Captivated by CAPTCHAs
CAPTCHAs - you love to hate them. Those pesky little images with quirky letters that you usually have to try two or three times before you can actually prove that you are a human and not a script trying to act as one. Apart from the embarrassment of having your human status questioned, it is also a time drain for no apparent reason to you as a user.
It should be obvious why automated scripts are a problem to us web developers, though. We love it when humans use and like our services. We loathe it when bots and scripts use up the resources we allotted for humans (unless there is a human user benefiting on the other side of the chain, as with a mash-up). Yes, guilty as charged - we discriminate against machines.
What are the alternatives to the dreaded letter/number captcha, then? Well, Microsoft has designed a cute captcha task where you have to tell cats from dogs. But even though it takes away some of the embarrassment and actually introduces some fun (animals on the internet are always funny), it still serves as a time drain.
And it is still subject to being busted open by the most flexible and foolproof way to crack a captcha:
The Internet has plenty of Mechanical Turk communities (like Amazon's) where you can pay really small bucks to get menial HITs (Human Intelligence Tasks) carried out. Another approach is to simply use a web site with high traffic (most likely adult in nature) or a piece of malware (like last year's "Melissa") to which you can relay the captcha you want to crack: an unwitting human solves it for you and you get the response within seconds. The lesson? You can always count on people's sex drive or greed to break any boundary.
What to use instead of captchas, then? I personally believe that the best we have right now is a mix of techniques (preferably ones that don't discomfort or put the burden on the user), such as behavior-based heuristics (checking for common bot behavior) or IP-based timeouts (although done wrong, they might cause a lot of trouble for the users). And if you can ask for something other than human status, like which social sphere the user belongs to, then you are much better off. But if anyone has any bright ideas about how to disrupt the mechanical turkers, I'm all ears!
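To make the "mix of techniques" concrete, here is an added example (not code from the original post) of a layered form check: a CSS-hidden honeypot field that humans never see, a minimum time between rendering the form and submitting it, and a per-IP sliding-window rate limit. The field name, the thresholds and the scoring policy are assumptions for illustration. The design point is the caveat from the paragraph above: the IP signal on its own only ever triggers a challenge, never a hard reject, because NAT and proxies put many real users behind one address.

```python
"""Layered bot check for a web form: honeypot field, time-to-submit and a
per-IP sliding-window rate limit. Added example; the field name, thresholds
and the scoring policy below are assumptions, not a reference design."""
from collections import deque

HONEYPOT_FIELD = "website"    # assumed name of a CSS-hidden field humans never see
MIN_FILL_SECONDS = 2.0        # assumed: nobody fills a real form faster than this


class SlidingWindowLimiter:
    """Counts submissions per IP inside a trailing time window."""

    def __init__(self, max_hits, window_seconds):
        self.max_hits = max_hits
        self.window = window_seconds
        self._hits = {}  # ip -> deque of submission timestamps

    def record(self, ip, now):
        """Record one submission; return True if the IP is still under its limit."""
        q = self._hits.setdefault(ip, deque())
        while q and now - q[0] > self.window:   # forget hits outside the window
            q.popleft()
        q.append(now)
        return len(q) <= self.max_hits


def score_submission(form, ip, rendered_at, submitted_at, limiter):
    """Return (verdict, reasons) for one form POST.

    verdict is 'accept', 'challenge' (serve a captcha or a retry delay) or
    'reject'. A filled honeypot rejects on its own; timing and IP signals
    reject only in combination, and the IP limit alone yields 'challenge',
    because many users share one address behind NAT or a proxy. Rejecting on
    the IP outright is the "done wrong" timeout that locks real users out.
    """
    reasons = []
    if form.get(HONEYPOT_FIELD):
        reasons.append("honeypot field filled")
    elapsed = submitted_at - rendered_at        # render time travels in a signed form token
    if elapsed < MIN_FILL_SECONDS:
        reasons.append(f"submitted {elapsed:.1f}s after render")
    if not limiter.record(ip, submitted_at):
        reasons.append("ip over rate limit")

    if "honeypot field filled" in reasons or len(reasons) >= 2:
        return "reject", reasons
    if reasons:
        return "challenge", reasons
    return "accept", reasons


def demo():
    """Constructed sample traffic (not real data): one human, one scripted
    poster, then four plausible posts from a single shared address."""
    limiter = SlidingWindowLimiter(max_hits=3, window_seconds=60)
    results = []
    human = {"name": "Ann", "message": "Love the site"}
    results.append(score_submission(human, "203.0.113.5", 1000.0, 1012.4, limiter))
    bot = {"name": "x", "message": "buy now", "website": "http://spam.example"}
    results.append(score_submission(bot, "198.51.100.9", 2000.0, 2000.2, limiter))
    for i in range(4):  # same IP, human-like timing; the fourth exceeds the limit
        results.append(score_submission(human, "192.0.2.7", 3000.0 + i, 3010.0 + i, limiter))
    return results


if __name__ == "__main__":
    for verdict, reasons in demo():
        print(verdict, reasons)
```

In a real deployment the `rendered_at` timestamp must come from a signed or server-side form token, otherwise a script simply back-dates it; and the per-IP store should live in something shared (a cache or the database) rather than process memory once there is more than one web server.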