back to article Report: Popular CAPTCHAs easily defeated

Security researchers have discovered the vast majority of text-based anti-spam tests are easily defeated. Computer scientists from Stanford University discovered 13 of 15 CAPTCHA schemes from popular websites were vulnerable to automated attacks. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans …


This topic is closed for new posts.
  1. Captain Scarlet

    Yes but

    I find the most effective ones also make it impossible for me to read, endlessly pressing refresh for new images until i get a readable one and Bam still wrong.


  2. Tsung

    Where do I get this software?

    Some CAPTCHA's are so blurred I have difficulty reading them, when they provide the audio version I have difficulty hearing the numbers/letters against the noise. I'd hate to think how anyone with serious hearing / sight issues get on.

    1. Anonymous Coward
  3. Anonymous Coward
    Anonymous Coward

    Annoying things...

    When I see a Captcha in use on a site, I distrust the security of that website. Using such an awkward system seems like a pointless sticky plaster to me. Surely it would be better to count the number of failed logins? Or check the speed of data entry?

    The worst sites I find are those who use the Captcha on every login. At least wait until I have failed with my password before insisting I type in such an awkward looking image.

    And those sites who use them at the bottom of a page full of data entry nearly always loose my trade. Nothing worse than having to fill in a WHOLE page of data again because of a mistyped captcha.

    I hope more of this research helps kill off Captchas permanently.

    1. ArmanX

      The problem is...

      ...there isn't a better solution. If you want an automated way to allow anonymous or otherwise login-free data entry, you need some way to keep the spam bots out. And there just isn't a good way to do that. Apart from reCaptcha, it seems.

      1. Nun of Thee Above

        Well, yeah, but. . .

        "The problem is... there isn't a better solution"

        Yeah, but like he said:

        "Nothing worse than having to fill in a WHOLE page of data again because of a mistyped captcha."

        How effing easy is it to create a web form that can REMEMBER what you just typed? And how effing stupid is it to abuse your customers by not doing that simple nicety? One of my pet peeves also. Sheesh!

        1. Anonymous Coward
          Anonymous Coward

          CTRL+A CTRL+C are your friends

          If your extended wibblings are so painful to reproduce, "select all" and "copy" is always a canny idea before you "enter" :-)

    2. Anonymous Coward
      Anonymous Coward


      I don't think you read any of my post did you? I was most upset about when these appear on a LOGIN page. What is the point? If you don't trust your own security, then adding a captcha isn't going to stop the hacker.

      If you are running a website without the need for a login, then put that captcha onto a separate submission page or something. There is no excuse for making me retype ALL of my data again and again because the website is badly made.

  4. Oninoshiko

    I thought the standard restponce was

    to put up a porn site, and require periodic filling in of these to get at the goods. Why pay Indians in peanuts, when I can get NEETs to do it for free?

  5. Anonymous Coward
    Anonymous Coward

    Which version of google's CAPTCHA was this?

    Anyone know?

    The one they were using when I last had to go through a Google CAPTCHA a year or two back was brutal. I failed repeatedly, then tried the audio one, and failed on that twice before getting it. I was 1 failure away from asking a friend to register the account for me! I'll bet the computers had trouble with that one - either that, or I'm not a human.

    I just went to see what they have now, and it's much more human-solvable than it was, and doesn't 'look' very hard to machine read.

  6. ScissorHands


    Any fule that uses jDownloader know that the only safe CAPTCHA is ReCAPTCHA.

  7. Pete Spicer

    This is nothing new, and to be honest nothing we didn't already know (if you're running a discussion forum, that is)

    I wonder if the report author was aware that Google now owns reCAPTCHA.

    Also, the report author is almost certainly not aware of a side issue which makes this redundant anyway: there is an entire industry forming in Asia that will for the princely sum of 1 USD proceed to solve 1000 CAPTCHAs for you. Spamming, then, needn't be quite so expensive.

    That said, it's also well known that most of the CAPTCHAs are written by people who have never tried to actually solve them themselves, and figure that text + noise + distortion = profit. Which it doesn't, especially with the power of OCR improving all the time.

  8. Laie Techie


    It is time to move past image-based CAPTCHA. image-based CAPTCHA doesn't work for blind people or those with images disabled and are increasingly easier for computers to solve.

    We need a CAPTCHA which is accessible, easy for humans, and near impossible for computers. My own site has a bank of hundreds of questions and acceptable answers. This makes sure my posters have enough intelligence to productively participate, but does discriminate somewhat against people without a strong grasp of the English language. This bank supports multiple correct answers to account for alternate spellings, writing numbers out in numerals or words, etc. You would be surprised that no bot has correctly answered the question "Is ice hot or cold?"

    Another approach would be to place a honeypot - something which looks like a CAPTCHA in the HTML code but doesn't appear when rendered by a browser. Bots would attempt to solve the CAPTCHA, but humans (not seeing the puzzle) would leave it blank. This approach will only work as long as it is in the minority or if it sometimes displays a true CAPTCHA to its visitors.

    1. Helena Handcart

      The problem is that sites like Wolfram Alpha and TrueKnowledge can answer these questions quite easily. I tried "Is ice hot or cold?" ( and got a sentence that contains the word "cold". It wouldn't take much work to extract the answer you need, especially if you allow some leeway with spelling and so on.

      1. Old Handle

        One solution to the problem Ms. Handcart pointed out, is to use trivia known to your target audience, but too inconsequential for inclusion in these general databases. For example a the forum about a game might use a question like "What color is the main character's hat?" An easy question for anyone who'd played it, or even seen the box art presumably, but it requires more context awareness than computers can muster as yet.

    2. Anonymous Coward
      Anonymous Coward


      Your 2nd solution is to put a captcha in the html but ask the browser to not display it (which would have to be a tag in the html).

      So let me see, the bot has to be good enough to try to solve the captcha but dumb enough to not check the browser hideme tag around it??

      I'd stick to your colouring in books mate

    3. Ammaross Danan

      Fail and fail again.

      First, if a website is going to be targeted (like GMail or the comments form for a WordPress page), it is first going to be viewed by the programmer to extract the basic requirements and makeup of the page. Sometimes this can be automated if your program can sniff out <form></form> tags and interpret. However, if the program isn't aware of the particular CAPTCHA method used, it can't effectively defeat it. The CAPTCHA could be cat and dog pictures for all the program knows. It, at best, would find common CAPTCHAs such as reCAPTCHA and the like, based on basic elements, such as external links or structure/naming.

      Next, your CAPTCHA is good for your corner of the internet, but if you roll it out en masse, it will fail. Automated attacks using the fore-mentioned chatter-boxes (Wolfram Alpha, et al), or even easier: brute-force collection of your questions and a few hours of simple answering for an automated catalog. Security by obscurity fixes some. It's similar to those who think their self-grown encryption is actually better than AES or the like.

  9. Liassic

    Better than humans... success rate at entering CAPTCHAs correctly is about 33%

  10. <user />

    Not shocked

    It defeated Recaptcha - I can't fucking read those things 95% of the time.

  11. Jess

    WIsh there was a browser add-on to do that

    so you can actually get past the damn things

  12. Shane8

    Defeats computers...and also humans!

    Decaptcha is better than me at solving CAPTCHA's where can i get it ?!?!

  13. Anonymous Coward
    Anonymous Coward


    Comcast pissed off. I had to do a passwordf reset and the first CAPTCHA they gave me was a German word. I hit new and they gave me some thing in Hebrew. WTF? Whats next Japenese ?

    1. ArmanX


      What, you don't know what smiley-face, smiley-face, square, airplane, 5-pointed-star, balloon means?

  14. Anonymous Coward
    Anonymous Coward

    Recaptcha doesn't work for me

    I run a forum which uses Recaptcha and I reckon I get 20-30 bot applicants every single day. I have to run second level checks against the IPs and email addresses to weed this crap down to acceptable levels and then wait a week before emailing out activation codes to the remainder. 3 levels of security for this bloody problem.

    I think the only way to stop bots is to personalize every site in some way such that an automated attack simply doesn't work. It won't stop the attacks against the big targets but it might give respite against all the small fry. How to personalize every site? I'd suggest that forum software should implement a simple challenge / response language that allows someone to pose a question, perhaps relevant to the forum and reject answers which are incorrect. e.g. you sign up for an evolution forum and the question might be "Replace the hyphens to complete the name" - "Charles D--win". And so on.

    1. ArmanX

      Way too easy.

      A quick google shows that about the 5th answer in the list is the correct answer, and it's the first one with the right number of letters. reCAPTCHA actually has it right - it starts with something that computers can't read. Not perfect, but then, computers can read more things than people, these days...

      1. Notas Badoff

        You meant the Google autosuggest?

        That is, typing in "Charles D" and currently "Charles Darwin" is the first suggestion. But entering "Charles Dnnwin" gets you "Did you mean Charles Darwin?" and the first link is to the WP article for Charles Darwin.

        For that matter, for "Is ice hot or cold" the first link is to the answer at : "Cold.duh."

        I'm afraid knowledge-based tests are passé, we have Google to substitute for brains.

    2. Ben 42

      I had the same experience with reCAPTCHA. When I investigated, I found discussions that suggested reCAPTCHA had been broken with a pretty solid success rate by one of the forum spam bots. I switched to a custom question and answer system that required a certain amount of reading comprehension in order to answer (one says to leave the answer blank, for example), and so far it has worked great.

  15. Anonymous Coward
    Anonymous Coward

    Latest news: academics reproduce years-old results.

    e.g. PWNTcha, since 2004.

    1. Old Handle

      Yes... but

      They defeated the captchas from 2004 in 2004, this year the defeated the capchas from 2011, which are presumably tougher.

      1. Anonymous Coward
        Anonymous Coward

        So the 2004 captchas were defeated in 2004.

        And the 2011 captchas were defeated in 2011.

        So of course the 2012 captchas will remain undefeated for all time?

  16. John Latham

    Lateral thinking...

    Maybe the solution is to design a task which is so unbearably illogical as to be computationally intractable and so deeply frustrating that a human CAPTCHA-beater would go completely insane if forced to complete it more than once. Something a bit like arranging an overdraft over the phone with a high street bank.

  17. Bucky 2

    I always liked KittenAuth.

    First because--you know--kitties.

    Second because it's not an obnoxious misspelling of a word.

  18. This post has been deleted by its author

  19. Anonymous Coward
    Anonymous Coward

    CAPTCHA is only the First Step

    CAPTCHA should not be your only line of defense. Scan posts, messages, etc, for signs of spam. You can even rely on a service like Spam Assassin.

  20. Jon B


    You only have to guess one word on reCaptcha though? The known word, and the other one that's being crowdsourced to find out what it is - surely you can just type anything for that one. It's normally pretty easy to tell which word is which.

  21. Winkypop Silver badge

    I hate captcha

    The site I run uses Google.

    We get more complaints about our captcha test than we get for general complaints *

    * or we would if they could get past the captcha.

  22. TheOtherHobbbes

    They should

    package it as an ad-supported web app for those people who need AI help to get past a CAPTCHA.



    A CAPTCHA is not a Turing test. By definition, a Turing test is exactly the opposite of a CAPTCHA.

  24. Michael Wojcik Silver badge

    And the pointless arms race continues...

    "the Stanford team suggest several approaches towards making CAPTCHAs harder to beat"

    You only need one: don't use CAPTCHAs. They're largely useless, annoying to users, and have an idiotic name.

    They were never a good idea, and have proven useful only for their moderately interesting impact on image processing and economics.

This topic is closed for new posts.