Building a better spam-blocking CAPTCHA

New approaches may give the CAPTCHA antispam technology a second chance

1 2 3 Page 3
Page 3 of 3

The core idea, as the developers explain on their site, is that image recognition is a harder problem for computers to solve than text recognition, making the Imagination system more secure than text-based CAPTCHAs. In fact, the developers welcome attempts to crack the system: "If you think a robot can also pass our test without random guessing, give it a try and we'd love to know how far your robot can get."

Unfortunately, color-blind users are likely to face problems with the Imagination system. (Blind and hard-of-sight people, of course, will have problems with all image-based CAPTCHAs.)

Image-based CAPTCHAs still aren't in widespread use. A few simple ones, such as KittenAuth, are starting to see use. (For example, some phpBB online forum systems are using KittenAuth.) With KittenAuth, users are presented with a grid of 12 pictures of animals and then asked to pick out, for example, the ones containing -- you guessed it -- kittens.

KittenAuth CAPTCHA
KittenAuth CAPTCHA

Microsoft Research has taken the same idea for its ASIRRA (Animal Species Image Recognition for Restricting Access) technology. ASIRRA uses a larger pool of images from, but otherwise this Web service CAPTCHA is essentially a KittenAuth clone. While to my knowledge no major sites are currently using ASIRRA, Microsoft has made PHP, Python, C#, Perl, VisualBasic and JScript code available, as well as a WordPress plug-in -- so it shouldn't be long before multiple Web sites are giving ASIRRA a try.

Sneaky CAPTCHA tricks

Stephen Moseley, a Web designer and developer at media production company Hannisdal Express has a sneaky way of stopping CAPTCHA bot attackers: incorporate a hidden field with CSS (Cascading Style Sheets). The field is coded so that human users never see it. Bots, however, read the page's code and note that there is a field to be filled in, and proceed to do so. That, of course, is enough to mark the visitor as a potential cracking program rather than an actual user.

"The bots should fill it in, and if you compare the inputted value to the value you start with, you can quit execution right there," says Moseley. "You do, however, have to make sure to label this so that people with screen readers can understand not to fill it in. I've used this on some nonhigh traffic forms and it works pretty well. It probably won't stop serious spam bots for a large site, though."

Moseley also suggests using simple math problems in CAPTCHA tests. As he explains, though, this approach has two problems: "possible discrimination against the mentally handicapped and the fact that you would need to make the questions random (i.e., you don't want it to always be 2 + 2)."

The bottom line

What all these variations on CAPTCHA mean for Web administrators is that CAPTCHA will continue to be useful. However, the old, simple CAPTCHA systems are hopelessly obsolete.

And even the improved CAPTCHA strategies may not be useful for long. Carnegie Mellon's von Ahn believes that, for the immediate future, image-based CAPTCHAs will be effective. Eventually though, within 50 years at the most, von Ahn thinks that computers will be bright enough to solve any form of CAPTCHA.

But what about right now? To secure a Web site in 2009, companies would be well advised to look at reCAPTCHA, which comes with a wide variety of application and programming plug-ins and an open API (application program interface). With these, no matter what software you're running on your Web site, you should be able to easily add reCAPTCHA protection to your Web-based applications.

Looking ahead, you should start following image-based CAPTCHA technologies. They promise to have a longer effective life.

All that said, it should also be kept in mind that, even as bot-based CAPTCHA attacks are held at bay, there's no effective defense against humans breaking CAPTCHAs for money. All that any CAPTCHA system, or any other security measure, can really do is slow down would-be crackers.

At the end of the day, Web security must be concerned not only with keeping out attackers, but with minimizing the damage they can cause when they have broken into a site.

Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting edge and 300bit/sec. was a fast Internet connection -- and we liked it! He can be reached at

Copyright © 2009 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon