Design principles to use when customizing CAPTCHA. In their paper Text-based CAPTCHA Strengths and Weaknesses, Elie Bursztein, Matthieu Martin and John C. Mitchel give a list of the design principles which ReCAPTCHA uses and which should be used to customize CAPTCHA. 1. Randomize: A) CAPTCHA length: Don’t use a ?xed length, it gives too much information to the attacker. B) Character size: Make sure the attacker can’t make educated guesses by using several font sizes and several fonts. 2. Wave the CAPTCHA: Making the CAPTCHA into a wave shape increases the dif?culty of ?nding cut points in case of collapsing and helps mitigate the risk of the attacker ?nding the added line based on its slope when using lines. 3. Anti-recognition techniques will strengthen CAPTCHA security, not guaranteeing it. rotation, scaling and rotating some characters and using various font sizes will reduce the recognition ef?ciency and increase the anti-segmentation security by making character width less predictable. 4. Don’t use a complex character set: Using a large character set does not signi?cantly improve the CAPTCHA scheme’s security and really hurts human accuracy, thus using a non-confusable character set is the best option. 5. Use collapsing and/or lines: Given the current state of the art, using any sort of complex background as an anti-segmentation technique is considered to be insecure. Using lines or collapsing correctly are the only two secure options currently. Complex backgrounds (Like the ellipses used in some ReCAPTCHA’s) can be used as a second line of defense. 6. Be careful while implementing: To be effective, anti-segmentation techniques must be implemented very carefully (the paper explains these in detail). 7. Create alternative schemes: As with cryptography algorithms, it is good practice to have alternative CAPTCHA schemes that can be rolled out in case of a break. Variations of the same battle-hardened schemes with additional security features are likely the easiest way to prepare alternative schemes. This seems to be the strategy of ReCAPTCHA, which has alternative schemes that surface from time to time. Related content Opinion Why Bitcoins are Just as Viable as Any Other Currency The true value of any currency is a reflection of how much people believe it's worth, according to CIO blogger Constantine von Hoffman. But it's wise to remember just how fast beliefs can change. By Constantine von Hoffman Apr 15, 2013 4 mins Government Technology Industry Opinion No Surprise: Docs Show Obama Administration Lying About Drones President Obama has repeatedly said drones would only be used against members of al Qaida and allied groups. However, leaked intelligence documents show the administration has been using them to settle political and tribal feuds for at least four yea By Constantine von Hoffman Apr 10, 2013 3 mins Regulation Government Opinion How Big Data Can Quickly Become Big Garbage The bigger the data the bigger the chance of mistakes or inaccuracies. In that vein, a large database used by retailers to screen people accused of stealing from employers is identifying innocent people and could result in major lawsuits, according t By Constantine von Hoffman Apr 04, 2013 2 mins Big Data Opinion Why Crazy Trumps Logic on the Internet The earth is flat. Vaccines cause autism. 9/11 was a government conspiracy. These are just a few of the many ideas that continue to find adherents online despite overwhelming proof that they're not based on fact. CIO.com blogger Constantine von By Constantine von Hoffman Apr 02, 2013 3 mins Government Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe