06.02.2008
I can’t stand CAPTCHAs. It’s not that they are unsightly, clumsy, or resource hogs (all true at times). The main reason I don’t like them is that they are really poor at their intended purpose: thwarting automated processes.
ZDNet does a great job of summarizing just how ineffective the Microsoft CAPTCHA effort is, recapping a recently published research paper entitled “A Low-cost Attack on a Microsoft CAPTCHA”. The paper’s own summary, as quoted by ZDNet:
In this paper, we analyze the security of a text-based CAPTCHA designed by Microsoft and deployed for years at many of their online services including Hotmail, MSN and Windows Live. This scheme was designed to be segmentation-resistant, and it has been well studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took ~80 ms for our attack to completely segment a challenge on a desktop computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft scheme can be broken with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, its design goal was that “automatic scripts should not be more successful than 1 in 10,000” attempts (i.e. a success rate of 0.01%). For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks. Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust.
An end-to-end break rate above 60% (with the segmentation step alone succeeding more than 90% of the time) against a design target of 0.01% is downright bleak, and unfortunately it is representative of how easily CAPTCHAs on other platforms fall as well.
While I am sure text-based CAPTCHAs will eventually be phased out, the battle over what replaces them should be interesting.
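To make the “segmentation and then recognition” pipeline and its arithmetic concrete, here is an added illustration. It is not code from this post or from the paper it cites, and it does not reproduce the paper’s actual attack: it applies two textbook segmentation heuristics (blank-column gaps and connected components) to a constructed 24x5 bitmap in which two glyphs are deliberately crowded together, and then shows why a 90% segmentation rate turns into a roughly 60% overall rate once per-character recognition errors compound. The 8-character challenge length and the 95% per-character recognition rate are assumptions chosen for the example.

```python
"""Added example: toy CAPTCHA segmentation heuristics plus the
success-rate arithmetic of a segment-then-recognise attack.
Not the cited paper's method; constructed data throughout."""

from typing import List, Tuple

# Constructed 24x5 binary challenge: '#' is ink, '.' is background.
# Glyphs 1, 2 and 4 are isolated; glyph 3 (columns 11-16) is two
# characters drawn touching, which is what a "segmentation-resistant"
# design relies on to defeat naive splitting.
CHALLENGE: List[str] = [
    "........................",
    ".##...##...######...##..",
    ".##...##...##..##...##..",
    ".##...##...######...##..",
    "........................",
]


def ink_columns(bitmap: List[str]) -> List[bool]:
    """Vertical projection: True for every column that contains any ink."""
    width = len(bitmap[0])
    return [any(row[x] == "#" for row in bitmap) for x in range(width)]


def segment_by_gaps(bitmap: List[str]) -> List[Tuple[int, int]]:
    """Heuristic 1: cut the challenge at blank columns.

    Returns inclusive (first_col, last_col) ranges. Crowded glyphs
    come out as one oversized segment, which is the failure mode
    segmentation-resistant schemes aim for.
    """
    cols = ink_columns(bitmap)
    segments: List[Tuple[int, int]] = []
    start = None
    for x, inked in enumerate(cols):
        if inked and start is None:
            start = x
        elif not inked and start is not None:
            segments.append((start, x - 1))
            start = None
    if start is not None:
        segments.append((start, len(cols) - 1))
    return segments


def connected_components(bitmap: List[str]) -> int:
    """Heuristic 2: count 8-connected blobs of ink with an explicit-stack
    flood fill. Touching glyphs merge into a single blob here as well."""
    h, w = len(bitmap), len(bitmap[0])
    seen = [[False] * w for _ in range(h)]
    count = 0
    for y in range(h):
        for x in range(w):
            if bitmap[y][x] != "#" or seen[y][x]:
                continue
            count += 1
            seen[y][x] = True
            stack = [(y, x)]
            while stack:
                cy, cx = stack.pop()
                for dy in (-1, 0, 1):
                    for dx in (-1, 0, 1):
                        ny, nx = cy + dy, cx + dx
                        if (0 <= ny < h and 0 <= nx < w
                                and not seen[ny][nx] and bitmap[ny][nx] == "#"):
                            seen[ny][nx] = True
                            stack.append((ny, nx))
    return count


def overall_success(seg_rate: float, char_rate: float, n_chars: int) -> float:
    """Segment-then-recognise succeeds only if segmentation succeeds AND
    every one of the n characters is recognised (independence assumed)."""
    return seg_rate * char_rate ** n_chars


def implied_char_rate(overall: float, seg_rate: float, n_chars: int) -> float:
    """Invert overall_success: the per-character recognition rate that
    a given segmentation rate and overall rate together imply."""
    return (overall / seg_rate) ** (1.0 / n_chars)


if __name__ == "__main__":
    print("gap segments:", segment_by_gaps(CHALLENGE))   # third one is 6 wide
    print("connected blobs:", connected_components(CHALLENGE))
    # Assumed 8-character challenge, 90% segmentation, 95% per-character OCR.
    rate = overall_success(0.90, 0.95, 8)
    print(f"overall success ~{rate:.3f} vs design target 0.0001")
    print(f"implied per-char rate for 60% overall: {implied_char_rate(0.60, 0.90, 8):.3f}")
```

Both heuristics report four pieces for a five-glyph challenge, so a recogniser fed the oversized third segment would fail on that challenge; the arithmetic then shows that once segmentation succeeds, even a modest per-character recognition rate leaves the attacker thousands of times above the scheme’s 1-in-10,000 target.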