The article "Outsmarted: Captcha security not much of a gotcha" reports that a team of Stanford University researchers has bad news about Captchas, those often unreadable, always annoying distorted letters that you are required to type in at many a Web site to prove that you are really a human. Captchas are often used to defend against malicious bots, including botnet operators who try to automatically create accounts on Web e-mail services in order to send spam.
Many Captchas don't work well at all. More precisely, the researchers built a standard way to decode the irksome letters and numbers found in the Captchas of many major Web sites. Fortunately for normal users and the owners of those Web sites, the researchers have no plans to release their Decaptcha tool. This gives Captcha users some time to fix their systems before the "bad guys" work out their own decaptcha program (trust me, it will happen sooner or later).
The major problem, according to the researchers, is that most Captchas are designed without proper security testing and without usability testing, and they are fundamentally unable to fully guarantee application security. Captchas were always doomed to degrade over time, so they need to evolve. Even though there are considerable problems, Captchas are still useful for protecting against certain threats.
Google's slanted-red-letters Captcha (used in Gmail) and the fuzzy-lettered ReCaptcha were found to be fairly secure against the attacks; everything else tested was much less secure. The free ReCaptcha is used by what Google estimates to be over 100,000 Web sites, including Twitter, Facebook, Craigslist, Ticketmaster, and Microsoft. If you are looking for a Captcha solution, try the fuzzy-lettered ReCaptcha and don't try to make your own, weaker solution. For more details, read the paper "The Robustness of Google CAPTCHAs".