Has CAPTCHA Been "Broken"?

A recent Wall Street Journal article describes Ticketmaster's problems with online scalpers:

This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2007/11/has-captcha-been-broken.html

Here’s an alternative type of captcha, pretty much impossible for a program to defeat. Seems to work great for the women, not so well for the men: http://www.hotcaptcha.com/

This example of bad CAPTCHAs is unfortunately just one of many examples in which programmers just invent their own amateur algorithm based on nothing more than their gut feeling and pray for the best…

It shows that software engineering really isn’t engineering at all in many cases.

p.s. Is your own “orange” CAPTCHA a joke or what?

I’m a computer graphics programmer (with a number of publications to my name) and if you paid me a couple grand, I could write software to decode Google’s captchas. It would take no more than a couple weeks.

I often see glib claims like this, and I’ll say the same thing to you that I mentally say to all of them: SHOW ME. Heck, if it’s so easy, why don’t you show the entire class?

I’ll tell you what’s easy: making ridiculous claims in a comment box on a web page.

scalpers are evil, profiteering bastards, to be sure.

No. Ticketmaster are evil monopolists. As for selling tickets for higher than some artificial price printed on the paper, that’s just something the venues and Ticketmaster wish they could figure out how to get involved in. Why not have a concert and auction off all the tickets? Have no “face value” on any ticket, and just let the market decide how much they are worth. Don’t you believe in capitalism?

It’s no surprise Yahoo captchas are unbreakable: In most cases, they are just plain unreadable even to my human eye.

Yahoo has implemented them lately to access games.yahoo.com and I must say it’s a real frustration when you enter the games site. OK, we no longer have porn ads in the rooms’ common chat boxes but frankly the price to pay is expensive to me.

As you wrote, Google just proves that unbreakable doesn’t have to be a synonym of unreadable!

The difficulty is the use of NON-LINEAR transforms. Not any of the baloney you suggest.

Linear Transforms are easily reversed even if they are destructive. Non-linear transforms require non-linear methods which are more difficult to implement.

Essentially you need at least an undergraduate degree in stats or CS to get much success with the non-linear transforms.

Please stop suggesting stupid captchas like the cat captcha. Captcha Generation is a HARD AI PROBLEM. This means it is hard to generate new classes of captchas just as it is a HARD AI PROBLEM to solve them.


Is there a reason why the captcha on your comments section is always ORANGE? And it’s not even trying to be hard to decipher - it is using a standard font.


"it is simultaneously the most readable and the most hellishly difficult to OCR correctly"
Most attractive, too. I’d use Google’s CAPTCHAs as a desktop background. But why are Google’s so much harder to crack than Ticketmaster’s? Both seem to use warped writing. Is it the colours, the way they warp the image, or something I’m not getting?
Next up by Google: G-CAPTCHA. Actually, is it possible to copyright CAPTCHA technology?

"That’s just something the venues and Ticketmaster wish they could figure out how to get involved in."
Well, that’s blatantly not true, because it’s not like scalpers are doing anything clever. They’re just taking advantage of the time limit to distort the market.

"Don’t you believe in capitalism?"
Haven’t you heard of the Wall Street/DotCom Crash? How about Enron?
Capitalism works based on trust. Driving demand by hoarding until the last minute isn’t good for anybody but the seller. An excellent book on market economics is “The Wisdom of Crowds” by J.Surowiecki.

Jeff, mind telling us how good you think your captcha is? :)
The gothic letters don’t seem that difficult to OCR.

Good post Jeff. In fact, it is possible to break EVERY CAPTCHA that is readable. Do you know how? Hackers insert the image with the captcha from the site they want to break into some other site where there are a lot of visitors willing to receive some content for free (after passing a fake registration with the CAPTCHA from the site being hacked).

I liked the captcha I saw where you had to choose the three attractive women out of 8 shown. Of course there’s the problem with individual definitions of attractiveness, but if I had to choose between trying to decode Hotmail’s god-awful mish-mash of pixels and looking at 3 hot girls…

++Serge Wautier
I’ve had a flickr account - but after changing my user to a yahoo account (and forgetting the password) I am not able to access my flickr account any more.

It’s nice to fight the bots - but it’s dumb to fight the humans

Jeff has written about why it is a static captcha before. He was getting a lot of comment spam and after implementing this simple captcha, it eliminated 99% of the problems (most bots don’t bother to try to defeat it since they are based on spamming on a massive scale). There’s no reason to work any harder than that if it solves your problem.

Same principle applies here as in the article. A simple captcha for protecting against comment spam is enough protection for Jeff, but not nearly enough for Ticketmaster.

Jon Raynor wrote: “If these tickets are being sold online, isn’t there a credit card involved? Couldn’t you print something on the ticket that would correspond to the user’s credit card, like a bar code or something similar? That way, the card that bought the ticket would have to be presented when the ticket was presented at the box office.

Pushing someone’s card through a credit reader at the gate should take that much longer than taking the ticket.”

Hmm. So how do I…
1)…give away or sell my tickets (at face value, of course) to an event that I can’t attend, for some unforeseen reason?
2)…buy more than 1 ticket with a single credit card? Sure, this might work if EVERYONE in the group shows up at the same time and meets outside the gate. What about very large groups (schools, churches)?

Seems kind of inconvenient and anti-free market. You’re telling me that I can’t even GIVE AWAY something I purchased legally with my own hard-earned money. I guess we are used to seeing this with certain operating systems, computer applications and video games.

Vitaly: that might work in many situations, but tickets to popular concerts will sell out in minutes–there’s no time to wait for someone to come along and break a captcha for you, even if it’s just 30 seconds.

Jeff, mind telling us how good you think your captcha is? :)
The gothic letters don’t seem that difficult to OCR.

Here is a function I’ve crafted to return the correct value for the box (based on my experience reading this website).
String CodHorCAPTCHADecode() {
    return "orange";
}

In the end Ticketmaster themselves are evil and need to be investigated for the fees they add to a ticket. The last time I went to buy tickets from them their fees were more than the price of tickets. I once tried to get around this by phoning the bar directly, they informed me that I would still need to pay the fees. Some sort of evil agreement they have with Ticketmaster.

I so want Google (or Amazon) to set up a competing site…they could destroy them.