A Second Chance for CAPTCHA?
So with all that, can CAPTCHA be saved? According to Carnegie Mellon computer scientists, the answer is yes. The first of their redesigns of CAPTCHA, according to Luis von Ahn, a professor of computer science at the university, is the aptly named reCAPTCHA .
This system, von Ahn said, works in conjunction with the Google Books Project and the Internet Archive , two projects that are converting paper books to digital format using OCR software. As explained above, OCR software often doesn't read words accurately. When the projects' OCR programs flag a word as unreadable, it's saved as an image and used on the Web as a CAPTCHA test.
This has two positive results. First, these CAPTCHAs are already known to be resistant to OCR attacks, making Web sites that use reCAPTCHA less vulnerable to CAPTCHA crackers. Second, human users are decoding the words that the book projects' OCR software can't read, and thus helping to complete the two projects' accurate conversion of older books to digital formats.
How does reCAPTCHA know that the human got a word right? By using a control word, where the system already knows the correct spelling, along with the unknown word. Von Ahn explains, "If a user enters the correct answer to the control word, the user's other answer is recorded as a plausible guess for the unknown word. If the first three human guesses match each other, but differ from the OCRs' guesses, the word is marked as correct and becomes a potential control word."
The Carnegie Mellon crew is also looking at image-based CAPTCHA. The first of these, ESP-PIX , requires users to pick a word that describes all four objects in an image. The newest of them, SQ-PIX , requires users to first pick out the right image from three and then trace the outline of the object within the image. For example, you might see an image of a cat, one of a flower and one of a balloon, with the instruction "Trace all balloons."
These tests do have their shortcomings. For starters, what is clear to the designers may not be clear to users. In the ESP-PIX test, for example, the answer "girl" for three images of adult women and one of a young girl doesn't make much sense. And the SQ-PIX test may require a degree of manual dexterity that not all users have. My editor, who is right-handed but uses a trackball with her left hand, found that the test failed her more often than it passed her. However, these are works in progress; Carnegie Mellon doesn't have a scheduled completion date.
Carnegie Mellon isn't the only group looking at image-based CAPTCHA. Penn State developers are working on Imagination CAPTCHA . In this system, a user must first pick out the geometric center of a distorted image from a page that's filled with similar overlapping pictures.
If you get that right, you're presented with another carefully distorted image and asked to pick a word to describe what you're seeing. The Imagination system is based on ALIPR (Automatic Linguistic Indexing of Pictures), an automated image-tagging and searching technology.
The core idea, as the developers explain on their site, is that image recognition is a harder problem for computers to solve than text recognition, making the Imagination system more secure than text-based CAPTCHAs. In fact, the developers welcome attempts to crack the system: "If you think a robot can also pass our test without random guessing, give it a try and we'd love to know how far your robot can get."
Unfortunately, color-blind users are likely to face problems with the Imagination system. (Blind and hard-of-sight people, of course, will have problems with all image-based CAPTCHAs.)
Image-based CAPTCHAs still aren't in widespread use. A few simple ones, such as KittenAuth , are starting to see use. (For example, some phpBB online forum systems are using KittenAuth.) With KittenAuth, users are presented with a grid of 12 pictures of animals and then asked to pick out, for example, the ones containing -- you guessed it -- kittens.
Microsoft Research has taken the same idea for its ASIRRA (Animal Species Image Recognition for Restricting Access) technology. ASIRRA uses a larger pool of images from PetFinder.com , but otherwise this Web service CAPTCHA is essentially a KittenAuth clone. While to my knowledge no major sites are currently using ASIRRA, Microsoft has made PHP, Python, C#, Perl, VisualBasic and JScript code available, as well as a WordPress plug-in -- so it shouldn't be long before multiple Web sites are giving ASIRRA a try.