
CAPTCHA

Becky Stern on Flickr

If you are cynical, you might think Captchas are a useless technology designed to torment the innocent to protect the guilty. The guilty would be evil people who hack websites, create fake accounts, and wreak havoc online.

Here’s a fun offbeat Captcha that tries not to frustrate you with distorted letters and numbers. Do you think it would be hard for software to figure out this puzzle?

An Offbeat Captcha

What Exactly is a Captcha?

Captcha is an acronym for Completely Automated Public Turing Test To Tell Computers and Humans Apart. Seriously. It’s designed to protect websites from malicious software. The term was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford at Carnegie Mellon University. They used the term to describe any method designed to thwart malicious software bots which create fake website accounts, send spam, and take other harmful actions.

It turns out Captchas are one example of artificial intelligence. They are a form of the Turing test which, in theory, tries to tell the difference between a human and software. In fact, in writing this article, I found Turing tests so interesting I wrote an article about them for this issue.

But back to Captchas.

They pose tests only humans can understand. The most common test is spelling random combinations of letters, characters, and numbers which are often twisted almost to the point of being unreadable. The audio versions also include background noise with a distorted voice.

There are more complicated and odd versions, too. The example above asks you to drag and drop one image onto another, for example, to put an image of three tomatoes into a blender to make tomato soup. While silly, it is probably more of a challenge for a computer: the computer would have to translate the task, then identify each image, then reason about which image goes where onscreen based on the task.

Other Captchas ask you to add numbers or type the answer to a question.

How are Captchas implemented? It turns out a number of companies and individuals offer solutions anyone can buy or add to their site. Perhaps the most common is Google’s reCaptcha, which is free and comes with code samples. I found it easy to add reCaptcha to a client’s site written in the PHP language, for example. You don’t have to be an advanced coder, which is the point.

Do Captchas Work?

Captchas work because, for the most part, they reduce bad behavior online. It’s harder to write software to order hundreds or thousands of tickets to an event, for example, which you then sell at a higher price. Anyone who has watched an event sell out in minutes can relate. In terms of security, Captchas also prevent the creation of bogus accounts at Gmail and other online email services which are then used to send spam. Put another way, they are better than nothing.

Do Captchas really work? I could not find reports on how well or poorly they work. I did find an interesting article that describes how its authors hacked a state-of-the-art video Captcha offered by NuCaptcha, a company that charges a lot of money and puts a lot of thought into their service. For example, they use techniques to determine your trustworthiness (presumably third-party cookies used by advertisers, among other methods) and, therefore, how complicated a Captcha to present to you. The article describes in gory detail how a machine could pull apart a well-designed Captcha and decipher it.

So it would appear, in many cases, Captchas exist to torment the innocent while making the lives of the guilty only slightly more difficult.

Are There Better Alternatives?

There are more interesting alternatives to Captchas. For example, Google offers a free phone app which generates a random number every minute. The number is unique based on your phone hardware and other details. Websites use code to interact with Google servers to validate the number you enter based on the random number the phone app generates. This type of solution is called two-factor authentication or two-step authentication. And, like reCaptcha, it is free.

But Google isn’t the only source for two-factor authentication. It would be interesting if there was a standard for two-factor authentication which would work with all applications regardless of which phone application you use. People have taken a version of Google’s work to create an open source project.

Would We Miss Captchas?

Sadly, trading Captchas for two-factor authentication would eliminate a great source of humor. I found a Yahoo! Answers post where someone asked:

Okay! I’m trying to sign up for a fansite for Earthbound/Mother fans called Starmen.Net. I try to register, put in my username and password, and it says “Captcha failed” in a red box at the top! What does that mean? Does it mean that username/password is taken?

One nice person answered:

There should be another box to authenticate that you’re not a robot and are human….the box should contain a series of letters or numbers….and if they’re not entered into the Captcha…then you will get that fail warning every time…..

And one comedian answered:

It means that your application was rejected. They don’t want you.

Another website offers code you can put on your site which generates characters and numbers impossible for anyone, human or computer, to type. It’s a wonderful if frustrating prank.

And there’s this comic from xkcd:

Good Question: Can Software Bots Lie?

If Captchas go away, so will a rich source of online humor. Auto-generated numbers and two-factor authentication are not remotely funny.

Learn More

Captcha

http://www.captcha.net/
http://en.wikipedia.org/wiki/Captcha
http://computer.howstuffworks.com/captcha.htm

Time to Kill Off Captchas

http://www.scientificamerican.com/article/time-to-kill-off-captchas/

Google reCaptcha

http://www.google.com/recaptcha

NuCaptcha

http://www.nucaptcha.com/demo
http://www.elie.net/blog/security/how-we-broke-the-nucaptcha-video-scheme-and-what-we-propose-to-fix-it

SweetCaptcha

http://sweetcaptcha.com/

Google Authenticator

http://code.google.com/p/google-authenticator/
http://en.wikipedia.org/wiki/Google_Authenticator

Open Source Google Authenticator Projects

https://github.com/kaie/otp-authenticator-android
https://fedorahosted.org/freeotp/

xkcd: A New Captcha Approach

https://xkcd.com/233/