CAPTCHA

From Computing and Software Wiki

CAPTCHA is an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart. Commonly, these tests take the form of images of scrambled text that a human is able to read, but current optical character recognition software cannot decipher. The most common use of a CAPTCHA is to protect web-accessible services from being abused by "bots".

Contents 1 Background 2 Weaknesses 2.1 Poorly Made CAPTCHA 2.2 Accessibility 3 References

Background

Weaknesses

Poorly Made CAPTCHA

A CAPTCHA can be described as poor in one of two ways. Either the test fails to be human-solvable in a reasonable amount of time, or it can be solved by a computer using current AI techniques.

To the right are two CAPTCHA that fall under the first category. The first image displays a CAPTCHA that requires the user to solve a difficult calculus problem in order to proceed. While this may successfully thwart a bot, it also prevents many legitimate users from using the web service. Likewise, the second example CAPTCHA is simple unreadable by humans due to poor contrast.

The second category of poor CAPTCHA are those that can be solved by a computer, as it then fails to be a test that can tell computers and humans apart. To the left is an example of a program written by Casey Chesnut that successfully posted spam to 94 blogs in 10 minutes [2].

Although it can be said that these are examples of poor CAPTCHA, based on the very definition of a CAPTCHA these are not CAPTCHA at all. If a test is either not solvable by humans or solvable by computers, it is not longer a test that tells computers and humans apart

Accessibility

Many CAPTCHA also suffer from poor accessibility. For example, each of the CAPTCHA shown above would be unusable by a blind user as they require the user to decipher text from a bitmap image. Some websites now provide audio CAPTCHA as well, though these are sometimes equally difficult to understand by humans, or easier to crack with speech-recognition software [6]. As such, the W3C has recommended that low-volume, low-resource websites (such as blogs protecting against comment spam) replace CAPTCHA with spam-filtering heuristics [6].

References

1. Carnegie Mellon University. 2009. What is a CAPTCHA?.
2. Chesnut, Casey. 2005. Using AI to beat CAPTCHA and post comment spam
3. Luis von Ahn, Ben Maurer, Colin McMillen, David Abraham and Manuel Blum. 2008. reCAPTCHA: Human-Based Character Recognition via Web Security Measures. In Science.
4. Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford. CAPTCHA: Using Hard AI Problems for Security. In Eurocrypt.
5. Luis von Ahn, Manuel Blum and John Langford. 2004. Telling Humans and Computers Apart Automatically. In Communications of the ACM.
6. W3C. 2005. Inaccessibility of CAPTCHA.
7. Willis, John M. 2008. Top 10 Worst Captchas.

--Dangelsm 14:07, 8 April 2009 (EDT)