Sunday, February 12, 2012

CAPTCHA - Broken? Yes and No

Stanford researchers have reported results on breaking CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart). What they report is that the audio portion of a captcha test can be an easy target for a hacker or a botnet. Audio captchas are used to increase web site accessibility and to make sure public web sites are in ADA 508 legal compliance.

The bad thing is that the success rate was greater than they were expecting. Using their new tool, Decaptcha, they were able to solve Microsoft’s audio captchas with 49% success, Yahoo’s with 45% and eBay’s with 82%. That accuracy is often better than a human’s. To make matters worse, the required learning time was approximately 20 minutes, with tens of captchas being solved per minute on a single desktop computer. Decaptcha does not require any special hardware or software.

The success rate is high enough to label audio captcha as broken.

If you are using text-based captchas, here are some design principles you should take into consideration to create more secure captchas.

  1. Randomize the captcha length: Don’t use a fixed length; it gives too much information to the attacker.
  2. Randomize the character size: Make sure the attacker can’t make educated guesses by using several font sizes and several fonts.
  3. Wave the captcha: Waving the captcha increases the difficulty for the attacker.
  4. Don’t use a complex charset: A large charset does not significantly improve the captcha scheme’s security and really hurts human accuracy.
  5. Use anti-recognition techniques as a means of strengthening captcha security: Rotating and scaling some characters and using various font sizes will reduce recognition efficiency and increase security by making character width less predictable.
  6. Keep the line within the captcha: Lines must cross only some of the captcha letters, so that it is impossible to tell whether a stroke is part of the line or a character segment.
  7. Use large lines: Lines that are not as wide as the character segments give an attacker a robust discriminator and leave the line anti-segmentation technique vulnerable to many attack techniques.
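As an added illustration of the seven principles (this is example code written for this post, not a tool from the Stanford researchers or from any captcha library), the following Python lays out a text captcha as a geometric plan (glyph positions, sizes, rotations, a wavy baseline and one crossing line) rather than rendering pixels, so it runs with the standard library only. The stroke width of 3 px, the size and length ranges, and the rule that the crossing line spans the centres of two to n-1 consecutive glyphs are all assumptions chosen for the example. `check_plan` is the part a defender would keep: it flags a layout that breaks any of the principles, and `weak_plan` builds the fixed-length, single-size, thin-line layout the post warns against so the check has something to reject.

```python
import math
import random
from dataclasses import dataclass

# Small, unambiguous charset (principle 4): no 0/o or 1/l/i look-alikes.
CHARSET = "abcdefghjkmnpqrstuvwxyz23456789"
STROKE_WIDTH = 3  # assumed stroke width (px) of the rendered characters


@dataclass
class Glyph:
    char: str
    x: float         # left edge in px
    baseline: float  # baseline y in px, already displaced by the wave
    size: int        # font size in px
    rotation: float  # degrees

    @property
    def center_x(self) -> float:
        return self.x + self.size / 2


@dataclass
class CaptchaPlan:
    text: str
    glyphs: list
    width: int
    height: int
    line_x0: float   # horizontal extent of the anti-segmentation line
    line_x1: float
    line_width: int  # stroke width of that line in px


def make_plan(rng, min_len=5, max_len=8, min_size=22, max_size=34, height=64):
    """Lay out one captcha following the seven principles (assumed ranges)."""
    n = rng.randint(min_len, max_len)                           # 1: random length
    text = "".join(rng.choice(CHARSET) for _ in range(n))
    amplitude = rng.uniform(4, 8)                               # 3: wave the baseline
    period = rng.uniform(60, 120)
    glyphs, x = [], 12.0
    for ch in text:
        size = rng.randint(min_size, max_size)                  # 2: random size
        baseline = height / 2 + amplitude * math.sin(2 * math.pi * x / period)
        glyphs.append(Glyph(ch, x, baseline, size, rng.uniform(-25, 25)))  # 5: rotate
        x += size * rng.uniform(0.6, 0.9)   # overlapping advance: widths less predictable
    width = int(x + 12)
    # 6: the line runs between the centres of 2..n-1 consecutive glyphs, never all of them
    crossed = rng.randint(2, n - 1)
    start = rng.randint(0, n - crossed)
    line_x0 = glyphs[start].center_x
    line_x1 = glyphs[start + crossed - 1].center_x
    line_width = STROKE_WIDTH + rng.randint(0, 2)               # 7: never thinner than strokes
    return CaptchaPlan(text, glyphs, width, height, line_x0, line_x1, line_width)


def weak_plan(seed=1, length=6, size=28, height=64):
    """Counter-example: fixed length, one size, no rotation, a thin line over every glyph."""
    rng = random.Random(seed)
    text = "".join(rng.choice(CHARSET) for _ in range(length))
    glyphs = [Glyph(ch, 12.0 + i * size, height / 2, size, 0.0) for i, ch in enumerate(text)]
    right = 12.0 + length * size
    return CaptchaPlan(text, glyphs, int(right + 12), height, 0.0, right, STROKE_WIDTH - 1)


def crossed_glyphs(plan):
    """Glyphs whose centre lies under the line, i.e. the ones it visually cuts."""
    return [g for g in plan.glyphs if plan.line_x0 <= g.center_x <= plan.line_x1]


def check_plan(plan, stroke_width=STROKE_WIDTH):
    """Return the list of principles a single plan violates (empty means it passes)."""
    problems = []
    if any(c not in CHARSET for c in plan.text):
        problems.append("character outside the intended charset")
    if len({g.size for g in plan.glyphs}) == 1:
        problems.append("all glyphs share one size")
    if all(g.rotation == 0 for g in plan.glyphs):
        problems.append("no glyph is rotated")
    n_crossed = len(crossed_glyphs(plan))
    if n_crossed == 0 or n_crossed == len(plan.glyphs):
        problems.append("line crosses none or all of the glyphs")
    if plan.line_width < stroke_width:
        problems.append("line is thinner than the character strokes")
    return problems


def sample_plans(seed=2012, count=50):
    rng = random.Random(seed)
    return [make_plan(rng) for _ in range(count)]


def lengths_vary(plans):
    """Principle 1 is a property of the population of captchas, not of one image."""
    return len({len(p.text) for p in plans}) > 1


if __name__ == "__main__":
    plans = sample_plans()
    print("lengths seen:", sorted({len(p.text) for p in plans}))
    print("violations across generated plans:", sum(len(check_plan(p)) for p in plans))
    print("violations in the weak plan:", check_plan(weak_plan()))
```

The plan can be handed to any image library to draw; what matters for the principles is that randomness is applied per character (size, rotation, advance) and per image (length, wave, line placement), and that the line check is done on the population of generated captchas, since a single image cannot show whether the length is fixed.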

As with all things in security, no single measure is going to make us secure. It will always be security through defense in depth.


  1. Also check out for some really good anti-spam measures.

  2. Luke, thanks for the comment. I went to the URL; very interesting. Have you used this before? The one thing he did say which I believe is true is that as software gets better at breaking text CAPTCHA, CAPTCHA will get harder for humans. Unfortunately bots are not going away.