Chances are, you've seen a Captcha. You probably had to fill one out to sign up for an account somewhere. It is less likely that you've had to implement a Captcha, and less likely still that you've actually looked into whether the Captcha can be defeated.

The answer is yes, Captchas can be defeated.  Even the best of them have flaws.  They are being defeated by using the same algorithms that are used to track people in video cameras.  For those of you who are 3D vector mathematics wizards, if that's even the proper name for it, I direct you to research done at the University of Berkeley.  For the rest of us, it is enough to understand that it can be done.

The Human Barrier

In Berkeley's research, they used the "Gimpy" Captcha engine, which is used over on Yahoo. They claim that their algorithm has been able to break the Captcha 92% of the time. Another group, PWNtcha, has been able to break many other Captcha mechanisms in practice and has made its code publicly available.

The underlying theme is that it is only a matter of time before all of the Captchas are broken. The problem is that a Captcha must be solvable by a human. This puts a limit on the level of difficulty possible and, in my opinion, renders Captchas a poor choice for defense against bots in the future.

A Better Captcha

A great alternative to Captchas is a similar idea that uses pictures of objects and requires a human to interpret them. A good example is Better Than Captcha (BTC). While this may not be perfect and may be slightly more trouble for end users to figure out (as it was for me), it is sure to be a much better system than text-based Captchas.

 
