How Long’s A CAPTCHA take to die?
Posted on July 24, 2008
Filed Under Bots, Web Programming

With all due apologies to the Beautiful South for the title.
Anything that can be exploited eventually gets broken so how come so many people seem to think that CAPTCHAs are somehow exempt from this?
Surely their history so far is sufficient to establish that they will become less and less useful.
When CAPTCHAs first burst upon the scene they cut spam to near zero immediately, but then any new method will do likewise. As they were adopted by more and more sites and services it became more and more worthwhile for certain people to break them. And as it became more worthwhile to break them, they were broken more often, until it has got to the point where I, as a human (for the sake of argument, alright!), struggle to read some. This year there have been several news stories about how certain groups can break x% of CAPTCHAs from Google, Yahoo etc. Twisted text is clearly on its way out.
What will replace it?
Many people are suggesting just another form of CAPTCHA: either image recognition (“click on the kitten”) or text-based questions. Both of these have their problems.
The image recognition one requires a huge database of images; otherwise it is easy for ne’er-do-wells to simply collect every example and look up the answer. Most sites do not have the resources to implement this, and having one supplied as a service to multiple sites just makes it more valuable for certain types to collect all the images in order to break it.
It also has accessibility issues.
It also has the problem of offering a choice of answers rather than being open-ended. If you do not have additional code looking for excessive submissions, ne’er-do-wells can just fire massive numbers of submissions at your script and guess at the answer to get x submissions through.
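As an added illustration of that last point (this is not code from the original post), the block below models a hypothetical “pick one of N images” challenge. The names ChoiceCaptcha, FakeClock and simulate_blind_guessing, the client key (a session id or source address) and the attempt limits are all assumptions made for the example. A client that merely guesses gets roughly one submission in N through when nothing throttles it; once the verifier counts failed attempts per client in a sliding window and refuses further attempts, the number that get through collapses.

```python
"""Multiple-choice CAPTCHA verifier with per-client attempt throttling.

Added example, not code from the original post. Challenge ids, client keys
and the simulated guesser are all constructed for illustration.
"""
import random
import secrets
import time
from collections import defaultdict, deque


class FakeClock:
    """Deterministic clock so the sliding window can be exercised offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ChoiceCaptcha:
    """Issues N-way challenges and verifies answers, keeping a sliding-window
    count of failed attempts per client key (hypothetical design)."""

    def __init__(self, n_choices=9, max_attempts=3, window_seconds=600,
                 clock=None, rng=None):
        self.n_choices = n_choices
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock or time.time
        self.rng = rng or secrets.SystemRandom()
        self._answers = {}                    # challenge id -> correct index
        self._failures = defaultdict(deque)   # client key -> failure timestamps

    def issue(self):
        """Create a fresh challenge and return its id."""
        cid = secrets.token_urlsafe(16)
        self._answers[cid] = self.rng.randrange(self.n_choices)
        return cid

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:   # drop entries outside the window
            q.popleft()
        return q

    def verify(self, key, cid, choice):
        """Return 'ok', 'wrong', 'rate_limited' or 'unknown_challenge'."""
        now = self.clock()
        failures = self._recent_failures(key, now)
        # Refuse before looking at the answer: a locked-out client must not be
        # able to get a lucky guess through.
        if len(failures) >= self.max_attempts:
            return "rate_limited"
        answer = self._answers.pop(cid, None)   # one-shot: a challenge cannot be replayed
        if answer is None:
            return "unknown_challenge"
        if choice == answer:
            return "ok"
        failures.append(now)
        return "wrong"


def simulate_blind_guessing(n_submissions, max_attempts, n_choices=9, seed=0):
    """Count how many of n_submissions blind guesses from a single client are
    accepted, one submission per second. Pass max_attempts=n_submissions to
    see the unthrottled behaviour (about n_submissions / n_choices)."""
    guesser = random.Random(seed)
    clock = FakeClock()
    svc = ChoiceCaptcha(n_choices=n_choices, max_attempts=max_attempts,
                        window_seconds=600, clock=clock,
                        rng=random.Random(seed + 1))
    passed = 0
    for _ in range(n_submissions):
        cid = svc.issue()
        if svc.verify("client-A", cid, guesser.randrange(n_choices)) == "ok":
            passed += 1
        clock.advance(1.0)
    return passed


if __name__ == "__main__":
    print("unthrottled:", simulate_blind_guessing(1000, max_attempts=1000))
    print("throttled:  ", simulate_blind_guessing(1000, max_attempts=3))
```

Two design points carry the weight here: the lock-out check runs before the answer is consulted, so a locked-out client cannot be let through on a correct guess, and each challenge id is consumed on first use, so a single known-good challenge cannot be resubmitted. Neither fixes the accessibility or image-database problems above; it only removes the free guessing.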
Textual CAPTCHAs at least have fewer accessibility issues, although you’re still asking the visitor to do something extra for no direct benefit to themselves. However, the only thing keeping these safe at the moment is the lack of widespread or important adoption. If GMail or similar services were to implement text-based CAPTCHAs they would be broken in under an hour. We’re talking about a level of technology equivalent to the text adventures/interactive fiction of the ’80s.
Make no doubt about it, every class of CAPTCHA will eventually wither and die, and it will become more and more difficult to come up with new classes.
But hey! Until then we can still make hay with CAPTCHAs on the door, though?
No.
The whole point of a CAPTCHA is to tell the difference between a computer and a human. Any workable CAPTCHA (where we define workable as one passable by the majority of the population) can simply be farmed out to a human. Think that would be too expensive? I’ve just seen a freelance job posting looking for people to break CAPTCHAs. It was paying $1 per 1,000 correctly entered CAPTCHAs. The industry is already organised: the poster was looking for teams, not individuals, and already had bids well into double figures.
Or in other words, even if your CAPTCHA is perfectly implemented it costs a ne’er-do-well at most a tenth of a cent to make a submission against your form!
How Long’s A CAPTCHA take to die? Not long.