24

If we know CAPTCHA can be beat, why are we still using them?

A 35% to 90% success rate like wikipedia is stating means software is better at solving CAPTCHAs then I am.

sup
  • 381
  • 3
  • 13
  • 4
    Some previous discussion on CAPTCHA might be a nice read http://security.stackexchange.com/questions/26094/why-do-we-need-captcha-in-what-case-we-should-use-it – Ali Ahmad Jan 08 '13 at 03:53
  • 1
    Its important to point out only some versions of CAPTCHA can be beaten. CAPTCHA model is always going through revisions to make it harder for software to solve the challenge. In some cases a human can't even solve it, I had to attempt a CAPTCHA challege 30 times, before I got it right. – Ramhound Jan 09 '13 at 15:37
  • Check out this cool page - Contains range of captchas which serve some useful purpose. https://sites.google.com/site/suhasprojectprofilesite/webpage/captchaswithapurpose – Manish Apr 15 '13 at 07:06

3 Answers3

30

CAPTCHAs are a trade-off between the patience of the attackers, and the patience of the normal users. Even if they can be beaten, they still serve their purpose if they slow down attackers sufficiently to discourage at least some of them, while not frightening too many potential users.

Of course, as is customary in IT, a lot of systems are used and deployed and adopted because of cargo cult. CAPTCHAs are fashionable and this is sufficient to ensure their widespread usage.

Polynomial
  • 133,763
  • 43
  • 302
  • 380
Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • 10
    Best way to think of it, imo, is as a way to prioritise your time. If you can block 85% of automated bots with a CAPTCHA, that means you only have to do manual work for the other 15%, rather than all of them. – Polynomial Jan 08 '13 at 07:11
  • But couldn't there be a better way of blocking attackers? Is there any that is existent? –  Jan 08 '13 at 22:54
  • there is no automated turing test so there is no way to block all automated attackers – ratchet freak Jan 08 '13 at 23:51
  • 2
    Lets not forget crowd-sourcing! Just set up a free porn site with strategically placed remote CAPTCHAs and have your visitors solve them to remove them. – lynks Apr 15 '13 at 12:24
23

Everything (everything) in security is balanced against cost. The purpose of CAPTCHA, just like the purpose of encryption, the purpose of physical security, the purpose of passwords, and the purpose of virtually every other security measure[*] is to increase the cost of circumvention, not to make circumvention impossible.

The intention is, specifically, to increase the cost of circumvention to above the value of circumvention. A good example of an effective application is captchas on blog comments. If comments can be posted by low-cost automated processes, then spam is inevitable; the value of the spam comments outweights the nearly negligible cost. But introducing a CAPTCHA step dramatically increases the the cost in both computer resources and (more importantly) software availablity to such a point that attempting to solve this problem does not make financial sense for the attacker.

As a result, CAPTCHAs, despite their relatively unsophisticated approach, typically eliminate nearly 100% of blog spam for most sites.

--
[*] - Except for 256-bit symmetric keys. That's just plain and simple impossible to brute-force at any price given the current limits of thermodynamics.

Community
  • 1
tylerl
  • 82,665
  • 26
  • 149
  • 230
  • +1 for mentioning the solution cost and importance of measuring their cost/drawback – happy Jan 09 '13 at 06:35
  • 1
    Side point: The conjecture than 256-bit AES cannot be broken relies on "assuming ...the best known attack against [it] is still brute-force" ([same source](http://security.stackexchange.com/a/25888/2264)). – Eliah Kagan Jan 09 '13 at 08:33
  • 1
    @EliahKagan yup. That's why I said "impossible to brute-force" instead of "impossible to break", even though the latter sounded better, it's not technically accurate. – tylerl Jan 09 '13 at 16:23
  • The value to a spammer of posting on a blog's comments is in many cases apt to be sufficiently low that forcing a spammer to do even a few seconds' worth of targeted work in order to spam a blog would make the effort unprofitable unless the spammer could sell a machine-readable list of blogs and how to spam them; the value of such a lists to purchaser could be quickly undermined if bloggers change their pseudo-Captcha questions when spamming is detected. – supercat May 04 '15 at 17:16
4

CAPTCHAS are often used by sites not requiring an account (username, password). The content may then be trivially copied and used by another site. A CAPTCHAS is the equivalent of a deadbolt. It sends the thief to the neighbor's house instead of yours, because yours is slightly harder to break into.

this.josh
  • 8,843
  • 2
  • 29
  • 51