CAPTCHA are Not a Security Measure

    Thomas Rutter

    Every so often an article or blog post pops up somewhere on the internet about how wonderful image-based (or even sound-based) CAPTCHA are for the security of web forms. I am going to point out why using CAPTCHA for security is a crazy idea, and why using it for spam control is also flawed.

    CAPTCHA image with twisted letters

    The first major problem with CAPTCHA is that they are often thought of as a security measure, when in fact they are not. A CAPTCHA is a crude (automated) way of telling humans and computers apart. It does not, and cannot, test whether a user can be trusted or not. If you are using CAPTCHA for security, you are working on the false assumption that humans can be trusted while computers (bots) cannot.

    If your security strategy is something along the lines of “If it’s a human, we can trust them”, then you have a lot of problems.

    Thankfully, most people realise that CAPTCHA are not about security at all; they’re simply one of many ways to try to cut down (but not eliminate) automated form submissions.

    So, the first basic problem of the CAPTCHA is that it is too often thought of as a security measure when in fact it is not. Thinking of CAPTCHA as a security measure is equivalent to thinking of all humans as trustworthy.

    The second major problem with CAPTCHAs is that they are relatively easy to exploit. While a single human can only look at a certain number of images per hour, a number of humans, with a lot of time on their hands, can look at thousands of them per hour. And if the internet has taught us anything, it’s that there are a lot of humans on the internet with a lot of time on their hands. So, while a CAPTCHA will slow one human down, it won’t slow hundreds of humans down.

    This is why the ‘free porn exploit’ works. This is the idea that CAPTCHA images are scraped from a site and shown on the attacker’s site. On the attacker’s site is a form instructing its visitors to identify the letters in the image in order to gain access to free porn. All the attacker needs to do is drive a whole bunch of people wanting free porn to that form and he gets the solutions to a whole lot of CAPTCHA, which he can then submit to the original site(s) – automatically – for his dirty work.

    It doesn’t have to be porn, of course – that is just a popular way of illustrating this CAPTCHA flaw. Any time a human wants something, or even is a little bit bored, you can ask them to fill out a form. Get free jokes in your inbox, fill out this form. If you get many humans working against a CAPTCHA it makes the CAPTCHA ineffective.

    The third major problem with a CAPTCHA, and one which doesn’t really have anything to do with security but I’ll mention it anyway, is that by its very nature it impedes usability and accessibility.

    CAPTCHA weed out humans with good eyesight and a graphical browser from the rest. The benefit of CAPTCHA is due to their accessibility hindrance. If you made a CAPTCHA more accessible, it would make it less effective. What about alternatives? For blind users, you could read out the numbers in a sound file. Now you’re relying on the user having the right sound player plugin installed. Sound also takes longer to download, and more can go wrong. What about sighted people who prefer to use text mode browsers, or who hide images because they have very low bandwidth?

    CAPTCHA also harms usability. It takes time and effort for even a person of good eyesight to pass a CAPTCHA. It’s a hassle and an annoyance.

    The easiest way to improve accessibility would be to remove the CAPTCHA, because the purpose of CAPTCHA is to reduce accessibility.

    If a CAPTCHA is so bad, what are the alternatives?

    If you are using CAPTCHA as an attempt to fight security problems, you need to reconsider your approach. CAPTCHA are broken as a security measure. Unfortunately, I believe the best alternative is to consider security issues in the planning stage of an application, rather than after the spam or attempted exploits start pouring in. It is easier to design a secure application than to make an insecure application secure, and part of this is deciding what not to include in your application.

    Where CAPTCHA are used to reduce spam, they may be replaced by other methods. In my experience, a lot of online comment or form spamming is by humans who have a lot of time on their hands and something to sell, or promote. Again, due to the second big problem with CAPTCHA (see above), we see how the CAPTCHA is ineffective against multiple humans with a lot of time on their hands.

    One possible method for dealing with the problem would be to use Bayesian spam filters. Bayesian filters work equally well on human- and robot-submitted spam.
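    As an added illustration of the Bayesian alternative suggested above (example code written for this edit, not from the original post), here is a minimal naive Bayes comment filter. It judges a submission only by its text, so it does not care whether a human or a bot typed it; the training comments, the smoothing constant and the 0.9 threshold are assumptions.

```python
import math
import re
from collections import Counter

# Constructed training data (not from the original post): comment text
# labelled spam or ham. A real deployment would train on moderated history.
TRAIN = [
    ("buy cheap pills online now free shipping", "spam"),
    ("free porn click here free access now", "spam"),
    ("cheap watches replica click here buy now", "spam"),
    ("great post thanks for the detailed explanation", "ham"),
    ("I disagree with the second point about accessibility", "ham"),
    ("thanks this helped me fix my form validation", "ham"),
]

def tokenize(text):
    """Lower-case word tokens; the filter looks only at content."""
    return re.findall(r"[a-z0-9']+", text.lower())

class BayesFilter:
    def __init__(self, alpha=1.0):
        self.alpha = alpha  # Laplace smoothing so unseen words don't zero out
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = Counter()
        self.vocab = set()

    def train(self, text, label):
        toks = tokenize(text)
        self.word_counts[label].update(toks)
        self.doc_counts[label] += 1
        self.vocab.update(toks)

    def log_prob(self, toks, label):
        """log P(label) + sum log P(token | label), with smoothing."""
        total = sum(self.word_counts[label].values())
        denom = total + self.alpha * len(self.vocab)
        lp = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for t in toks:
            lp += math.log((self.word_counts[label][t] + self.alpha) / denom)
        return lp

    def spam_probability(self, text):
        toks = tokenize(text)
        log_spam = self.log_prob(toks, "spam")
        log_ham = self.log_prob(toks, "ham")
        # Convert the log-odds back to a probability without underflow.
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

def build_filter():
    f = BayesFilter()
    for text, label in TRAIN:
        f.train(text, label)
    return f

def classify(text, threshold=0.9):
    """Hold a comment for moderation when its spam probability is high."""
    return "spam" if build_filter().spam_probability(text) >= threshold else "ham"
```

    Both comments below would pass a CAPTCHA if a person typed them; the filter separates them on content alone.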