
Captchas broken by Stanford Researchers


nsane.forums


A Stanford research group has shown that Captchas aren't really that great at differentiating between human and computer. However, many websites aren't very worried.


Are you sure you're not a robot?

Captchas, those fun little letter-guessing mini-games that have become ubiquitous throughout the anti-robot web, are not as robot-proof as you might think. A team of Stanford researchers created a tool called DeCaptcha that uses algorithms to reconstruct the letters and numbers in a Captcha into a computer-readable form. While ranges of success vary from implementation to implementation (25% for Wikipedia, 70% for Visa), Elie Bursztein, a researcher on the team, claims that if even 1% of the Captchas are breakable, the whole system needs to be thrown out.

According to Bursztein, Captchas (which stands for "Completely Automated Public Turing Test to tell Computers and Humans Apart") aren't nearly as secure as the computing public thinks they are. "Most Captchas are designed without proper testing and no usability testing. We hope our work will push people to be more rigorous in their approach in Captcha design."

Blizzard, when approached on the subject, countered that Captchas were never meant to be the ultimate security tool against bots. While the vulnerabilities exposed by the Stanford team are serious and will hopefully be investigated in due course, there is no one security barrier that will protect from every threat. Captchas, along with complex password rules, email verification and a slurry of other known and unknown security processes running in the background, create a flexible and layered security system that is able to mitigate as many threats as possible. Captcha is only one tool in many websites' security arsenals, so don't stop using Visa or Blizzard because Captcha isn't perfect.


I just hope any changes don't make it even harder to decipher them. It's terrible that bots can crack it, but I only have about a 70% chance of reading them on the first shot, and sometimes have to reload over 5 times before I can make out the correct code. They need to design a better system, not make the letters/numbers more obscure. I know other options exist out there currently, so hopefully they go with something that isn't human-proof as well as bot-proof.



  • Administrator

I fully agree, some of those captchas are almost impossible to read.

I'm looking forward to seeing the progress of KeyCaptcha - it's pretty unique and kinda cool. (It's been around for a bit of time now, but doesn't seem to have much of an impact.)



I think it is time for "drag-and-drop" captcha to replace the old captcha, like the one being used on the safelinking website.



I also find some of them very hard to read but interestingly I find that my "reading" is almost always accepted even when I am really just guessing.



I've been a few letters off and it's still let me through. The problem with security measures is the companies have to protect the user/consumer from themselves, and most of the time they aren't too bright, so getting through the security has to be easy as well. Easy and secure don't usually mix.



I hate those damn things. I seek out sites that don't employ captchas, such as MediaFire. Sometimes I don't even bother downloading the file if I have to type in the captcha.



I think the best way to counter bots signing up is to ask a question which is specific to your site (for instance for nsane.forums: "What is the first word of our site slogan? (Hint: it's in the header/logo right below nsane.forums.)" any non-bot should be able to answer that and no bot would be able to answer that.).

Then there's still the problem of having actual people signing up but having bots do the posting, I don't think there's any way to fix that (other than IP ban lists, but those aren't 100% either).



How about a mix of shapes and captchas combined? Like "What animal, what color, and what word do you see?"

Stuff that really has to be analysed by our brain... "Where are you when you see this?" and show a speed limit sign... Show that same sign in multiple weather conditions and ask about the road conditions, etc...



Archived

This topic is now archived and is closed to further replies.
