IRONIC, isn鈥檛 it. Those distorted words that websites have you type to prove you aren鈥檛 a machine are in fact easy for software to decode, mainly because words are chosen with little insight into how secure they are.
鈥淢any websites use CAPTCHAs, and there are a lot of designs floating around,鈥 explains Elie Bursztein from the in California. These mimic the original puzzles developed by Luis von Ahn and colleagues at Carnegie Mellon University in Pittsburgh, Pennsylvania.
Bursztein and colleagues decided to investigate how the different methods fared across as many sites as possible to work out how to make them more effective.
Advertisement
The team鈥檚 software, aptly named Decaptcha, works in stages. First it removes lines through letters, then it isolates each of the warped letters. Each character is processed to make it more legible, and software reads the letters and assembles them into the original word.
The team tested their software on 15 sites, including Google, eBay and Wikipedia. Schemes are usually deemed secure if they can be broken less than 0.01 per cent of the time. Bursztein easily cracked many of the CAPTCHAs he studied, breaking the likes of eBay 37 per cent of the time and Wikipedia 25 per cent of the time. The only sites to resist attack were Google, and sites using Google鈥檚 more recent iteration, reCAPTCHA. The team presented their work this week at the in Chicago.
鈥淭he only sites to resist attack were Google, and sites that use its software reCAPTCHA鈥
鈥淭hese results are very useful,鈥 says of the . 鈥淭hey鈥檝e considered more or less all the text-based CATPCHA schemes in use at the moment, and they鈥檝e managed to create an approach that is both generic and robust.鈥
Perhaps more important is the warning it provides. 鈥淚 find it surprising that websites try to come up with their own CAPTCHA designs,鈥 Bursztein says. 鈥淭hey should be using something that is proven instead.鈥
For those keen to go it alone, Bursztein has some practical advice: vary word length and character size. The most reliable trick is to collapse letters together so they overlap, making it difficult for software to pick them apart. He also suggests using a limited set of characters: using more characters marginally increases security, but it makes the puzzles irritating for humans to use.
If you are concerned that these findings hamper your online safety, Bursztein suggests quite the reverse. 鈥淲e鈥檙e now working with some of the companies we attacked to help them sort out their problems,鈥 he explains.