Since I started doing research on CAPTCHA security two years ago, I have relentlessly collected samples of all the different schemes I have encountered. In this blog post, I want to share with you five of the craziest, funniest, and most interesting schemes I collected.
The acronym CAPTCHA (herein referred to as captcha, for readability) stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” In essence, a captcha is a short automated test that can be passed by a human but not by a computer. It is the main defense used by web sites to prevent automated abuses such as spam. One of the things I enjoy most is looking at all the crazy ideas that people come up with to create captchas. While most of these wacky captchas are very insecure, terrible experiences for users, or both, they are nevertheless fascinating. Every time I give a talk on the subject, I share some of my favorite examples at the beginning, as it always generates a great reaction from the audience and a couple of laughs. So, I hope you, too, will enjoy looking at them.
Let’s start with the “math” captcha, found on an unknown Russian web site. I always wondered why Russians were so good at math, but with this type of captcha, I think I got my answer :) This kind of captcha is obviously terrible for humans, that is, unless you run a math site. (I wonder if a math site was ever targeted by a botnet attack—it just doesn’t seem likely.)
This geometric captcha from the Cogent website is the little brother of the math captcha—it is equally challenging for humans and equally ineffective. This captcha is completely insecure because if you answer at random, you have a 1-out-of-6 chance (15%) of being right, which is of course way too high to ensure a good level of security. To make matters worse for humans, you have only 30 seconds to answer it.
This fancy drag-and-drop captcha asks you to drag an object to the “bin” located on the right. It was developed for the phpBB captcha contest and uses jQuery. This captcha is ineffective because the test pool doesn’t have enough elements to prevent an attacker from learning all of them. Moreover, the probability of being right by guessing at random is very high (20%). This captcha takes an interesting approach by trying to make things “fun” for the user. Designing a captcha that is both fun and secure would be a huge win for web-site security.
In the “hot or not?” captcha, the user is presented with nine pictures and needs to find the three “hot” people among them. There are, of course, a male version and a female version. As you could have guessed, the captcha uses pictures from the famous site hot or not. Three interesting concepts are used in this design. First, the design addresses the issue of an attacker learning all the images by using a large pool of images that grows quickly thanks to the popularity of the hot or not site. Second, the captcha engages users by presenting them with “pleasant” or “interesting” pictures. Finally, the “meet me” button helps monetize the website. Despite its appearances, this captcha is probably not very secure because all you have to do is pick the blonde girls and the ones showing the most skin.
The trend toward monetizing captchas is very interesting and worthy of its own post—look for that post in the coming weeks.
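The guess-rate and pool-size reasoning applied to the drag-and-drop and “hot or not?” schemes above can be checked numerically. This is an added Python example, not part of the original post; the function names are hypothetical, and it assumes five equally likely drop targets (matching the 20% figure), an exact 3-of-9 selection, and constructed pool sizes.

```python
from math import comb

def guess_pass_rate(n_options: int, n_correct: int = 1) -> float:
    """Chance that one uniformly random answer is exactly right when the
    user must pick n_correct items out of n_options."""
    return 1 / comb(n_options, n_correct)

def pass_within(rate: float, attempts: int) -> float:
    """Chance that at least one of `attempts` independent guesses passes."""
    return 1 - (1 - rate) ** attempts

def expected_pool_coverage(pool_size: int, shown: int, challenges: int) -> float:
    """Expected fraction of the test pool one client has been shown after
    `challenges` challenges, each drawing `shown` distinct items uniformly."""
    return 1 - (1 - shown / pool_size) ** challenges

def options_needed(target_rate: float, n_correct: int = 1) -> int:
    """Smallest option count whose random-guess rate is <= target_rate."""
    n = n_correct + 1
    while guess_pass_rate(n, n_correct) > target_rate:
        n += 1
    return n

if __name__ == "__main__":
    # Assumed layouts: 5 equally likely drop targets; exactly 3 of 9 pictures.
    designs = {"drag and drop (1 of 5)": (5, 1), "hot or not (3 of 9)": (9, 3)}
    for name, (n, k) in designs.items():
        rate = guess_pass_rate(n, k)
        print(f"{name}: {rate:.2%} per guess, "
              f"{pass_within(rate, 10):.1%} within 10 guesses")
    # Constructed pool sizes: a small fixed pool versus a large, growing one.
    for pool, shown in ((50, 5), (50_000, 9)):
        seen = expected_pool_coverage(pool, shown, 20)
        print(f"pool of {pool}: {seen:.1%} shown to one client after 20 challenges")
    print("pictures needed for a 3-pick guess rate <= 0.1%:", options_needed(0.001, 3))
```

The per-guess rate only covers blind guessing; it says nothing about a solver that classifies the images, which is the weakness noted for the “hot or not?” scheme.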
Last but not least, let’s look at the Asirra captcha, aka the cutest captcha ever. It is well known that people love puppies. (Yes, you do—don’t deny it :) ) To leverage this fact, Microsoft researchers teamed up with petfinder.com to create the ASIRRA (Animal Species Image Recognition for Restricting Access) scheme, which asked users to distinguish between cats and dogs, believing that it was a hard task for computers. But Philippe Golle proved them wrong a year later. Nevertheless, the cute captchas are great because they help pets find a new home, so hopefully one day a captcha scheme will be secure and will do the same.
The idea of using interesting/pleasant images as captchas offers many interesting possibilities, so Daniele Perito, several people from my lab, and I have been working on our own take on this. As soon as we have a good prototype, I will post a link so you can play with it and let me know what you think. I am sure dozens more examples of entertaining captchas are floating around the web, so if you find interesting/fun/surprising captchas, please send them my way. You can let me know via Twitter, e-mail, or comments. Thanks for reading this blog post!