If CAPTCHAs are decommissioned what comes next?

Summary:CAPTCHAs sound like a great idea. Give humans a little test to verify they aren't machines, verify an account and thwart hackers.

CAPTCHAs sound like a great idea. Give humans a little test to verify they aren't machines, verify an account and thwart hackers. But CAPTCHAs no longer offer a good defense to thwart malicious hackers. So what's next?

Last week, Websense noted that Google's Gmail CAPTCHA was busted. A few weeks before that incident Microsoft Windows Live Mail's CAPTCHA defense fell to spam bots. Meanwhile, some humans can't get through the CAPTCHA system. Add it up and you get the worst of both worlds: CAPTCHA (Completely Automated Turing Test To Tell Computers and Humans Apart) doesn't keep hackers out, but does hamper real live humans.

Gunter Ollmann, a researcher at IBM's ISS unit, tackles the CAPTCHA issue. He points out that CAPTCHA's used to be a good defense against automated attacks, but don't stand a chance against today's malware. Ollmann writes:

CAPTCHA's were a good idea, but frankly, in today's profit-motivated attack environment they have largely become irrelevant as a protection technology. Yes, the CAPTCHA's can be made stronger, but they are already too advanced for a large percentage of Internet users. Personally, I don't think it's really worth strengthening the algorithms used to create more complex CAPTCHA's - instead, just deploy them as a small "speed-bump" to stop the script-kiddies and their unsophisticated automated attack tools. CAPACHA's aren't the right tool for stopping today's commercially minded attackers.

Ollmann argues that CAPTCHAs can't compete anymore in the hacker algorithm arms race, but skips past the biggest question. If we decommission CAPTCHAs what do we replace it with?

I'm not going to proclaim that I have an answer--I'm rarely the smartest guy in the room unless I'm alone in a Manhattan studio--but it's a question worth asking. A few items to ponder for future discussion:

  • Do we need a CAPTCHA 2.0 system?
  • Is the minor defense that CAPTCHAs provide better than nothing?
  • What should we do to prevent automated attacks?


Topics: Security


Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.