Google's Captcha Theory

Captchas are currently the best way to protect sites from bots. If you have signed up for any site or filled out any form on the web recently, you most likely ran into a captcha. For those who don’t know what a captcha is, here is a brief explanation. Captchas are visual parts of a web site which determine whether the user is a human or a bot. A basic captcha will ask a simple question, like what is 3 + 5. Most of the time, a captcha will contain numbers, letters, or even words, either placed on a background which makes the characters hard to read or with the characters themselves distorted. The user must then enter the correct characters or phrase in order for the script to determine whether the user is a human or a bot. Other captchas will ask the user to compare images and answer a question based on those images. These types of captchas may ask you to pick out the image of a cat when all the images but one are of dogs.

For the most part, captchas have been very reliable. Although bots can get by the most basic captcha, the more common captchas have been harder for bots to get by. Bot programmers had to go as far as designing separate programs to work with the bots. These programs display a captcha to a user and ask them to solve it; the user is then rewarded for solving it. Recently, SecurityLabs has stated that bots have been able to bypass Google’s Gmail captcha. This has caused some people to start worrying, since Gmail’s captcha has been one of the harder ones to break and one of the last free email account captchas to be broken. This may not seem like a big deal, but most sites that use captchas also require an email address for additional security. So in theory, if the site only allowed Gmail accounts, the bot would have to get past Gmail’s captcha and then the site’s own captcha before finishing a form.

As is normal with Google, once they found an issue, they chose to put a team of talented engineers on the case to solve it. CNET is reporting that Google has created a new theory for captchas based on images. In Google’s new captcha theory, the user must rotate an image to the correct vertical position. The theory (PDF) stated, “Previous research has shown that humans can achieve accuracy rates above 90% for rotating high resolution images to their upright orientation, and can achieve a success rate of approximately 84% for thumbnail images.” So in theory (which is what this is) the idea seems to work, and seems very simple. Create an image, offset it, and when the image’s offset is back to zero degrees, the user is a human. That is, until you start thinking about the images. The report states that images of humans can’t be used, because there is software which can detect human faces and use them to determine the orientation of the image. Google itself has used similar software to blur faces on Google Maps, which is proof that face recognition can be done. The theory goes on to describe two more types of images. One is an image in which there is very little difference between the top and the bottom. The other type, which the theory states should be used, is an image that is complex for bots to determine but easy enough for humans to determine. As an example, they have an image of a colorful parrot on a branch.
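The accept-when-upright check described above, sketched from the server's side as an added example (not code from Google's paper or from this post). The class name, the 16-degree tolerance and the 120-second lifetime are assumptions; the page gives no figures for either.

```python
import secrets
import time

TOLERANCE_DEG = 16.0   # assumed acceptance window around upright
TTL_SECONDS = 120      # assumed lifetime of an unanswered challenge


def angular_error(angle_deg):
    """Smallest distance from an angle to upright (0 degrees), in [0, 180]."""
    a = angle_deg % 360.0
    return min(a, 360.0 - a)


class RotationCaptcha:
    """Hypothetical server-side store for rotate-to-upright challenges."""

    def __init__(self, clock=time.time):
        self._rng = secrets.SystemRandom()
        self._clock = clock
        self._pending = {}  # challenge id -> (offset in degrees, expiry time)

    def issue(self):
        """Return (challenge_id, offset). The offset is only for rendering the
        rotated image on the server; it is never sent to the client."""
        # Keep offsets outside the tolerance window so an untouched image never passes.
        offset = self._rng.uniform(2 * TOLERANCE_DEG, 360 - 2 * TOLERANCE_DEG)
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (offset, self._clock() + TTL_SECONDS)
        return cid, offset

    def verify(self, cid, user_rotation_deg):
        """True if the user's rotation brings the image back to upright."""
        # pop() makes every challenge single use: a wrong answer burns it,
        # so a client cannot sweep angles against the same image.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        offset, expiry = entry
        if self._clock() > expiry:
            return False
        # Compare on the circle: +350 degrees and -10 degrees are the same turn.
        return angular_error(offset + user_rotation_deg) <= TOLERANCE_DEG
```

The error is measured on the circle because a user may turn the image either way round, and each challenge is consumed on the first answer so repeated guesses each require a fresh image.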

There are two really interesting points on how Google finds the images to use in this process. The first one, believe it or not, is based on their search engine. To create a database of images for the second part of their testing, Google states they “collected from the top 1,000 search results for popular image-queries”. From here they used software to determine which images were too easy for bots to determine the orientation of, and which ones were too hard for humans. From there Google did case studies to determine how reasonable it was to implement the captcha system. The results of their test showed that 11 (or 68.75%) of the 16 users tested actually preferred their captcha over the currently popular text-based system.

In the future, Google states that they would like to see a 3D-based image system implemented into the captcha. Google also stated that their captcha can be easily implemented on portable devices, especially those that have a touch screen interface. So it seems that if Google has their way, in the near future there may be a new set of captchas on the web and, judging from the results, less frustrated users.
