The use of a Captcha (which stands for Completely Automated Public Turing test to tell Computers and Humans Apart) is a very common element in web forms used across several industries. As its name suggests, it is meant to restrict form submissions to human beings rather than machines; this is intended to keep spam bots and malware at bay.
Unfortunately, research has proven that this may not be as effective as we think. Computer scientists seem to have developed ways to reliably render the original use of Captcha useless.
Types of Common Captchas
Captchas come in various forms. The first and most common is the image-based Captcha, which displays a combination of proper words or gibberish using alphanumeric characters. These characters can be distorted and rendered using one or more fonts, then placed on a background with added noise to make it more difficult for automated bots to read the text off the image.
The second type of Captcha is audio-based, which is supposedly ideal for people who may have trouble reading the mangled text of the Captcha image.
The third type of Captcha is the text-based Captcha. This Captcha requires the human user to solve an equation and provide an answer.
Down Memory Lane
Traditionally, it was assumed that using Captchas was a foolproof method for keeping spam bots and other malware from having a field day on web-based forms. This assumption may have been the Achilles heel in the adoption of this technology.
At the time the idea of using a Captcha to secure web forms came into play, the technology to beat it was not yet there. Probably the only problem was the usability of the Captcha: was the human user actually able to read the mangled contents of the Captcha? If not, then it defeated the purpose of the web form.
Over the years, as the potentially destructive technology and the algorithms driving it improved, there was a need to make the Captcha text more complex for machines to read but still fairly easy for humans to read. The problem with this is that there are always limits to how far you can mangle the image content without making it impossible for humans to read. Unfortunately, Captchas do a great job of keeping out a large number of humans as well as spambots.
With more and more services such as online banking being made available online, security had to take a paramount place in requirements and design planning.
The Current Situation
In the current era, Captchas are still widely used to protect web forms, but their levels of security make the situation appear less than favorable. With advanced technologies at research centers in selected universities across the world being used to break these Captcha methods, there is a clear case that the current crop of Captchas is not as secure as we would hope.
With several passes, the technology, in the form of software applications, is able to effectively determine which characters are used in images based on their shapes after analyzing the images.
Of the several Captcha codes tested, it was only the Google Captcha and reCaptcha (also owned by Google) that held up against all the scrutiny. Many recorded a 100 percent vulnerability rate.
A New Entrant
In the midst of this gloomy situation there is a silver lining. A relatively new entrant into the Captcha technology business is NuCaptcha. NuCaptcha has employed a different technique which makes it easier for humans to read, while at the same time making it more complicated for machines to read.
NuCaptcha uses an animation showing a moving image-based background with moving text over it. Apparently this motion makes it easier for humans to recognize the patterns, but makes it a nightmare for machines.
In addition to this, NuCaptcha can also detect bot-like activity, such as forms being filled out at unusual speeds.
With this in mind, the text in Captcha images can have fewer characters (down to even three characters) and still be very effective.
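One way a server can flag forms filled out at unusual speeds, shown as an added example that is not NuCaptcha's code and not part of the original article. The function names, thresholds and token format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, kept server-side
MIN_FILL_SECONDS = 3.0                # assumed threshold: faster than this looks automated
MAX_AGE_SECONDS = 3600.0              # assumed token lifetime
_used_nonces = set()                  # in-memory single-use store (a shared cache in production)


def _mac(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Create 'issued_ms.nonce.mac' to embed as a hidden field when the form is rendered."""
    issued_ms = int((time.time() if now is None else now) * 1000)
    payload = f"{issued_ms}.{secrets.token_hex(8)}"
    return f"{payload}.{_mac(payload)}"


def check_submission(token, now=None):
    """Classify a submitted token: ok, too_fast, expired, replayed or invalid."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return "invalid"
    issued_ms, nonce, mac = parts
    expected = _mac(f"{issued_ms}.{nonce}")
    # Constant-time comparison; the timestamp is trusted only after the MAC verifies.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "invalid"
    if nonce in _used_nonces:
        return "replayed"      # one rendered form yields at most one accepted submission
    elapsed = now - int(issued_ms) / 1000.0
    if elapsed < MIN_FILL_SECONDS:
        return "too_fast"      # submitted sooner than a person could plausibly type
    if elapsed > MAX_AGE_SECONDS:
        return "expired"
    _used_nonces.add(nonce)
    return "ok"
```

A "too_fast" result is best treated as one signal among several (for example, triggering a harder challenge) rather than as proof of automation, since browser autofill can also complete a form within a second or two.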
In the Years to Come
The future of effective and secure Captchas depends on the continuous innovation behind the creation of the image codes. Even though reCaptcha and NuCaptcha have somewhat proven to hold up against attacks, it is just a matter of time until the world is widely exposed to better pattern-recognition technology.
Until some other technology comes along that renders Captcha obsolete, constant usability tests and improvements are the key to the continued success of Captcha security models.
Is it Safe to Continue Using Captcha?
Depending on which Captcha you use, for now we can say that you are relatively safe; some of the technology used to break Captcha is not in the public domain after all. Despite the flaws in the current Captcha codes, they are still effective at keeping almost all the bots at bay.
So it is safe to say that the use of Captcha is still intact for now, and it is still currently better to use Captcha than to expose a form without it.
- NuCaptcha, www.nucaptcha.com
- Elie Bursztein Publications, http://cdn.ly.tl/publications/text-based-captcha-strengths-and-weaknesses.pdf
- Annual Computer Security Applications Conference (acsac.org), http://acsac.org/2010/openconf/modules/request.php?module=oc_program&action=summary.php&id=53
- reCAPTCHA, www.google.com/recaptcha