A Security Analysis of Text-based Captcha Schemes

Abstract

Captcha has become a standard security mechanism to protect many services and resources on the Web. A Captcha challenge is created and validated automatically by computer to distinguish whether the user’s identity is human or an automated program. Thus, it should be easy to solve by humans and very difficult to solve by automated software. The majority of current Captcha schemes on the Internet are principally based on distorted text challenges. However, text-based Captchas usually have many shortcomings in terms of security, usability, or the balance between them. That is, to resist attacks from auto-recognition programs, the text in the image has to be distorted and camouflaged. However, too sophisticated distortion may also degrade the readability for humans. It is thus critical for a Captcha scheme to be well balanced between usability and security. In this paper, we discuss security aspects and various attacks on currently used text-based Captcha schemes. The discussion included the different types of Captcha attacks, followed by defensive and offensive techniques commonly used by Captcha designers and attackers, respectively, to achieve their various goals, as well as describing the various dedicated research efforts to break Captcha schemes, have been explored. At the end, this paper discusses a list of desirable properties that are preferred in any robust Captcha scheme. We expect this work will provide good aspects for Captcha developers to avoid many design flaws.