by Constantine von Hoffman

Researchers’ Ability to Break CAPTCHA Highlights Need to Customize All Security Systems

Nov 02, 2011 | 3 mins
Data and Information Security | Data Breach | Encryption

Despite the team's success, CAPTCHA remains a sound and useful security feature if implemented correctly, i.e. not exactly like everyone else does. By intelligently customizing any system you make it significantly harder to break.

Researchers have cracked CAPTCHA, a program widely used to foil bots. One of the reasons for their success is that many sites use similar, flawed implementations of the CAPTCHA program. This shows how important it is to customize any off-the-shelf security system as much as possible.

A team from Stanford University says its Decaptcha program was able to defeat 66 percent of CAPTCHAs on Visa’s payment site, 70 percent at Blizzard Entertainment, 42 percent on Reddit, 35 percent on Slashdot and a quarter of the ones used by Wikipedia, along with those on a handful of other sites including CNN, eBay and Digg. In fact, the only CAPTCHAs that resisted Decaptcha were those belonging to Google.

CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) uses a question-and-response system to determine if it is dealing with a person or a program. Users have to type a piece of text that is stretched, curved, jumbled, multicolored, slanted, crossed-out, or reversed. It frequently irritates users (this one in particular) who are allegedly human and still can’t decipher the text.

Of course the researchers – Elie Bursztein, Matthieu Martin and John C. Mitchell – aren’t going to release their program, but it is a safe bet that someone else will create their own version soon, if it hasn’t been done already. (There is also an audio version of CAPTCHA. The team cracked that earlier this year.)

Despite this, CAPTCHA remains a sound and useful security feature if implemented correctly, i.e. not exactly like everyone else’s. By intelligently customizing the system you make it significantly harder to break. The researchers point out this is exactly why Google’s Recaptcha system “remains unbroken even-though it is in use for more than four years.”

(See Seven Ways to Make CAPTCHA Safer)

This same principle should be applied to any security system or application. Each variation you can come up with means one more new challenge facing an intruder. You can’t wait until you know a system or application has been broken to implement changes. By the time you learn about it the hackers will likely have already come and gone.

Evolution shows that species thrive when they can survive in many different environments. This means each species develops variations peculiar to its own needs. That also makes each variation less susceptible to any one particular virus or infection. Now, do you want to make it easier or harder for that virus to get you?