How To Break A CAPTCHA

A CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is what the many online services like email, forums, and free web site hosts use to prevent their services from being misused. Were it not for CAPTCHAS and similar controls, various known and unknown criminals could otherwise easily setup thousands of email accounts, forum memberships, and personal web sites for themselves, and send millions of bits of email spam, post millions of forum spam messages, and publish millions of spam web sites, all in the amount of time that it will take me to write this article. And in March 2009, we see a new frontier in spamming - comment spam.

So thank heavens for the CAPTCHA (from pioneers like Luis Von Ahn), which protects us from the hacking, porn, and spam that would otherwise overwhelm the Internet.

Oh crap. The Internet is already overwhelmed. Maybe CAPTCHAS, actually, aren't accomplishing a thing - except stopping us, the honest Internet user, from setting up an email account, a forum membership, or a free web site, without raising our blood pressure another 20 points in 10 minutes.

No, CAPTCHAS do not work, Luis. Allegedly.

So, Chuck, how do you break a CAPTCHA? Well, I can think of 3 ways.

  1. Expensive high tech automated, CPU intensive, CAPTCHA breaking software. Right. I don't know about you, but my CAPTCHA solving skills are maybe .500 on my best day. How is a computer program going to break CAPTCHAs, reliably?
  2. Semi expensive hiring of personnel intensive CAPTCHA breaking staff (workers, supervisors, managers, communications lines, technology??) in third world countries (5:00). Staff that does nothing but look at CAPTCHAs, over and over, all day? Is that going to be reliable?
  3. Relatively cheap acquiring of volunteer labour, gathered through the Internet, completely ignorant of their role, who just want to look at the dancing pigs. Each volunteer collaborates with 2 or more other volunteers for one CAPTCHA, then is done, and never knows what he just did. Any porn merchant can get all of the volunteers that he needs.

Which is it? Door 1, 2, or 3?

For my money, it's got to be Door 3 - volunteer labour (5:45). Watch the video, and despair.

Human Computation (Luis Von Ahn: July 26, 2006)

No, Luis, this isn't allegedly happening (6:10).

Hacking, porn, and spam distribution is big business (6:20). Hackers, porn merchants, and spammers are making big bucks. Door 3 is the only possibility that makes any business sense. Volunteer labour - that's the trick (6:30).

So, yes, Luis, you could use these games to break the CAPTCHAs (51:10).

>> Top


C.R Jones said...

As per Dancho Danchev's comments from Sept 2007 ( - he claims that for under $50 anyone can purchase some code to foil Hotmail & Yahoo CAPTCHA's. Does this mean that rudimentary CAPTCHA's (like this blog) are useless? Presumably one must have a higher "spam-value" product to worry about such risks.

Chuck said...

CAPTCHA breaking software, that can (for a fee) be upgraded to include new techniques for decoding new attempts by people who use CAPTCHAs to make their CAPTCHAs more complex.

Thereby encouraging the sale of CAPTCHA providing software, also upgradable (for a fee) to include new techniques for protecting against automated CAPTCHA breaking software.

And so on.

Who do you think sells the CAPTCHA breaking software? Who do you think sells the CAPTCHA making software?

Chuck said...

Watch the video.

Carter said...

if anyone is intersted in how i broke some captchas heres some posts ive made on breaking a simple image captcha and why math captchas are easy to break