CAPTCHAs Got You Down? You’re Not Alone.

The other night, before teaching my online class, my web conferencing software suddenly asked me to complete a CAPTCHA. Many websites use a CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, to guard against automated login requests from computerized agents. Without some kind of protection, a hacker could enlist a network of “bots” to guess millions of passwords against the website until they guess the right one, or he could simply use them to flood the website’s login page with so much traffic that it is unable to respond to legitimate requests. Some CAPTCHAs ask you to type letters that have been obscured or rotated, to choose which of a set of pictures matches a particular description, or to rotate a picture into its correct orientation. Regardless of their technique, they are an annoying but thus far necessary tool for keeping websites accessible and properly authenticated.

Well, in this instance, time was ticking. Class was supposed to start in two minutes. I typed in my username and password, thinking I had plenty of time to get the conference started, and then, up popped the CAPTCHA. I usually don’t have much problem solving them, but this one … this one would be my nemesis for the next ten minutes! It started innocently enough: it asked me to identify all pictures that showed a storefront. Some of the storefronts appeared in plain view, and others were obscured by trees. But some of them looked like bazaars or open-air markets, and I started to wonder whether those could technically be called storefronts. One could have been a library or a store, and I began to wonder whether a library qualifies as a store for knowledge; such is how my crazy mind works. I started picking what I thought were matching images, but, as I did, some would disappear and slowly be replaced by others. Then, all of a sudden, all of the storefronts would vanish and be replaced by crosswalks. My new challenge was to identify crosswalks, but some of them were obscured, and some were actually overpasses, and again they would disappear and reappear randomly. I began wondering whether there was a hidden camera in my office, with people far away watching me and laughing as I struggled in vain for ten minutes to get past this crazy thing that was simply supposed to prove that I’m not a machine.

Eventually, I opened up a different browser and tried logging in again. This time, the CAPTCHA didn’t reappear when I entered my username and password. I was victorious! No CAPTCHA, no problem. In the end, I did manage to get past the CAPTCHA, but only because I had the ingenious thought to move from Chrome to Firefox just so I could log into the site. Human 1, Machine-Catching CAPTCHA 0, thanks to Firefox.

This is not an isolated incident. It appears that I am not alone in my CAPTCHA complex. In fact, for some CAPTCHAs, the human pass rate is just 33%, whereas software with custom image recognition algorithms designed to pass such tests can do so 99.8% of the time.

If CAPTCHAs really are designed to distinguish humans from bots, shouldn’t they actually reward you for failing the test? Of course, a failure-based CAPTCHA wouldn’t work very well either: the bot would simply be redesigned to guess poorly on purpose, wrong just often enough to pass for human. But if the challenges have gotten so advanced that humans have a very difficult time solving them, something is clearly wrong with how they are being designed and implemented. They are now seriously impacting the usability of websites.

The Turing Test is a well-known way to identify artificial intelligence. Conceived by Alan Turing, the test involves having a human subject interview a human and a computer. If the interviewer can’t tell which is the human and which is the computer, then the computer has exhibited artificial intelligence. The problem with the Turing Test today is that it is getting more and more difficult to distinguish between man and machine. As artificial intelligence and machine learning have advanced, computers have gotten better at acting and responding humanly. Not only does this have implications for how to describe artificial intelligence, but it has the more practical consequence of making any method that uses the Turing Test to distinguish between human intelligence and machine intelligence less and less useful. Such is the case with the CAPTCHA.

It is time to start moving away from using CAPTCHAs to protect websites and employ, instead, a distributed verification service. When you enter your credit card information into a site today, it is quite common for it to be verified by a third-party provider that specializes in the task. We need a similar verification service for personal identity.

One way to implement this is to have on file a set of twenty or more security questions and answers for each person. A website that wants to be protected by the verification service would ask it to send three security questions at random from the list that you have stored with the service. It would present those questions to you. When you type your answers, the web browser will hash them (i.e. transform them into an unreadable code) and send them to the website you are trying to access. The website would then forward the hashes to the verification service so that it can compare them with the hashed answers it has on file. The verification service would then send back its decision to the website on whether you should be allowed in. The website would then react accordingly, either letting you in if you passed the test or perhaps giving you another chance to answer another set of three questions.

Since you would transmit your answers hashed rather than in plain text to the web site, it would not be able to capture and store them, thus making them confidential to just you and the verification service. Since you would choose and answer the questions, it is something that only you should be able to pass, and it wouldn’t require tremendous mental gymnastics to do so.
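A minimal sketch of the flow described in the two paragraphs above, written here as an added example (it is not code from the post or from any real verification service): the service stores each user's hashed answers, the website relays three random questions and the browser-side digests, and the service checks them and consumes each challenge once. The per-user salt, the PBKDF2 stretching, the answer normalization and the one-time challenge id are assumptions added so that a website cannot replay a captured set of digests, and the sample questions are constructed.

```python
import hashlib
import secrets

PBKDF2_ROUNDS = 50_000  # stretch the hash: security answers are low-entropy (assumption)
SAMPLE_QA = {  # constructed enrolment; the post calls for twenty or more questions
    "First street you lived on?": "Maple Ave",
    "Name of your first pet?": "Biscuit",
    "City where your parents met?": "Joliet",
    "Make of your first car?": "Saturn",
}

def normalize(answer):
    """Fold case and whitespace so 'Maple Ave' and ' maple  ave ' hash alike."""
    return " ".join(answer.strip().lower().split())

def hash_answer(salt, answer):
    """Browser-side step: the website only ever sees this digest, never the answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS).hex()

class VerificationService:
    def __init__(self, questions_per_challenge=3):
        self.k = questions_per_challenge
        self.users = {}       # user_id -> (salt, {question: digest})
        self.challenges = {}  # challenge_id -> (user_id, [questions])

    def enroll(self, user_id, qa):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, {q: hash_answer(salt, a) for q, a in qa.items()})

    def issue_challenge(self, user_id):
        """Website asks for k random questions; returns them plus the salt the browser needs."""
        salt, stored = self.users[user_id]
        questions = secrets.SystemRandom().sample(sorted(stored), self.k)
        cid = secrets.token_hex(8)
        self.challenges[cid] = (user_id, questions)
        return cid, questions, salt

    def verify(self, cid, digests):
        """Website forwards the digests; the challenge is consumed whether it passes or not."""
        user_id, questions = self.challenges.pop(cid, (None, []))
        if user_id is None or len(digests) != len(questions):
            return False
        stored = self.users[user_id][1]
        checks = [secrets.compare_digest(stored[q], d) for q, d in zip(questions, digests)]
        return all(checks)  # list is fully built first: no early exit on the first mismatch

def website_login(service, user_id, answers):
    cid, questions, salt = service.issue_challenge(user_id)
    digests = [hash_answer(salt, answers.get(q, "")) for q in questions]  # done in the browser
    return service.verify(cid, digests)
```

The website never holds anything it could reuse: the answers stay hashed end to end, and a digest set only works once, for the challenge it was issued for.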

The burden of this approach is entirely up front: you have to answer at least twenty security questions when you sign up with the verification service. But you’ll never have to feel dumb and at the mercy of a CAPTCHA again. After my latest experience, I think that’s worth it.

About Ray Klump

Associate Dean, College of Aviation, Science, and Technology at Lewis University; Director, Master of Science in Information Security, Lewis University. http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu. You can find him on Google+.
