undefined | Better HN

0 pointsjwilkins13y ago0 comments

What do you mean by 'some of the best'? If a CAPTCHA can be solved or guessed in an automated fashion then attackers can just throw more (likely compromised) machines at the problem at little cost. 3% is awful.

http://bitland.net/captcha.pdf

0 comments

2 comments · 1 top-level

jere13y ago· 1 in thread

In your link, their first attempt at breaking reCaptcha seemed to yield a 17.5% success rate. I was referencing wikipedia, which stated a 60% success rate against Microsoft's captcha and a 30% success rate against Google's catpcha: http://en.wikipedia.org/wiki/Captcha#Computer_character_reco...

Those papers may be a few years old and the state of the art may be different. But after an initial look I'm missing the reason that, compared to these captchas, you think that "3% is awful."

>If a CAPTCHA can be solved or guessed in an automated fashion then attackers can just throw more (likely compromised) machines at the problem at little cost.

I'm not ready to buy this. I would think every captcha is going to have some failure rate, even if it is extremely low. If attacks were absolutely free, then it wouldn't matter what the attack success rate was. Computers are fast, but not infinitely fast. Bandwidth is cheap, but not infinitesimally cheap.

jwilkinsOP13y ago

CAPTCHA comes from "Completely Automated Public Turing test to tell Computers and Humans Apart". These tests don't fulfill that requirement.

Random guessing gives you 3%, which is worse than random guessing on either the MSFT or reCAPTCHA.

This is far worse though. A simple loop over the 30 positions, running the output through an OCR engine would give you nearly 100%.

FWIW, I wrote the paper and AFAIK was the first person to break reCAPTCHA. I worked on the original MSFT Passport/Hotmail CAPTCHA system and improved MySpace's CAPTCHA which took spammer registrations from ~1,000,000/day (automated) to a few thousand (manual) in late 2007.

j / k navigate · click thread line to collapse