Two (or three) waves of broken Captchas

Captcha is that technology you see when a site (like mine) is trying to keep spambots from posting spam comments or creating junk accounts. Captcha uses a distorted image of a word, like this:

[Image: Captcha]

The idea is that only an actual human can read this image and see the word within. The human is then asked to type this word correctly before they are allowed to enter a comment, create an account, etc.
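The server side of that check is the part the post does not show: the site has to remember which word it asked for, accept exactly one answer for it, and not let the answer be guessed or replayed. The following is an added example, not code from the original post, of a minimal stateless Captcha challenge/verify flow in Python. The secret key, the alphabet and the in-memory nonce set are assumptions for illustration; image rendering is left out, since the text explains that part.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Hypothetical server-side secret; a real deployment loads this from configuration.
SERVER_SECRET = b"example-only-secret-key"

# Characters that stay legible when distorted; look-alikes such as 0/O and 1/I are left out.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Nonces that have already been spent. In a real service this lives in a shared
# store (e.g. a database or cache) so every web node sees the same set.
_spent_nonces: set = set()


def _mac(nonce: str, expires: int, answer: str) -> str:
    """HMAC over nonce, expiry and the normalised answer.

    Because the key is secret, the browser cannot derive the answer from the token,
    and cannot test guesses offline; each guess has to go through verify()."""
    msg = f"{nonce}|{expires}|{answer.strip().upper()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def new_challenge(now: Optional[float] = None, ttl: int = 300, length: int = 6) -> Tuple[str, str]:
    """Return (answer, token).

    The answer is what would be rendered as the distorted image; only the token
    goes to the browser (for example in a hidden form field)."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    nonce = secrets.token_hex(8)
    expires = int(now) + ttl
    token = f"{nonce}.{expires}.{_mac(nonce, expires, answer)}"
    return answer, token


def verify(token: str, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submitted answer against its token.

    A token is good for one attempt only: it is spent whether or not the answer
    is right, so a bot cannot keep guessing against the same challenge."""
    now = time.time() if now is None else now
    try:
        nonce, exp_s, mac = token.split(".")
        expires = int(exp_s)
    except ValueError:
        return False                      # malformed token
    if expires < now:
        return False                      # challenge has expired
    if nonce in _spent_nonces:
        return False                      # replay, or a second guess
    _spent_nonces.add(nonce)              # burn the token before judging the answer
    expected = _mac(nonce, expires, submitted)
    return hmac.compare_digest(expected, mac)   # constant-time comparison


if __name__ == "__main__":
    answer, token = new_challenge()
    print("render this word as an image:", answer)
    print("first attempt with the right word:", verify(token, answer))
    print("same token again (replay):", verify(token, answer))
```

The expiry bounds how long a relayed image stays useful, and the one-attempt rule means the human-relay scheme described later on the page has to pay for a fresh solve per submission rather than amortising one solve over many guesses; neither measure stops a human from reading the word, which is the point of the post.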

There were three waves of failure for the Captcha technique.

  1. Initially, webmasters did not even distort the word in the picture. Spammers simply used OCR technology to “read” the picture.
  2. Next, webmasters used scrambled words like the one above. Spammers used better OCR.
  3. Webmasters improved the scrambling (see below). Spammers enlisted humans to do the OCR (!).

[Image: Improved Captcha]

Enlisting humans to do OCR? Basically, the image is relayed to people who are paid, either in money or in access to porn, to solve the captcha and return the solution, which can then be used to gain machine or script access to the target system.

Wikipedia does its usual great job explaining the whole Captcha thing.

Jeff Atwood does it best at Coding Horror: March 04, 2008 — CAPTCHA is Dead, Long Live CAPTCHA!

Jeff also has a great thread on it in his discussion of his ongoing efforts to manage bad behaviour at his excellent StackOverflow site.
