenly experienced as some form of banner ad.
Thanks. We certainly don't want to become the equivalent of 'catch the monkey' We constantly do UX testing. Early on it was an issue that people thought we were just and ad on the page, but we updated our start screen and design. By default, we also show our games in a modal window after people click submit, so they know they have to do it. With these two things we saw registrations increase by 40% over recaptcha.
We're also getting ready to roll out an update to our API that will allow you to hide/disable the submit button until the game is played. Our testing showed this helped increase submission rates even more.
Finally, we are also trying different styles of games to see what people respond to best.
I'm skeptical of your efforts to distinguish humans from bots by mouse movements and other inputs. Anything you can infer can be modeled. It's unreasonable to expect a smart captcha cracker to resemble a zero reaction time Counter Strike aimbot.
Thanks for asking. First, our main focus is on making something more usable for people. We also think captchas are only part of the solution and should be employed with other things (rate limiting, keyword filtering, etc)
That being said, we don't just ignore security. There are a lot of captcha alternatives out there that survive on just obscurity, if they were widely adopted, they wouldn't take much to get around (like a slide to unlock captcha). We analyze mouse movement and other behavior, to avoid this.
To test our algorithms, we write our own bots to break our game (as well as working with the AI lab at the university of michigan) and use that data in our machine learning algorithms. We're always tweaking the bot to see how we can beat it and then looking for new features from the data that we can use.
The main point being, that as people do write bots, we can learn from that and incorporate it. We can also adjust the threshold. Some of our customers care much more about usability and just want a minimum level of protection, other's want the threshold a little higher and accept the risk that humans might fail more often.
> our main focus is on making something more usable for people
Considering that your games can be played by a random number generator with something like 10% success rate, you can just skip the captcha completely. Much more user friendly.
The other things you look at to increase security, like detecting patterns and behaviors that indicates bots can be done without a captcha.
I'm note sure you can get a 10% success rate, if you have let us know, we'd love to hear about it. Note that our demo page has the threshold set to almost nothing and other security features disabled.
Totally agree that we could detect patterns and behaviors without the captcha. Baby steps, though. We'll get there.
And it still identified my as a bot in one out of three tries. And now I shall put the food in the refrigerator when the only items left are a microphone, a stapler and a bottle of household cleaner.
This is so stupid. Your CAPTCHA is unusable by blind people, and your audio CAPTCHA is inaccessible (you have to see the <canvas> element to know where to click to access to the audio CAPTCHA).
If you want to download or listen the audio CAPTCHA, you have to click on a <canvas/> element, which is totally unusable by a blind people. It's like saying “Look, we've made an elevator, but you have to climb some stairs to take it”.
Actually, we should be worked be ADA compliant and have worked to make this accessible.
Screen readers should pick up the alternate text.
<a href="javascript:AYAH_fallback()" style="position:absolute;left:-10000px;top:auto;width:1px;height:1px;overflow:hidden;">Please complete this audio captcha before submitting the form</a>
Also, I know the audio sucks, but it's the most secure out there, otherwise it would just be a giant hole for bots to get through. It's one of the things we want to make better.
In fact, we've experimented with audio games and had some good results.
Ha. Looks like the domain is available. In reality we were initially targeting users in the US, but have had a lot of interest internationally. Most just use it as is, but we have had others pay for translation or custom games.
We are also planning on a set culturally agnostic (as well as culturally specific) games. If you go to our homepage and refresh through the games you'll see a shape game, that has no language for an example.
Damn, people were kind of hard on you. I think it's very clever. Even though sometimes our inventions don't work as perfectly as we expected them to. Your captcha system is new and fresh and many bots are not prepared for it. I'm sure you'll improve over time, the bots will improve over time, you'll counter, so on and so forth.
I'd rather have my signup system use areyouhuman than re-captcha. What makes me uneasy about using it on a massive site is the whole html5 + flash dependency. And the audio captcha alternative you have is terrible. I have better than average hearing and wasn't able to understand anything on my audio sample. That and the re-captcha system helps digitize books while areyouhuman is just playing games. Even though I hate captcha it makes me feel like I'm helping digitize a book when I use recaptcha, so I feel better about it. On the other hand your games are interesting and dare I say it, a little bit addictive, especially with all those congratulatory stars at the end.
I wonder if a good approach would be to provide an audio-only website if you use the audio-only CAPTCHA? Cracking one word is one thing, but if the website then goes on with "Press 1 for your account balance..."
That one is actually pretty easy to beat - the OCR is easy enough, and you can refresh the page until you get an easy question. Some of them are very simple integer arithmetic exercises.
As for the harder questions, Wolfram Alpha is better able to do them than the average human.
I'm not sure about which OCR you're talking about but I've tried ABBYY and because of the fractions ie top and bottom halves the thing craps out. Granted, if you get a single line problem it could easily be solved. Definitely there's the problem of application as well. Since this is a quantum bit service Site, you can expect people to know a minimum of integration. But I don't expect Facebook login to have anything even close to 8th grade mathematics.
I always seem to strike it lucky with that site. I can remember it coming up twice on HN (once now, once a while ago - http://news.ycombinator.com/item?id=2290466), and both times I got a one-line equation. I didn't save the equation I got this time, but it was maybe five terms long and most of the atoms were zeros.
I'm not sure you'd want to involve NLP. I think it's more down to the fact that it's relatively easy to reverse engineer the function generating the question and get the parameters that way.
Wolfram Alpha won't answer very many questions of that sort[0] but a cracker can spent a couple of hourse to enumerate all kinds of questions and writing tailored functions (and a detection routine) for each. If your detection routine is naive (e.g. choose randomly) and some or all of your answering functions work badly, no problem, you only have to get it right occasionally anyway.
[0] And indeed it fails unsurprisingly if comically for the second question How many times does the word four appear within this sentence?, trimming it to How many times and showing details about the British newspaper.
No, it is easy just to throw in a CAPTCHA instead of trying to solve the problem without abusing your users.
I've always said that captchas were a wrong idea and should not be there at all.
Filters are coming to CSS so I guess it will be possible to show an image with hidden numbers (or words) and let the user pick a color filter that applied to the image will show the numbers and submit the color and the number to the server for verification. Like color blindness tests.
CAPTCHA seems relatively pointless at stopping spammers since there are dozens of online services that use human labour to solve them for a dollar per thousand.
In tests on my own sites I've found that introducing reCAPTCHA during the registration process leads to a significant increase in people abandoning their registration when they fail at recognising the text the first time, without putting a significant dent in spammer registration at all. I've found it far more effective to do things like randomising form field names (instead of using names like 'username' and 'password') so the spammer has to scrape the site to figure out which fields he needs to submit for each and every account he registers, silently dumping registrations that don't use the correct field names, and then applying various heuristics to successful registrations to detect patterns common to spammers.
For instance, one particular spammer always seemed to use the same user agent string and didn't ever trigger any of the AJAX calls on the page. It was trivial to detect registrations coming from that one spammer and silently dump new accounts when he created them.
Randomizing the field names is a great idea but as you said they would just need to scrape the HTML each time they wanted to register. Have you considered sprinkling in random bits of markup to throw off the people using regex and other lazy parsing methods? That might make it a real pain to scrape your forms depending on how the spammer parses your page.
One way to avoid this issue might be to plop a hidden input box on the page if this input has text in it when it's submitted, you silently drop the registration.
I still have 'username', 'email', and 'password' fields in the form but I hide those elements with CSS, which no scraper is going to bother parsing. When the registration form is submitted the account is essentially hellbanned, they can 'activate' the account via the normal email confirmation process but anything they post disappears into the ether.
I'm catching about 100 spam accounts a day with this technique[1] and the ones that I miss are fairly easy to detect through analysis once they start using their account.
What happens if someone uses something like LastPass, RoboForm, or any of the other automatic form fillers to legitimately sign up for your website? I would imagine that these would "guess" that username means username and email means email, which may lead to false positives for real users.
Isn't that a result of the massive deployment of reCaptcha? It appears that all the easy words have already been solved with enough confidence, so there's only garbled scans left. Add more books?
That said, there are plenty of alternative solutions with good success rates (and far lower abandonment rates), like requiring the answer to a simple question (not math), photo captchas, randomizing inputs, using javascript techniques and honeypot forms. Captchas are so popular because they are easy to implement.
That's what I was thinking. Originally reCAPTCHA had the control word be a scan as well, which meant that an attacker had to beat their OCR. Now that the control word is computer generated, the system has devolved into a regular CAPTCHA that further asks humans for recognition task work.
This version no longer advances OCR algorithms, but does provide cheap exception handling. I don't know when or why the change was made, but obsolescence is at the top of my mind. Either they've ran out of unrecognized words, or adversaries have beaten their OCR. Either way, it seems we're back to 2005.
edit: That said, Luis von Ahn mentioned that Google is experimenting with other image processing tasks, so there's hope yet.
I feel like the author of this article is still slightly misunderstanding the reCaptcha. Not to criticize him, but it's almost immediately clear which word you are actually being tested on, because it's has the same general 'look' to it each time.
Take the first one: 'Secretary' is clearly out of some book. The other thing is the real test. Now, reCaptcha never gives you real words as a test, so he shouldn't be surprised that it isn't a real word.
The third captcha complained about is actually incredibly easy. The first thing is clearly the word form a book, so you can just type a short bit of nonsense there. The second thing is 'ndaaar'. It's pretty legible and easy to enter. Other 'impossible' ones are pretty easy also.
Again, not trying to pick on the author, but hopefully someone will have an easier time after reading this comment. And while Captchas are annoying, I don't really feel they are impossible.
Edit: To the commenter below - I have no idea what green names mean here, so I don't know how that influences people. What do they represent?
The author's blog post is retarded; "herp derp I don't know how recaptcha works and it's too hard for me." He has a pretty blog and a green name on HN, so everyone upvotes it. Pretty sad IMO.
I feel like you didn't read the article, because the author already addresses what you said and had you read the article you'd realize you made incorrect assumptions that, again, he already addressed.
I disagree: "The capatchas were not only difficult for a computer to read, but impossible for a human." He goes on to quote that computers can guess capatchas at 10%. My point is that if you understand capatchas, you can get them right almost all of the time. (Not talking about the audio ones here, since the visual ones seemed to be the focus of the article.)
I understand captchas and so does the original article writer (if you read the article he clearly explains how reCAPTCHA works). While I would have agreed with you a couple of years ago, the author's point that reCAPTCHA has reached a point where it isn't working nearly as well is spot on. I myself fail on them about 75% of the time now -- quickly approaching the failure rate of computers.
For reCAPTCHA it used to be close to 100% success for me, but something has certainly changed with them, I don't know if it was intentional or is the result of a dwindling data set and as an end user, it doesn't matter, what matters is that they are really difficult to solve now.
reCaptchas are very good for small sites which can be easily affected by spamming. Even if hackable, the hacker will need strong reward for hacking such site with captcha. For bigger sites, there are better methods to prevent hacking. and with reCaptcha you are allow to be almost right.
I see two possible long-term solutions to the captcha problem
1) Ask user to do a relatively expensive computation. This can be done in the background while the user is typing his post.
2) Request a small amount of money (10c) per comment. Good websites will return the money to non-spam commenters, will keep spammer's money. This however requires working microtransactions.
1) Asking a computer to do a computation is not such a great idea. Low powered devices (think iPads) running javascript would be at a great disadvantage to highly efficient botnet clusters that spammers own.
2) Requesting a small amount of money may work. Alternatively requesting a user to do some useful task (like Amazon Turk HIT) to get some funds.
Some computations just cannot be parallelized. (Yet. I'd be ironic if spammers advanced the field of parallel computing) The speed difference for single processors remain, but that's a single order of magnitude, except in extreme cases.
The known word is the one that is bent. This is the only word you have to type. You can enter "dogman" or "foo" for the cut-off (scanned) word and it will let you through.
I can't seem to understand the "Onightsl secretary" CAPTCHA. We all know that the first word is extremely hard to identify, and according to the author "secretary" wasn't the control word.
This means that reCAPTCHA knows the first word. Identified by OCR? Not possible unless reCAPTCHA deliberately distorted the image. Identified by N other people? Not possible to determine such a word with confidence either.
Also it seems that there is exactly one distorted word and exactly one "proper" word. I would assume the distorted word is the control word. I should try a few reCAPTCHAs to see if this is a correct assumption.
EDIT: Confirmed. The "proper" word is taken directly from book scans and I can type anything to pass the CAPTCHA. It seems that the control word is very Google-style.
> unless reCAPTCHA deliberately distorted the image.
Isn't it obvious that this is the case? There is one word in every image that is distorted in the same way and another image that might appear in some other way that Google wants to know what the word is.
The paranoid, tin foil hat wearing part of me has always put post Google acquisition Recaptcha in the must-be-part-of-the-long-arm-of-Google-tracking category of services encouraging me to do my very best to avoid allowing it to run in my normal browser session.
I do agree they are becoming ridiculous.. I often have a hard time figuring them out. The real question is what the next step will be. Where do we go from here? What experiments are out there for new captchas?
237 comments
[ 2.9 ms ] story [ 276 ms ] threadThink of it as an opportunity to create something better. Personally I think shared secret with physical device has longer legs here but it does have a distribution/cost/re-authentication hump that is large. So far that has prevented its adoption but as you can see captcha systems are becoming non-functional.
That is the primary reason why I believe that people who use the term 'computationally unfeasible' (you see that a lot in crypto papers) never counted on the kinds of growth we've seen in computers coupled with the ease with which these folks can steal computer power from clueless users.
My claim is that you need an independent engine of computation on your side that can prove you are you with a high degree of confidence, and cannot be corrupted economically by a third party. (so local programs on your PC or Smart phone won't cut it)
Of course that doesn't apply here.
I don't know if it's hard or easy to guess it algorithmically.
That was the problem with all the "kitten captchas" etc. Very limited image database.
Here's an example that I got while trying to register an API account: https://www.wolframalpha.com/input/?i=One+%2B+3+equals+%3F
In ReCAPTCHA, the two-word CAPTCHA version, one of the two words is taken from a scanned book. That (unknown) word was one that failed OCR for that book.
The other word is one that captcha already knows the answer to.
The assumption is if you get the known captcha correct, then you probably got the other one correct as well (if it was possible to read it). The answer to the unknown word supplements the OCR of the book.
The captchas are put in random order, and you only have to get one of them right.
Luis's thought was that people are wasting all this time doing captcha - why not use that time to do something useful, like help digitize books.
As an aside, he's also one of the principal people behind duolingo, which is a quite awesome language learning / human-assisted translation engine.
The assumption behind recaptcha was a novel one, but it seems pretty obvious that the OCR is really just about as good as humans anyway - the 'difficult words' that usually get served are most commonly either non-existant words (printing/writing errors) or scanning/cropping errors.
It's much harder to provide productive criticism that leads to an actual improvement over the status quo. (Although it is easy to suggest bad alternatives to captchas, which is why they appear in every comment thread about captchas on Hacker News, including this one.)
Of course, if one ip is making too many requests, it gets blocked or captchaed
IP blocks can be countered in other ways (botnets, tor, etc).
I'm not saying it's a bad idea though, there doesn't seem to be any downside apart from the book-keeping required. You could probably start with a higher delay (5 to 10 seconds seems very reasonable) and increase it to several minutes. But please don't make it 24 hours after 3 failed attempts, which happened to me when I tried to order train tickets online and forced me to make a trip to a physical ticket vending machine.
I don't see anything wrong in principle with "account lock out" provided that it doesn't affect existing sessions and provided that you can just ask the site to send an email with a token to reset your password. Spammers can lock a user out, so what. Minor inconvenience. If it's happening a lot to the same user and it's also affecting the user negatively, something extra could be done to minimize lockouts for the actual user (who should be easy to detect by the server through logs and a premise the user isn't trying to hide).
Spammers are able to flood you with "forgot your password?" emails, too. I don't know how often they do it. I had my first wave in after 7 years of the same email just a few months ago mostly from old sites I forgot I even had accounts on.
I'm not really a fan of the exponential backoff idea proposed earlier above, I'd sooner go with the "X tries, then wait" approach. The lockout time should not be more than 24 hours, ideally less. Though one could also set the lockout period to expire when the user's session automatically expires, if there's a current one, but that may be too clever.
I feel that there are really two pieces of advice to give on dealing with spammers for the general case... Advice for low-traffic sites and advice for high-traffic sites. I don't have any advice with high-traffic sites since I have no experience with spam at that level (and by high-traffic I mean thousands to millions of uniques per hour), though I don't think the status quo is good enough. With low-traffic sites spam behavior is easy to detect and create a custom solution against. Custom solutions are often better than the popular stuff just by virtue of not having anyone targeting them specifically, and even if that's the case it's still easier to cat-and-mouse if the main options against spam aren't acceptable. Something as dead-simple as loading your form with javascript (or dynamically changing the URL endpoint when the submit button is clicked to something different than what's reported by the form's html attribute...) stops a lot of bots regardless of a captcha, even though you sacrifice the Lynx users. And in my own anecdotal experience I've had more success (less spam bots getting through and leaving a message) with a captcha like "Please join these two "words" together (without spaces): taeiswovd and brhpugqc" than with ReCaptcha even though it'd take less than a minute to add a parser for mine in a bot program. I used to use an arithmetic question but even the dumb bots are on to that one these days--at least the ones after my comment boxes. (I don't even think they added, they just tried numbers 0-99 and sometimes got lucky.)
Why? The poor soul answering support calls likely didn't make this policy and cannot do anything to change it. I guess if you like just unloading anger at some unempowered person who has the responsibility of taking a bunch of crap without reacting in turn then this is a good idea. Otherwise it is more useful to take your business elsewhere, and if you must try finding someone to complain towards that might actually be able to encourage change.
And as a complete aside: given the attitude PayPal phone representatives have displayed, they seem to deserve it personally, too.
If account is locked - user can either wait, or request account recovery (get email).
We launched in January and are using games to make them easier for people. Some of our early testing showed captchas can decrease signups by up to 25% and we're able to recover almost all of that.
We also monitor how you play the game (like mouse movement) so we can ramp up our security without having to make the task more difficult for people. Read more here http://areyouahuman.com/how-playthru-stops-the-bots
We're also getting ready to roll out an update to our API that will allow you to hide/disable the submit button until the game is played. Our testing showed this helped increase submission rates even more.
Finally, we are also trying different styles of games to see what people respond to best.
I'm skeptical of your efforts to distinguish humans from bots by mouse movements and other inputs. Anything you can infer can be modeled. It's unreasonable to expect a smart captcha cracker to resemble a zero reaction time Counter Strike aimbot.
That being said, we don't just ignore security. There are a lot of captcha alternatives out there that survive on just obscurity, if they were widely adopted, they wouldn't take much to get around (like a slide to unlock captcha). We analyze mouse movement and other behavior, to avoid this.
To test our algorithms, we write our own bots to break our game (as well as working with the AI lab at the university of michigan) and use that data in our machine learning algorithms. We're always tweaking the bot to see how we can beat it and then looking for new features from the data that we can use.
The main point being, that as people do write bots, we can learn from that and incorporate it. We can also adjust the threshold. Some of our customers care much more about usability and just want a minimum level of protection, other's want the threshold a little higher and accept the risk that humans might fail more often.
Considering that your games can be played by a random number generator with something like 10% success rate, you can just skip the captcha completely. Much more user friendly.
The other things you look at to increase security, like detecting patterns and behaviors that indicates bots can be done without a captcha.
Totally agree that we could detect patterns and behaviors without the captcha. Baby steps, though. We'll get there.
Do you consider that blind people are bots?
I agree that the button itself should be easier to discover for blind people, like an image link with a title tag.
Screen readers should pick up the alternate text.
<a href="javascript:AYAH_fallback()" style="position:absolute;left:-10000px;top:auto;width:1px;height:1px;overflow:hidden;">Please complete this audio captcha before submitting the form</a>
Also, I know the audio sucks, but it's the most secure out there, otherwise it would just be a giant hole for bots to get through. It's one of the things we want to make better.
In fact, we've experimented with audio games and had some good results.
We are also planning on a set culturally agnostic (as well as culturally specific) games. If you go to our homepage and refresh through the games you'll see a shape game, that has no language for an example.
I'd rather have my signup system use areyouhuman than re-captcha. What makes me uneasy about using it on a massive site is the whole html5 + flash dependency. And the audio captcha alternative you have is terrible. I have better than average hearing and wasn't able to understand anything on my audio sample. That and the re-captcha system helps digitize books while areyouhuman is just playing games. Even though I hate captcha it makes me feel like I'm helping digitize a book when I use recaptcha, so I feel better about it. On the other hand your games are interesting and dare I say it, a little bit addictive, especially with all those congratulatory stars at the end.
Eg. 'What's 4 times four?' or 'How many times does the word four appear within this sentence?'
http://random.irb.hr/signup.php
As for the harder questions, Wolfram Alpha is better able to do them than the average human.
> http://www.wolframalpha.com/input/?i=what%27s+4+times+four
Wolfram Alpha won't answer very many questions of that sort[0] but a cracker can spent a couple of hourse to enumerate all kinds of questions and writing tailored functions (and a detection routine) for each. If your detection routine is naive (e.g. choose randomly) and some or all of your answering functions work badly, no problem, you only have to get it right occasionally anyway.
[0] And indeed it fails unsurprisingly if comically for the second question How many times does the word four appear within this sentence?, trimming it to How many times and showing details about the British newspaper.
How about that for a captcha?
Makes me wonder what sort of social engineering opportunity this creates. What other fields could be advanced in a similar way.
In tests on my own sites I've found that introducing reCAPTCHA during the registration process leads to a significant increase in people abandoning their registration when they fail at recognising the text the first time, without putting a significant dent in spammer registration at all. I've found it far more effective to do things like randomising form field names (instead of using names like 'username' and 'password') so the spammer has to scrape the site to figure out which fields he needs to submit for each and every account he registers, silently dumping registrations that don't use the correct field names, and then applying various heuristics to successful registrations to detect patterns common to spammers.
For instance, one particular spammer always seemed to use the same user agent string and didn't ever trigger any of the AJAX calls on the page. It was trivial to detect registrations coming from that one spammer and silently dump new accounts when he created them.
I'm catching about 100 spam accounts a day with this technique[1] and the ones that I miss are fairly easy to detect through analysis once they start using their account.
[1] http://i.imgur.com/kdp7Q.png
That said, there are plenty of alternative solutions with good success rates (and far lower abandonment rates), like requiring the answer to a simple question (not math), photo captchas, randomizing inputs, using javascript techniques and honeypot forms. Captchas are so popular because they are easy to implement.
This version no longer advances OCR algorithms, but does provide cheap exception handling. I don't know when or why the change was made, but obsolescence is at the top of my mind. Either they've ran out of unrecognized words, or adversaries have beaten their OCR. Either way, it seems we're back to 2005.
edit: That said, Luis von Ahn mentioned that Google is experimenting with other image processing tasks, so there's hope yet.
Take the first one: 'Secretary' is clearly out of some book. The other thing is the real test. Now, reCaptcha never gives you real words as a test, so he shouldn't be surprised that it isn't a real word.
The third captcha complained about is actually incredibly easy. The first thing is clearly the word form a book, so you can just type a short bit of nonsense there. The second thing is 'ndaaar'. It's pretty legible and easy to enter. Other 'impossible' ones are pretty easy also.
Again, not trying to pick on the author, but hopefully someone will have an easier time after reading this comment. And while Captchas are annoying, I don't really feel they are impossible.
Edit: To the commenter below - I have no idea what green names mean here, so I don't know how that influences people. What do they represent?
For reCAPTCHA it used to be close to 100% success for me, but something has certainly changed with them, I don't know if it was intentional or is the result of a dwindling data set and as an end user, it doesn't matter, what matters is that they are really difficult to solve now.
1) Ask user to do a relatively expensive computation. This can be done in the background while the user is typing his post.
2) Request a small amount of money (10c) per comment. Good websites will return the money to non-spam commenters, will keep spammer's money. This however requires working microtransactions.
2) Requesting a small amount of money may work. Alternatively requesting a user to do some useful task (like Amazon Turk HIT) to get some funds.
This means that reCAPTCHA knows the first word. Identified by OCR? Not possible unless reCAPTCHA deliberately distorted the image. Identified by N other people? Not possible to determine such a word with confidence either.
Or am I missing something?
EDIT: Confirmed. The "proper" word is taken directly from book scans and I can type anything to pass the CAPTCHA. It seems that the control word is very Google-style.
Isn't it obvious that this is the case? There is one word in every image that is distorted in the same way and another image that might appear in some other way that Google wants to know what the word is.
And, slightly related, one of my favorite lighthearted sites: http://www.captchacomics.com/