by Constantine von Hoffman

Seven Ways to Make CAPTCHA Safer

Opinion
Nov 02, 20112 mins
Data and Information SecurityData BreachEncryption

Design principles to use when customizing CAPTCHA.

In their paper Text-based CAPTCHA Strengths and Weaknesses, Elie Bursztein, Matthieu Martin and John C. Mitchel give a list of the design principles which ReCAPTCHA uses and which should be used to customize CAPTCHA. 

1.    Randomize: A) CAPTCHA length: Don’t use a ?xed length, it gives too much information to the attacker. B) Character size: Make sure the attacker can’t make educated guesses by using several font sizes and several fonts.

2.    Wave the CAPTCHA: Making the CAPTCHA into a wave shape increases the dif?culty of ?nding cut points in case of collapsing and helps mitigate the risk of the attacker ?nding the added line based on its slope when using lines.

3.    Anti-recognition techniques will strengthen CAPTCHA security, not guaranteeing it. rotation, scaling and rotating some characters and using various font sizes will reduce the recognition ef?ciency and increase the anti-segmentation security by making character width less predictable.

4.    Don’t use a complex character set: Using a large character set does not signi?cantly improve the CAPTCHA scheme’s security and really hurts human accuracy, thus using a non-confusable character set is the best option.

5.    Use collapsing and/or lines: Given the current state of the art, using any sort of complex background as an anti-segmentation technique is considered to be insecure. Using lines or collapsing correctly are the only two secure options currently. Complex backgrounds (Like the ellipses used in some ReCAPTCHA’s) can be used as a second line of defense.

6.    Be careful while implementing: To be effective, anti-segmentation techniques must be implemented very carefully (the paper explains these in detail).

7.    Create alternative schemes: As with cryptography algorithms, it is good practice to have alternative CAPTCHA schemes that can be rolled out in case of a break. Variations of the same battle-hardened schemes with additional security features are likely the easiest way to prepare alternative schemes. This seems to be the strategy of ReCAPTCHA, which has alternative schemes that surface from time to time.