Researchers Devise a Better Way to CAPTCHA

Complicated CAPTCHAs can keep you from logging in to websites protected by those annoying squiggly letters. Thankfully, researchers have found a new way to let you in while keeping the spam bots out.

Credit: University of Alabama at Birmingham

How annoying are CAPTCHAs? You know, those squiggly letters in a box that are designed to prove you are a human — or not? Very annoying, though Google, which controls CAPTCHAs, has made them easier to work with.

Now researchers have devised a much cooler way to achieve the same goal, using game-like puzzles that are easy for people to solve, but difficult for spam bots to figure out.

Nitesh Saxena, a professor of computer science at the University of Alabama at Birmingham, led a team that investigated the security and usability of this next generation of CAPTCHAs based on simple computer games.

Instead of using hard-to-read letters or numbers, the researchers used various puzzles composed of moving images. For example, in a “ship parking” challenge, the user has to identify the boat in a set of moving objects and drag-and-drop it to the available “dock” location. Or the user might simply be asked to match shapes. (See below.)

Image: CAPTCHA game (credit: University of Alabama at Birmingham)

That’s pretty simple for a human, but it might be difficult for a bot, according to the researchers. Also, its game-like nature may make the process more engaging for the user than conventional text-based CAPTCHAs, they said in a post on the university’s website.

Not only are CAPTCHAs annoying, they’re vulnerable to attacks.

“In traditional CAPTCHA systems, computers may have a hard time figuring out what the distorted characters are — but trained humans can do it in seconds,” Saxena said. “The trouble is that criminals have figured out that they can pay people — a penny or less per time — to sit in front of a screen and ‘solve’ CAPTCHAs to let them do what they want. This is known as a CAPTCHA relay attack.”

A few years ago, Stanford University researchers created a program called Decaptcha. It was so powerful that it was able to bypass 66 percent of CAPTCHAs on Visa's payment site; 70 percent at Blizzard Entertainment; a quarter of the ones used by Wikipedia; and many more CAPTCHAs on a handful of other sites including CNN, eBay, Digg and

It’s not clear when or even if Saxena’s method will find its way to the public Web. Let’s hope it’s sooner rather than later.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.