Mark Burnett has a few good articles on my single favorite love-to-hate security measure, the CAPTCHA. Check the articles out here and here. They do a good job at explaining some of the high level problems with CAPTCHAs but don’t be fooled, this is only the tip of the iceburg as I’m sure Matt would agree. If you look on sla.ckers there is post after agonizing post where people are building and then breaking CAPTCHAs.
Jeremiah had a good post on this a year ago describing what makes an effective CAPTCHA. I’d like to go one further. I have actually never seen said mythical beast. I’m not even sure it can be done with the technology we have at our disposal. What I’m getting at is this. People have deficiencies and those deficiencies must be dealt with for them to be able to solve a puzzle. Some deficiencies are pretty dibilitating and include blindness. Okay, so we have audio CAPTCHAs to augment that issue. Then we have colorblind people. They too can use the audio CAPTCHAs.
Then we have things like pwntcha, pron proxies and a whole host of other ways to “break” CAPTCHAs in a way that they were not intended. Bummer. It’s getting to the point, where I cannot even fathom what a good CAPTCHA would look like. Everything is either far too hard for people to solve, or far too easy for computers to solve. The stuff that’s in the middle is usually bad for both. I’m up for an experiment. Can anyone point to a good example of a CAPTCHA anywhere on the Internet - one that meets all the rules outlined by Jeremiah’s post?