March 2021
Mo Tu We Th Fr Sa Su
<< >>



Posted on Oct 07 2008

Quoting Wikipedia, a CAPTCHA is a type of challenge-response test used in computing to ensure that the response is not generated by a computer.

CAPTCHA are often used when subscribing to a popular service that would otherwise be subject to be targeted by bots.

However, there are several ways to break captchas :

The first one is to use the human brain. Some spammers have been using p0rn websites : they get the captcha image from Yahoo or MSN, then ask some good-willing guy visiting their website to enter the captcha meaning to be able to watch available pictures....

Quite smart indeed.

One other possibility is to use latest advances in shape-recognition algorithms that enable a computer to automatically "read" the content of an image, even if it's been rotated or distorted.

With more research being done in that field and more powerful computers being used to break CAPTCHA, we will sadly soon reach a level where the amount of complexity required to "hide" the meaning of the CAPTCHA from automated computers will be too much for the human brain to make sense of it.

It's already possible to find some very annoying CAPTCHA that makes you feel bad about subscribing to a given service. Things will even get worse from here...

But with captcha being broken, how will you prevent bot-automated subscription in the future ?

One answer might come from more centralized way of handling the identify of users, such as OpenID. By adding some kind of social filtering of users, it might indeed be possible to ensure that bots will never reach enough trust to be able to subscribe. But that's also a problem since you don't want to loose "real" people in the process...

One other possibility might be to run NP problems on the client side, so subscription would require quite a lot of client CPU power (and very little server CPU for the correctness check). This would not stop spam bots but at least increase their hardware cost (we would still have trouble with botnets...).

Actually, this idea of having the client computer doing complex calculus can be applied to the human as well. Character recognition is still quite CPU expensive, so if you still want to use CAPTCHA on your website, why not help people to digitize books at the same time ?

reCAPTCHA does just that, and as they say "stop spam, read books"

  • Oct 07, 2008 at 22:59

    That's a cool idea. I've always thought general knowledge questions or simple written requests would be a good option. For example :

    What day occurs directly after Tuesday?
    What organ beats inside your chest?
    What is turnip spelled backwards?

    Granted, some people might spell it wrong, but computers aren't yet quite smart enough to understand English, no matter how well they can read it.

  • Oct 08, 2008 at 21:34

    Yes, but you need quite a big database of knowledge questions, and spammers can hire some guys (or use 1st solution to solve CAPTCHAs) to create the corresponding answers database... That's why you need some random in your CAPTCHA generation.

  • Nov 16, 2008 at 15:41

    Solution is of course is that nothing is free.

    (Translation: Everything has a cost, and when we try to give away things for free that have a cost, there are side effects. When the side effects become too great, then malinvestment (e.g. centralized ad supported model of the current web) die. It applies to bandwidth sharing as well:

    This concept that we can't share equally has enormous implications on internet, society, what is money, etc... read my forum at to come up to speed.)

Name : Email : Website : Message :