Can CAPTCHA Be Broken? (and what can we do about it)
The shortest and most straightforward answer to this question is: YES! Given enough time and effort, absolutely every single CAPTCHA implementation can be broken. This has been most prominently shown in the past by high-profile Captcha-breaking incidents such as the Ticketmaster, Yahoo and Microsoft Captcha cases (among others).
CAPTCHA Is Not Perfect
Much of this can be explained by the "arms race" between defenders and attackers, which is a normal phase of development in the formative years of any security solution. And even when the underlying technology matures and reaches an acceptable level of basic security, some elementary constraints remain. With Captcha protection, as with all security solutions, risk can only be decreased – but there is no such thing as a single security measure that is 100% safe.
However, once these basic facts have been established, we can begin to realistically assess the effectiveness of Captcha as a security measure. Just because somebody could theoretically spend a lot of resources to create a bot that bypasses a large enough percentage of any individual Captcha implementation's challenges doesn't mean that they will do so.
...But It Can Be Useful
People, including Internet criminals, do things for a reason. The most common reason behind automated form submissions is spamming – i.e. spreading a huge amount of nonsense and hoping enough people will fall for it for it to pay off for the spammer. Knowing the adversary is half the battle, and once we know what the attackers are after, we can prepare to defend against them.
One of the points of using any kind of protection in the first place is to make would-be attackers expend effort and resources to bypass it. Think about the lock on your front door: it can also be broken, given enough time and effort (or a large enough power tool), but it still provides adequate protection. Locking your door doesn't 100% ensure that nobody will ever enter your apartment without your permission – but it helps a great deal, because it means they will have to try to pick or break the lock, and that takes time and risks attracting attention.
Benefits of Using BotDetect CAPTCHA Protection
CAPTCHA Discourages Casual Attackers
Using a Captcha challenge during form submission significantly reduces the number of potential attackers on your website. Captcha ensures that every beginner hacker and simple-minded bot randomly posting garbage can't break your web forms – just like the lock on your front door ensures that every random passer-by can't take a stroll through your bedroom.
CAPTCHA Points Out Dedicated Attackers
Even if you encounter a dedicated attacker who is specifically trying to bypass the Captcha on your site, you will be able to respond. If somebody requests thousands of Captcha images or sounds per minute from the same IP address, you can block that IP for progressively longer time periods. If somebody does the same from multiple addresses or IP ranges, you can report a DDoS attack to your ISP, etc. Captcha is not an absolute security measure to end all other security measures, but another useful tool in the webmaster's security toolbox.
To continue the door lock analogy, if you found somebody fiddling with your lock, you would call the police. If you found scratches on the lock, showing that somebody had been tinkering with it, you would pay extra attention to your apartment during the next few days. You wouldn't call the lock an inadequate security measure because somebody was trying to bypass it – it did exactly what it was supposed to.
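The "progressively longer block" response described above can be implemented as a small rate limiter in front of the challenge-serving endpoint. The following is an added example, not BotDetect's own code: it assumes an access log in the constructed form "seconds ip path", a hypothetical /captcha/ path prefix for image and sound requests, and deliberately low thresholds so the behaviour is visible on a handful of constructed log lines.

```python
"""Progressive per-IP blocking of CAPTCHA challenge requests (added example).

Assumptions (not from BotDetect): log lines look like "<seconds> <ip> <path>",
challenge images/sounds are served under CAPTCHA_PREFIX, and the thresholds
below are tuned for a demo rather than for production traffic.
"""
from collections import defaultdict, deque

THRESHOLD = 5               # challenge requests allowed per window (demo value)
WINDOW = 60.0               # sliding window in seconds
BASE_BLOCK = 60.0           # first block length; doubles on every repeat offence
MAX_BLOCK = 24 * 3600.0     # cap so a block never exceeds one day
CAPTCHA_PREFIX = "/captcha/"  # hypothetical path of image/sound challenge requests


class ProgressiveLimiter:
    def __init__(self):
        self._recent = defaultdict(deque)   # ip -> request times inside the window
        self._blocked_until = {}            # ip -> time at which the current block ends
        self._offences = defaultdict(int)   # ip -> number of blocks imposed so far

    def allow(self, ip, now):
        """Return True if a challenge may be served to ip at time now, else False."""
        until = self._blocked_until.get(ip)
        if until is not None and now < until:
            return False                    # still inside an active block
        q = self._recent[ip]
        q.append(now)
        while q and now - q[0] > WINDOW:    # drop requests that left the window
            q.popleft()
        if len(q) > THRESHOLD:
            self._offences[ip] += 1
            # each offence doubles the block: 60 s, 120 s, 240 s, ... up to MAX_BLOCK
            duration = min(BASE_BLOCK * 2 ** (self._offences[ip] - 1), MAX_BLOCK)
            self._blocked_until[ip] = now + duration
            q.clear()
            return False
        return True

    def offences(self, ip):
        return self._offences.get(ip, 0)


def replay_log(lines, limiter):
    """Feed only challenge requests to the limiter; return (ip, allowed) per request."""
    verdicts = []
    for line in lines:
        ts, ip, path = line.split()
        if not path.startswith(CAPTCHA_PREFIX):
            continue                        # ordinary page hits are not rate-limited here
        verdicts.append((ip, limiter.allow(ip, float(ts))))
    return verdicts


def summarize(verdicts):
    summary = {}
    for ip, allowed in verdicts:
        s = summary.setdefault(ip, {"allowed": 0, "blocked": 0})
        s["allowed" if allowed else "blocked"] += 1
    return summary


# Constructed sample log: 203.0.113.5 floods the endpoint twice, 198.51.100.7 is normal.
SAMPLE_LOG = (
    [f"{t} 203.0.113.5 /captcha/image" for t in range(0, 8)]        # burst 1
    + ["10 198.51.100.7 /captcha/image", "11 198.51.100.7 /captcha/sound",
       "12 203.0.113.5 /login",                                     # not a challenge
       "50 203.0.113.5 /captcha/image",                             # inside 60 s block
       "100 203.0.113.5 /captcha/image"]                            # block expired
    + [f"{t} 203.0.113.5 /captcha/image" for t in range(200, 207)]  # burst 2
    + ["300 203.0.113.5 /captcha/image",                            # inside 120 s block
       "330 203.0.113.5 /captcha/image"]                            # block expired
)


def run_demo():
    limiter = ProgressiveLimiter()
    summary = summarize(replay_log(SAMPLE_LOG, limiter))
    return summary, limiter.offences("203.0.113.5"), limiter.offences("198.51.100.7")


if __name__ == "__main__":
    print(run_demo())
```

The limiter keys only on the challenge endpoint, so legitimate users who reload a page a few times are unaffected, while a scraper pulling images in bulk hits the threshold quickly and each repeat offence costs it a longer pause. In production the state would live in a shared store rather than process memory, and the thresholds would be set from observed traffic.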
CAPTCHA Can Be Adapted to Match the Challenge
You can always change the Captcha generation algorithm if the one you were using previously is broken (if somebody broke into your apartment, it's only sensible to change the locks afterwards). Our product provides multiple Captcha image and sound styles – 60 image and 10 sound styles in the latest version, and we still plan to add more.
It's highly unlikely that a hacker will spend all their time trying to break new Captcha styles as you change them. On the other hand, Captcha security is our business. Every day we work hard on improving the existing Captcha styles and inventing new and better ones.
High-Security CAPTCHA Protection Is Available
Instead of using a single Captcha style to generate the challenges, you can drastically increase safety by randomizing it: using a Captcha code of random length, with the Captcha image drawing style and Captcha sound generation style randomly selected from a pool of possible choices.
Besides the Captcha code actually used, an attacker will then also have to recognize which of the many Captcha generation possibilities they are dealing with. This makes the attack significantly harder, and often just not worth the effort. Our product supports this functionality out-of-the-box, and comes with code examples showing how to implement such Captcha randomization.
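The randomization just described amounts to drawing the code length, the image style and the sound style independently from a cryptographically secure source for every challenge, and then verifying the answer server-side against a single-use, expiring record. The following is an added example and is not BotDetect's code or its API: the style names, length range, alphabet and time-to-live are constructed placeholders, and the chosen style and code would be handed to whatever renderer actually draws the image or synthesizes the sound.

```python
"""Randomized CAPTCHA challenge parameters with server-side verification (added example).

Assumptions (not from BotDetect): IMAGE_STYLES and SOUND_STYLES are placeholder
names for a renderer's style pool, codes are MIN_LEN..MAX_LEN characters, and a
challenge expires TTL seconds after it is issued.
"""
import hmac
import secrets
import time

IMAGE_STYLES = ["style_a", "style_b", "style_c", "style_d"]   # constructed names
SOUND_STYLES = ["voice_a", "voice_b", "voice_c"]              # constructed names
MIN_LEN, MAX_LEN = 4, 8
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O/1/I so humans are not confused
TTL = 300.0                                     # seconds a challenge stays answerable


def new_challenge():
    """Draw length, code, image style and sound style independently with a CSPRNG.

    An attacker therefore cannot assume a fixed code length or a single
    rendering style when building a solver; every challenge varies in all three.
    """
    length = MIN_LEN + secrets.randbelow(MAX_LEN - MIN_LEN + 1)
    code = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return {
        "code": code,
        "image_style": secrets.choice(IMAGE_STYLES),
        "sound_style": secrets.choice(SOUND_STYLES),
    }


class ChallengeStore:
    """Server-side record of issued challenges; the code never leaves the server."""

    def __init__(self):
        self._pending = {}   # challenge id -> (expected code, expiry time)

    def issue(self, now=None):
        now = time.time() if now is None else now
        challenge = new_challenge()
        cid = secrets.token_urlsafe(16)          # unguessable id sent to the client
        self._pending[cid] = (challenge["code"], now + TTL)
        return cid, challenge

    def verify(self, cid, answer, now=None):
        """True only for a correct, unexpired answer; the challenge is consumed either way."""
        now = time.time() if now is None else now
        entry = self._pending.pop(cid, None)     # single use: no retries against one image
        if entry is None:
            return False
        code, expiry = entry
        if now > expiry:
            return False
        # constant-time comparison; case-insensitive so the user need not match the font's case
        return hmac.compare_digest(code.upper(), answer.strip().upper())


if __name__ == "__main__":
    store = ChallengeStore()
    cid, ch = store.issue()
    print(cid, ch)                               # the code would be rendered, not printed, in practice
    print(store.verify(cid, ch["code"]))
```

Two details matter as much as the randomization itself: the expected code is stored only on the server and looked up by an unguessable id, and a challenge is removed on the first verification attempt, so an automated solver gets exactly one guess per rendered image rather than unlimited tries against the same one.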
If Everything Else Fails...
You can always count on our immediate support in case of persisting attacks!
Further Reading
To make sure you are using Captcha protection effectively, you should also consider the other Captcha best practices.
Current BotDetect Versions
- BotDetect ASP.NET CAPTCHA v4.4.2 (2019-07-22)
- BotDetect Java CAPTCHA v4.0.Beta3.7 (2019-07-22)
- BotDetect PHP CAPTCHA v4.2.5 (2019-07-22)