CertPal

I have been researching captchas recently . The goal being, to understand how to make captchas better. I spent some time trying to determine the various forms of catcha available out there. There were quite a few and some were innovative (innovative does not necessarily mean easy to use ). Here are some that will interest you

Recaptcha:

The most common form of captcha is recaptcha. Recaptcha does a good job of displaying some sort of cryptic letters and numbers to its users. But it is far from the captcha solution that an end user might want. An image based approach promoted by captcha.net is also available, but some images are thoroughly confusing. I am currently researching better ways to categorize and display images. There are more problems to be discussed in image based captchas, which I would rather cover in a seprate post with an implementation.

Microsoft – Image based captcha:

Microsoft tried its hand at image captcha using Asirra , a  software that it had developed. MS tied up with shelters for cats / dogs and introduced an image based captcha that asks users to select cats and not dogs from a range of pictues. Very cumbersome for an end user to put up with. This excerpt from the wikipedia entry for captcha tells you why this approach might not work.

Human solvers are a potential weakness for strategies such as Asirra. If the database of cat and dog photos can be downloaded, then paying workers $0.01 to classify each photo as either a dog or a cat means that almost the entire database of photos can be deciphered for $30,000. Photos that are subsequently added to the Asirra database are then a relatively small data set that can be classified as they first appear.

Even with an image database of 3 million, Asirra was not able to get the job done.

Google image rotation captcha:

Google’s version of captcha involved asking users to rotate an image to its right orientation. Simply change the orientation of an image so that it is upright and let users submit comments after doing so. The PDF abstract makes for a very interesting read. Of course they do have the traditional captcha that asks users to type the cryptic letters + numbers. Like others, they do experiement and try to come up with a better solution.

JQuery page time captcha:

Yet another form of captcha tries to determine the time spent by a user on a page before a comment is submitted to the server. The rationale is that if the user spends less than 5-10 seconds on a page and manages to comment on it, the user is probably a bot.  Check out the JQuery example. It is not fool proof. A bot can manage to wait for some time and post a comment.

ASCII Captcha:

Captcha can manifest itself in the form of ASCII text too. If you try hard enough you will be able to see the word WOW -> \_/\_/ (0) \_/\_/

But the usability of such a solution is questionable. Generating random ascii based text is not easy and getting users to identify them is much harder. If you can get an image of the ascii, it might become a candidate for OCR recognition. Check it out

Math Captcha:

The classic 1+1 = 2 captcha. Most implementations that I have seen to date can be defeated by simply sniffing the HTML code. Never the less a very effective captcha for keeping away bots and humans that are not mathematically inclined . An implementation is also available with a little twist. Check it out

Solve failed OCR captchas:

Captcha APIs attempt to show you images that a OCR scan failed to read correctly. The idea behind this is that a bot will find it harder to read the image since the OCR failed. But if the words displayed are so obscure that a bot finds it hard to read them, human being are just as likely to find it hard to decipher what is displayed. This is related to reCaptcha like captchas.

Trivia captcha:

This form of captcha ask you trivia questions that might be easy for a human being to answer. For example: Where do you wear a watch, on your hand or your head ? This is intuitive but how do you come up with millions of questions that are free of bias or subjective answers ? And how do you display the answers ? If you show the answers to the user as a choice, a bot can pick one randomly, which results in a success rate of 50%. A 50% success rate is HUGE in the world of breaking captchas. If you allow the user to type the answer, you have to deal with typos, plural words, synonyms etc. The codechef site implements this without any dynamic variants by asking how many hours are there in a day. Not a solid implementation but a trivia never the less.

Drag and drop captcha:

The idea is to drag and drop images to a specified area in the captcha form. Should be defeatable by combining image recognition and automated test scripts that can perform functions that a user would (mouse click, drag etc). But would a bot go into so much trouble ? I dont know. Check it out

Here are some things to consider before choosing a captcha (certainly not exhaustive)

1. Will the captcha work without java script ?
2. What is the overhead of using the captcha. Images for example increase bandwidth usage.
3. How difficult is it for the user to decipher the captcha.
4. How difficult is it for the bot to decipher the captcha.
5. How easily will the captcha integrate ?

All that said, captchas by themselves are broken. Be it with an image or a cryptic code or whatever. Asking a user more information in order to identify them as “humans” is asking too much. However I am not aware of an alternative that is more attractive. So we might as well think of ways of improving it. If you had the option of choosing one of these captchas, which one would it be ? Vote here

 Loading ...

PS: I considered adding a  ‘I dont want to select any captcha !’ option to the poll. But ah ! what good is a poll when 100% of the respondents choose the same answer .