CAPTCHA is an abbreviation for Completely Automated Public Turing test to tell Computers and Humans Apart.

CAPTCHA is meant to thwart one specific category of attacker: automated dictionary or brute-force trial-and-error with no human operator.

There is no doubt that this is a real threat, but there are ways of dealing with it seamlessly that don't require a CAPTCHA, specifically properly designed server-side login throttling schemes.

Know that CAPTCHA implementations are not created alike: they often aren't human-solvable, most of them are ineffective against bots, all of them are ineffective against cheap outsourced human labor (according to OWASP, the going sweatshop rate is $12 per 500 tests), and some implementations may be technically illegal in some countries (see the OWASP Guide To Authentication).

If you must use a CAPTCHA, use Google's reCAPTCHA. The original, text-based reCAPTCHA is OCR-hard by construction (it uses words from book scans that OCR has already misclassified) and tries very hard to be user-friendly; note that later reCAPTCHA versions dropped distorted text in favour of behavioural risk analysis.

We personally find CAPTCHAs annoying (poor user experience), and use them only as a last resort, when a user has failed to log in a number of times and the server-side login throttling scheme is maxed out. This happens rarely enough to be acceptable, and it strengthens the system as a whole.
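As an added example, not code from the original page, here is the kind of scheme the paragraphs above describe: a server-side login throttle in Python with exponential back-off per (account, client IP) that only demands a CAPTCHA once the back-off has reached its cap, i.e. once throttling is maxed out. The policy constants, the in-memory counter store, the credential table, the `verify_captcha` stand-in and the `FakeClock` used to replay the schedule are all assumptions for illustration.

```python
"""Server-side login throttling with a CAPTCHA fallback (added example).

Assumptions: an in-memory counter store keyed by (account, client IP), a
plaintext credential table and a stand-in CAPTCHA verifier. A real deployment
keeps the counters in a shared store (e.g. Redis) so every application server
sees the same state, and compares password hashes rather than plaintext.
"""
import time
from dataclasses import dataclass

# Policy knobs (assumed values, tune to taste).
FREE_ATTEMPTS = 3     # failures allowed before any delay is imposed
BASE_DELAY = 1.0      # seconds; doubles with every further failure
MAX_DELAY = 60.0      # delay cap: once reached, throttling is "maxed out"
WINDOW = 15 * 60      # seconds of quiet after which a counter is forgotten


@dataclass
class Counter:
    failures: int = 0
    last_failure: float = 0.0
    retry_after: float = 0.0      # unix time before which attempts are refused


@dataclass
class Decision:
    allowed: bool                 # may a credential check run right now?
    wait: float = 0.0             # seconds to wait if not allowed
    need_captcha: bool = False    # must a solved CAPTCHA accompany the attempt?


def delay_for(failures: int) -> float:
    """Exponential back-off after the free attempts, capped at MAX_DELAY."""
    if failures < FREE_ATTEMPTS:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY)


class LoginThrottle:
    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so the schedule can be replayed
        self._counters: dict[tuple[str, str], Counter] = {}

    def _get(self, username: str, ip: str) -> Counter:
        key = (username.lower(), ip)
        c = self._counters.get(key)
        if c is None or self._clock() - c.last_failure > WINDOW:
            c = Counter()
            self._counters[key] = c
        return c

    def check(self, username: str, ip: str) -> Decision:
        c = self._get(username, ip)
        now = self._clock()
        # CAPTCHA is the last resort: demanded only once the back-off hits its cap.
        captcha = delay_for(c.failures) >= MAX_DELAY
        if now < c.retry_after:
            return Decision(False, wait=c.retry_after - now, need_captcha=captcha)
        return Decision(True, need_captcha=captcha)

    def record_failure(self, username: str, ip: str) -> float:
        c = self._get(username, ip)
        now = self._clock()
        c.failures += 1
        c.last_failure = now
        delay = delay_for(c.failures)
        c.retry_after = now + delay
        return delay

    def record_success(self, username: str, ip: str) -> None:
        self._counters.pop((username.lower(), ip), None)


# Constructed stand-ins for the credential store and the CAPTCHA provider.
USERS = {"alice": "correct horse battery staple"}


def verify_captcha(token) -> bool:
    return token == "solved"      # stand-in for a call to the CAPTCHA provider


def login(throttle, username, ip, password, captcha_token=None) -> str:
    d = throttle.check(username, ip)
    if not d.allowed:
        return f"throttled: retry in {d.wait:.0f}s"
    if d.need_captcha and not verify_captcha(captcha_token):
        return "captcha required"     # the password is not even examined
    if USERS.get(username) == password:   # real code: compare password hashes
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "invalid credentials"      # same text for unknown user and wrong password


class FakeClock:
    """Manual clock so the back-off schedule can be replayed without sleeping."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def simulate(attempts=10):
    """Replay a guessing run: (attempt no., CAPTCHA demanded?, delay imposed)."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    user, ip = "alice", "203.0.113.7"    # constructed account and attacker IP
    log = []
    for n in range(1, attempts + 1):
        d = throttle.check(user, ip)
        if not d.allowed:                # the guesser has to sit out the delay
            clock.advance(d.wait)
            d = throttle.check(user, ip)
        log.append((n, d.need_captcha, throttle.record_failure(user, ip)))
    return log


if __name__ == "__main__":
    for n, captcha, delay in simulate():
        print(f"attempt {n:2d}: captcha={captcha!s:5} next delay={delay:4.0f}s")
```

With these constants a guesser gets three free attempts, then waits 1, 2, 4, 8, 16, 32 and 60 seconds, and from the tenth attempt onward must also solve a CAPTCHA; a legitimate user who mistypes once or twice never sees a delay at all. Keying on (account, IP) alone lets an attacker with many IPs sidestep the scheme, so a production version also keeps a looser per-account counter; conversely, a per-account-only counter lets an attacker lock a victim out on purpose, which is exactly why the page prefers throttling plus a late CAPTCHA over hard lockouts.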

CAPTCHA Statistics#

Stanford University conducted an interesting study (Bursztein et al., "How Good Are Humans at Solving CAPTCHAs?", 2010) examining how much friction CAPTCHAs actually impose on human users.

A few takeaways:

  • Three people looking at the same text CAPTCHA agreed on the reading only 71% of the time.
  • Average time to solve a text-based CAPTCHA was 9.8 seconds.
  • Three people listening to the same audio CAPTCHA came up with the same value only 31.2% of the time.
  • Average time to solve an audio CAPTCHA was 28.4 seconds.
  • Time to solve was even longer for non-native English speakers.

Using Secret Questions#

Do not implement 'secret questions'. The 'secret questions' feature is a security anti-pattern: the answers (mother's maiden name, first pet, city of birth) are low-entropy, frequently discoverable from public records or social media, and reused across sites, so they amount to a weaker second password that bypasses the real one.
