Wednesday, February 09, 2005

Breaking CAPTCHA

As a follow-up to my previous post explaining what a CAPTCHA is, this post is about breaking CAPTCHA.

To break a CAPTCHA there are basically two options: either come up with some fancy algorithm that does image analysis and character recognition, or simply show the CAPTCHA to a human and have him/her tell you what the mangled text in the CAPTCHA really is. It seems that spammers prefer the latter option, which is not only simpler to implement but also offers better reliability. Here is an example of what they do:
  1. Spammer creates a free porn site with the only catch being that users have to enter the text off a CAPTCHA before they can view images.
  2. That CAPTCHA is fetched from sites like Yahoo and displayed inline on their porn site.
  3. The moment a user keys in the sequence of characters, they programmatically feed it to the CAPTCHA entry box on the free email provider's site and open a new email account. The interesting thing to note here is that spammers don't have any way to really know whether the user entered the correct word or not.
Free porn sites attract a lot of people and so spammers are able to generate as many throwaway email addresses as they need.

The seemingly trivial task of identifying the mangled text in an image is very difficult for computers. Apart from spammers, some CAPTCHA crackers are also scientists. Breaking a CAPTCHA programmatically has important implications in the field of artificial intelligence and optical character recognition.

However difficult the generated CAPTCHA image, if you involve humans to solve the problem under false pretenses (as in the above example), then it can always be defeated.


Copyright Anand Jain 2004, 2005. All rights reserved.