|
|
|
|
|
|
by jere
4930 days ago
|
|
|
In your link, their first attempt at breaking reCaptcha seemed to yield a 17.5% success rate. I was referencing wikipedia, which stated a 60% success rate against Microsoft's captcha and a 30% success rate against Google's catpcha: http://en.wikipedia.org/wiki/Captcha#Computer_character_reco... Those papers may be a few years old and the state of the art may be different. But after an initial look I'm missing the reason that, compared to these captchas, you think that "3% is awful." >If a CAPTCHA can be solved or guessed in an automated fashion then attackers can just throw more (likely compromised) machines at the problem at little cost. I'm not ready to buy this. I would think every captcha is going to have some failure rate, even if it is extremely low. If attacks were absolutely free, then it wouldn't matter what the attack success rate was. Computers are fast, but not infinitely fast. Bandwidth is cheap, but not infinitesimally cheap. |
|
|
Random guessing gives you 3%, which is worse than random guessing on either the MSFT or reCAPTCHA.
This is far worse though. A simple loop over the 30 positions, running the output through an OCR engine would give you nearly 100%.
FWIW, I wrote the paper and AFAIK was the first person to break reCAPTCHA. I worked on the original MSFT Passport/Hotmail CAPTCHA system and improved MySpace's CAPTCHA which took spammer registrations from ~1,000,000/day (automated) to a few thousand (manual) in late 2007.