Blog‎ > ‎

Websites beware, it's so easy to catch out CAPTCHA

posted 19 Oct 2011, 15:54 by Jamie Condliffe

Ironic, isn't it. Those distorted words that websites have you type to prove you aren't a machine are in fact easy for software to decode, mainly because words are chosen with little insight into how secure they are.

"Many websites use CAPTCHAs, and there are a lot of designs floating around," explains Elie Bursztein from the Stanford Security Lab in California. These mimic the original puzzles developed by Luis von Ahn and colleagues at Carnegie Mellon University in Pittsburgh, Pennsylvania.

Bursztein and colleagues decided to investigate how the different methods fared across as many sites as possible to work out how to make them more effective.

The team's software, aptly named Decaptcha, works in stages. First it removes lines through letters, then it isolates each of the warped letters. Each character is processed to make it more legible, and software reads the letters and assembles them into the original word.

The team tested their software on 15 sites, including Google, eBay and Wikipedia. Schemes are usually deemed secure if they can be broken less than 0.01 per cent of the time. Bursztein easily cracked many of the CAPTCHAs he studied, breaking the likes of eBay 37 per cent of the time and Wikipedia 25 per cent of the time. The only sites to resist attack were Google, and sites using Google's more recent iteration, reCAPTCHA. The team presented their work this week at the Conference on Computer and Communications Security in Chicago.