For the last few years, Captcha, the Completely Automated Public Turing test to tell Computers and Humans Apart, has been one of our main lines of defense against the machines that want to impersonate us.
Recently, though, the most popular Captcha implementations have been cracked. Bots with character-recognition ability have become fairly reliable at figuring out what the distorted text says. That means they can sign up for Gmail, Yahoo, and Windows Live accounts automatically, and use those accounts for their own malicious purposes – typically to send spam.
Websense has an interesting analysis of the cracking of the Windows Live Captcha.
This has been coming for a while now. Last year I came across this page, which quotes a cracker's prices for automated decoding of various different Captchas. That catalog places Google, Yahoo, and Hotmail in the "very difficult" category – but nonetheless all three have been defeated this year.
The technology is far from dead, of course. The ReCaptcha implementation hasn't been broken to my knowledge. Image-based ones like HotCaptcha and KittenAuth haven't been widely implemented, and may have potential.
(KittenAuth itself has been manually cracked, because its source dataset was very small, and insufficiently fuzzy.)
As long as processing power, et cetera, is finite, just slowing down the bots is helpful, even if we can't block them altogether. But of course the bots will evolve, and so will the tests to stop them. There's no ideal solution. Would you rather be deluged with spam, or have to take a lengthy IQ test every time you post a comment on a blog?