bestkungfu weblog

Matt Presents: Escape from CAPTCHA

Filed in: accessibility, CSUN2004, tech, Sun, Mar 21 2004 02:15 PT

It’s really hard to blog your own presentation. I mean, there you are, saying something brilliant, and then you have to go sit down, remember what you said, and annoy all of the people listening by wasting their time as you select your LiveJournal mood and what’s playing in iTunes. So these are just fading memories of my fantastic presentation on the inaccessibility of CAPTCHA. (This is long. Sorry. It’s also kind of important.)

In the beginning, life was easy. Resources flowed freely across the Web. Then people started creating Web sites that offered resources people liked, and made people register for them. These were usually useful resources like, say, Web-based email, instant messaging, and so forth. Thing was, these accounts were valuable to people who wished to exploit them for this new “spam” thing that was going around. And then the cat-and-mouse game began: spammers started creating millions of Hotmail and AIM accounts just to steal their resources, and the goal for those sites became finding a way to keep the bad guys out, while letting the good guys in. The hunt for a better mousetrap led to a system called CAPTCHA, which shows distorted text in a bitmap image, and asks users to enter the text into a form.

The T in CAPTCHA stands for “Turing test.” (Actually, there are four T words in a row, but I’m pretty sure they only promoted these two.) A Turing test is a hypothesis put forward by famous mathematician Alan Turing in 1950. He said (and I paraphrase), put somebody in front of a terminal. Feed them input. It could be from a human or a computer. If the user can’t tell whether the input comes from a human or a computer, then call 60 Minutes, baby, the era of artificial intelligence has begun. Well, Morley Safer will tell you that they haven’t gotten that call, so the only use of a Turing test is to create something that will let humans pass, while totally hamstringing robots. (Poor things. I can see them wincing and grasping their legs right now.)

Only, it’s inaccessible by design. Assistive technology, which is, for all intents and purposes in this story, a robot, can’t read these images. (And if they could, so could all the bad robots going around stealing stuff.) There is no alt text available for most CAPTCHAs, which makes their host documents invalid in addition to inaccessible. This isn’t a test to prove you’re human. It’s a test to prove you’re human, have very good eyesight, and are not dyslexic. People are frequently stopped dead at a CAPTCHA.

More proof that this is a poor mousetrap: CAPTCHA is hackable. In addition to CAPTCHA crackers using optical character recognition to defeat the images (which is why they’re sometimes so distorted as to be unreadable even if you are human), there are some great social engineering exercises. Let’s say you’re a spammer (you filthy bastard). If your business comes from stealing these accounts, then it’s worth it to make sure a human can create these things as rapidly as possible. So you pay someone to code you a system, and you pay someone else minimum wage to sit there and help the robots by deciphering a thousand of these codes every hour. (Humans are crafty.)

Or you can do it for free. The first publicized hack of CAPTCHA consisted of a developer creating a porn site, then making its users enter the CAPTCHA codes in order to gain access to the pictures. (Humans are really, really crafty.) In other words, there are ways to ensure that an infinite number of users are willing to solve your CAPTCHA problem. (Though it’s probably best not to suggest this idea to blindness and dyslexia-oriented advocacy groups.)

So, CAPTCHA is broken. What to do? We wrote a paper, which I originally titled “On the Internet, Nobody’s Sure if You’re a Robot“, but is now something much uncooler. It says all the stuff I just said here, (erm, formalized slightly), and then tries to get people thinking about CAPTCHA to step back and think about exactly what they’re planning to solve, so that they can see that no matter what it is, CAPTCHA ain’t the solution.

There are three models of user checking out there on the Web:


Most sites don’t really care whether a user is a robot, as long as they’re not hammering the server. The accounts that are set up are more for tracking settings and gaining user data than anything else.


This is to see if someone is an actual-factual human. Humans buy more stuff. And humans may even be afforded the privilege of more than one account on the same system: some sites give one user seven email addresses, to be parceled out at the user’s choice.


This is the one-person, one-vote system: passports, state identifications, driving licenses, bank cards. As social services move online, Americans will likely have to cough up their Social Security numbers in order to approximate this right. In the long term, hopefully, this will change.

With these in mind, we came up with several different approaches to enhanced security. While we don’t have the silver bullet, we can say that CAPTCHA isn’t any better, and many of our suggestions are more accessible.

Logic puzzles

Is there an elephant in the room? Humans can answer that correctly and uniformly. (Except for people who work with elephants, or have hangovers.) Computers can’t. So using logic-based questions would be sufficient – until the Semantic Web happens, perhaps. Cons: this is bad for users with cognitive disabilities, speakers of foreign languages, and people who can’t spell. And you’d need a zillion questions to keep robots from caching them and determining the answers.


What if they read the letters out to you instead? The advantage is that it would be usable in more than one modality. Cons: it’s hard to transcribe audio. (Trust me. I do it all the time.) You may need to listen to something like this several times before you actually manage to write it down. But this is also vulnerable to voice-recognition systems, so often these sound files are also distorted and hard to understand. And they’re no great bargain if you happen to be deaf and blind.

Credit-card validation

The first private identity system in the United States was the credit card network. Using a credit card number, you can match a person to a mailing address, which is good enough security for many companies. Cons: many users, including all under 18, do not have a credit card. This also costs money for companies to execute, and creates perception issues around security.

Live operators

Yahoo and AOL both offer live operators to allow users to bypass this system. Computers are really poor at conducting a phone conversation, so this would be satisfactory. Cons: running a 24-hour call center is something that’s so expensive that only the five richest kings of Europe can afford it. And it’s another separate-but-equal solution that violates the spirit of an accessible Web.

Limited use and usage tracking

Maybe your system doesn’t really need to provide infinite service to new customers. So you set a limit of ten outgoing mail messages per day, rather than locking down registration. But then maybe you’d have caused 10,000 times more registrations than before. Then comes what I describe as “post-hoc checking”: watch the usage patterns of use of certain accounts, and suspend access of users that match a given pattern. This can be successful, and pretty silent, if you can find artifacts of abusers. But it can also fail with certain users: Joi Ito, for example, was put in “Orkut jail,” a form of post-hoc check, because he had acquired too many new friends too quickly.

Identity systems and biometrics

Passport, Liberty Alliance, and public-key infrastructure solutions are all potential solutions to this (except, of course, for the fact that Passport uses CAPTCHA). So are biometrics, which are going to be built into the Longhorn version of Windows. But single sign-on systems have privacy issues, PKI has the problem that a solution based on it doesn’t exist, and biometrics are going to require hardware to be supported. We expect that the true solution to all of these levels of access will ultimately be found here.

In conclusion, think about what you’re trying to do. As you can tell, there is no easy solution, including CAPTCHA. You may get a quick reprieve from the hackers by implementing CAPTCHA, but that will certainly go away after a while. And in the meantime, you’re going to piss off a whole lot of users. So stop it, please. We need to move beyond the security model of the Club car lock, in which its presence on a steering wheel simply means that it’s not as easy to steal as the next car, which doesn’t have one. Eventually, the thieves realize that they can cut into your steering wheel, and then, you’re back where you started.

5 responses to “Matt Presents: Escape from CAPTCHA”

  1. Secret Tags – An alternative to Captchas?
    Captchas are quite useful to identify real users and bots. While a real user is likely to be able to read and understand the captcha and enter to correct characters into a form field, a bot cannot — at least…

  2. […] Matt May provided a great article on why you shouldn’t use CAPTCHA in 2004. I won’t repeat that, but the most relevant issues for me are that: […]

  3. […] It wasn’t really a huge hole, but I had raised Akismet and other WordPress pluggins as an alternative to CAPTCHA. The point still stands that CAPTCHA is bad and Google could find/create a better way, however, comment spam and sign-ups aren’t the same thing. […]

  4. […] I was aware that people are looking into ways to attack CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) I was not […]

Powered by WordPress (RSS 2.0, Atom)