CAPTCHA is Dead, Long Live CAPTCHA!

In November 2007 I called these three CAPTCHA implementations "unbreakable":

This is a companion discussion topic for the original blog entry at:

Well. CAPTCHA are often not understandable for old people.
And since they are generated with computers, it seems possible that a way to reverse it with a computer exists.

I really prefer clever and hand made captha :
“What is the first name of Jeff Johnson ?”
"What is the year of the end of 2nd world war(1939-1945) ?"
And so on … If you create hand-made silly question, then all the spammers will be defintively blocked. There is no software which is able to understand a question.

Somewhere I’ve read that using hidden inputs as bot traps can be effective. If something was entered into the hidden fields, it must be a bot. The bot isnt going to render the page to determine if a textbox is hidden. You’d probably have to constantly randomize the field names on high profile sites though

What about language barriers?

Also your site uses CAPTCHA! :slight_smile:

what about using some CJK charactors?
there are ten thousands of charactors.
perhaps, it need longer time to break.

of course, a human must be a chinese, japanese, or korean.

On .Net Rocks, I heard them talking about “invisible Capta”, which was something to the effect of your trivia questions. The whole thing had to do with having an invisible Div with a small math problem that would only be answered by Javascript enabled browsers, which would root out all bots, or something to that effect.

Another solution : stop using these damn registration pages and use OpenID. Of course there will be openid spam server but it’s easier to control and ban them.

When will we actually hit the spammers where it hurts ? And by hitting, I mean prosecution. Yes they are in various countries that do not necessarily care, but maybe, just maybe, we can make them care ? I would think the WTO is for that kind of things…

And it is even Web 2.0 enabeled… Isnt that great?

Here is the link :

a href=""

I think Bots will have a hard time breaking that one


And here is the link to the article where I found it… I know its “old” but i found it quite interesting…

The text on the Google CAPTCHA breaking page suggests that they pay humans to solve the CAPTCHAs. I’m not sure if this is true or not.


If you are unable to recognize a picture or she is not loaded (picture appears black, empty picture), just press Enter.

In no case do not enter random characters!

If there is delay in downloading images, exit from your account, refresh the page and go again.

The system tested in browsers:
Internet Explorer
Mozilla Firefox

Before each payment deemed by pictures checked Admin. We pay only correctly recognized pictures!

So what if the CAPTCHA turns into an intelligence test? Let’s not have dumb people make comments either :slight_smile:

Oh, damn. I can’t spell “orange.”

My Freakonomics thing tells me “CipherTrust has analyzed the effectiveness of various kinds of spam. It turns out that pornography is far and away the most effective spam, with a click-through rate of 5.6 percent. The next-best click-through rate is pharmaceuticals, at 0.02 percent.”

The only way to solve spam forever is to stop people opening spam messages.

Best dumb-butted responses so far:

Pay $1 for all the (stupid) websites that ask for your info.

  • The reason I give fake email addresses is because I don’t want spam, and I don’t want dodgy website having my credit card neither. Gee let me pay to comment on forums? I’m already annoyed that I have to sign up in the first place.

Give up your identity, SSN, credit card, etc

  • Why should you really know who I am? Spammers will still have fake ID’s, while honest people pay the price.
  • Do I trust you with that information. Do I trust your security and data retention policies?

Limit the number of emails for new accounts.

  • Sure, but for how long. Spammers will then create accounts, have their fake accounts send a few ‘real’ messages, and after a period of time resume full-time spamming. All you did is introduce a temporary delay.

All internet advertising must be PAID advertising

  • I’m sure someone paid the spammer, so ipso facto stupido. Do you think spammers are doing it gratis?

Universal ID

  • Who manages this, and can you be sure that their captcha works? You’re just pushing the problem up a level, and making one large target instead of many small targets.
  • Conventiently you also get universal tracking of habits and selling my information to … spammers. Thanks! Where’s my tinfoil hat?

Charge people per email:

  • Great idea. Maybe I already do pay you retard. I pay for hosting. I pay for internet service. I pay for bandwidth.

PS Banks don’t use captcha. They have secure offline processes in place to set up your internet banking so that even their employees can’t fake the system out. Multi-level authentication isn’t captcha.

I read the Websense report on Google’s CAPTCHA last week. I was under the impression that it wasn’t broken in the sense that machines were solving the CAPTCHAs automatically (via machine vision or whatever), but by duping humans to solve them (unknowingly, on a different site) in order to make money or get access to free porn (

As I understand it, the hard part about breaking Google’s CAPTCHA was the bot getting the image to human eyes, and getting a response back to Google before the process timed out.

If this is the case, changing the CAPTCHA from a reading test to an intelligence test probably won’t make much difference. The hard part is surely making the authentication process robust against this kind of attack?

Asirra has no chance to success
Users are usually dumb with the willing to be even more dumber.
If You start to forcing them to use brain they will rather search for ‘X’ button insteed of on the photos of cats…

However ASCII art is available on Drupal CMS and i’ve started to using it some time ago.
Seems to be fine for now.


Another good thing is to use javascript along with captcha, even simply onmouseover effect above the captcha image (like : display captcha image when moise is above ‘fake’ captcha image)
Bots usually don’t do that
or use splitted captcha images with different z-index, animated gif’s (or just backgrounds)

Just use your imagination

Well, as you say: “perhaps proliferation and evolution of many different CAPTCHA techniques is the most effective prevention”.

However, many of these CAPTCHA alternatives you mention are broken much easier than your average “type the characters from the picture” CAPTCHA. So, how about just sticking with the image CAPTCHAs, but using much more randomness in your rendering - i.e. there’s no need to distort the picture heavily, you just need to have a bunch of different not-so-distorted, easily readable CAPTCHA variants?

If you have a bunch of different algorithms (each requiring a different cracking approach), and switch them randomly (requiring the bot to be able to distinguish between them), bots will not get far.

Of course, coming up with continuous variations in your CAPTCHA rendering can be a part-time job on it’s own, but is only necessary if you’re a high-profile target - for most websites in existence, changing a broken CAPTCHA algorithm for a different one is going to be enough to solve your problems for a long while… Unless you have a cracker who’s REALLY keen on spamming your site and your site only, enough to change his cracking approach every time you change the protection, even if it will never pay off (and as we know, most spammers are in it for money).

Let’s face it: if you’re Google, or Microsoft, or Yahoo - any of those “alternative” methods will be broken much faster than a new CAPTCHA rendering algorithm. Something to think about…

I was under the impression that it wasn’t broken in the sense that machines were solving the CAPTCHAs automatically (via machine vision or whatever), but by duping humans to solve them (unknowingly, on a different site) in order to make money or get access to free porn

If that’s the case, then Google’s CAPTCHA generation algorithm isn’t broken after all. These human farms would work against ANY turing test.

Does anyone know for sure?

That is excellent food for thought. Distinguish a type of animal, bloody brilliant! At least then the captcha would be fun!

As with all anti-abuse measures, CAPTCHAs have to evolve to keep up; this is the nature of adversarial systems like anti-spam and anti-virus. They’ll be broken eventually, by a sufficiently-determined attacker.


‘Of course there will be openid spam server but it’s easier to control and ban them.’

Great hand-waving assertion there, acemtp :wink: Same way it’s easier to control and ban mail servers originating spam in SMTP-land?