Stanford Researchers Breach Captcha Security Codes

A group from Stanford University has demonstrated that Captcha is no guarantee of safety, thwarting the best guard we have against automated attacks. A Captcha is supposed to be solvable only by humans, not by bots or other automated programs. It achieves this by presenting a word or phrase written in a style that a machine cannot read, and users have to enter this code in order to gain access. It was developed at Carnegie Mellon University by a graduate student in 2000. Captcha is actually a fancy acronym for a bland sentence: Completely Automated Public Turing Test to tell Computers and Humans Apart.


The Decaptcha

Stanford Security Laboratory post-doctoral researchers Elie Bursztein, Matthieu Martin and John C. Mitchell busted that myth by creating a tool, named Decaptcha, that breaks codes 13 out of 15 times. The sites used for testing were high-profile sites like CNN, Visa, eBay and Wikipedia. Bursztein says:

For example, our automated Decaptcha tool breaks the Wikipedia scheme… approximately 25% of the time. 13 out of 15 of the most widely used current schemes are similarly vulnerable to automated attack by our tool. Therefore, there is a clear need for a comprehensive set of design and testing principles that will lead to more robust captchas

The working principle of Decaptcha is simple: it reduces background noise, breaks the string into single characters and recognizes the pattern. It achieved varying degrees of success at various sites. It broke Visa's Captcha 66% of the time and eBay's 43% of the time. Wikipedia's was breached 25% of the time.

The team shared a report elucidating the strengths and weaknesses of the Captcha method. The link is given below.

Report link:

Google Untouched!

There is, however, some good news for those seeking online security. Google was unbeatable and so was reCAPTCHA. reCAPTCHA is an improved version of Captcha that makes it more difficult for bots to recognize patterns by warping and twisting words into strange forms readable only by humans. Google now owns reCAPTCHA, which it acquired in 2009. In these two cases, Decaptcha scored no breaches.

Not yet breached!

The bottom line is that Captcha needs to be upgraded. Next time you feel smug about getting into a site by correctly typing in the captcha code, think twice. There are some smart computer programs sharing the same cyberspace!


Published by

Debjyoti Bardhan
