Published on Computerworld Blogs (http://blogs.computerworld.com)

Can CAPTCHA be saved?

By Steven J. Vaughan-Nichols
Created Apr 23 2008 - 4:08pm

You may not know the term "CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)," but you've used it.

You may not, however, be using it for much longer. Every time you've had to puzzle out the letters and numbers from a distorted, scrambled jumble before you can sign up for a new Web services account, such as Live Hotmail, Yahoo Mail, and Gmail, or post a story on online discussion systems like Digg [1], you've used CAPTCHA.

It's meant to make sure that you're a real person and not a bot seeking to spread malware and spam. For a while CAPTCHA worked. If you're like me, you found it annoying, because there were times when you couldn't tell the difference between 's' and 'S' either. Still, even though it was, and is, a pain, I was willing to put up with it since it actually did help block spammers.

The key word above is 'did.' In late 2007, hackers started getting some success against CAPTCHA schemes. By January 2008, Yahoo Mail was cracked [2]; Hotmail was crunched [3] in early April; and Gmail was cut open [4] in April.

None of the CAPTCHA-cracking programs really seems to be that good. But, then, they don't have to be. Web security firm Websense's [5] resident CAPTCHA expert Sumeet Prasad explained in a blog posting [6] that while only 10% to 15% of attempts on Hotmail succeed, a CAPTCHA-cracking system needs only six seconds per attempt.

I think we can safely presume that there are CAPTCHA crackers for the other major free e-mail systems with about the same level of efficiency. Since no ISP or spam-blocking service in its right mind is about to try to blacklist Gmail, Hotmail or Yahoo e-mail accounts, it looks to me like CAPTCHA will soon be in the security junkyard of obsolete technology.

Or, maybe not.

Developers at Penn State have applied for a patent on a novel kind of CAPTCHA that they're calling IMAGINATION. It, in turn, is based on ALIPR (Automatic Linguistic Indexing of Pictures [7]). This is an image-based system. In it, you're first required to pick out the geometric center of a distorted image from a page that's filled with similar overlapping pictures. Then, if you get that right, you're presented with another carefully distorted image and asked to pick a word to describe what you're seeing.

Frankly, when I first read about the idea, I wasn't impressed. Then I tried it. Now, I am impressed. You can give it a try too at their sample ALIPR page [8].

It's a radical retake on the CAPTCHA idea. The core idea, as the developers explain on their site, is that the "IMAGINATION System … requires solving a harder AI problem, that of image recognition, in order to break. Therefore, in principle, the system is more secure than text-based CAPTCHAs, with image recognition being a harder problem, and the 'space' of images being much larger." In other words, as they explain on the results page once you've passed the test, "If you think a robot can also pass our test, give it a try and we'd love to know how far your robot can get."

That's mighty darn confident of them to throw down a challenge that way, but they have reason to feel sure about this system. I don't see the IMAGINATION CAPTCHA system being broken for at least a couple of years.

For now, my only worry about this system prolonging CAPTCHA's usefulness for security isn't whether today's hackers can break it (I doubt they can) but how people with color-blindness will do with it.

If color-blindness isn't a problem, I think IMAGINATION has the potential to become the new online security system of choice. And that's a good thing, because the old-line CAPTCHA still being used today is useless and needs to be retired as soon as possible.


Source URL:
http://blogs.computerworld.com/can_captcha_be_saved