CAPTCHA and the word superiority effect

Chris Dean's picture

CAPTCHA and the word superiority effect (WSE).

I have noticed facebook and other sites are starting to use real words more often (as opposed to pseudowords &c.) thus making them significantly easier to recognize. Does anyone know if this is on purpose?

Kevin Larson's picture

Using words do make it easier for people to solve the CAPTCHA, but it also makes it much easier for a computer program to solve. Using words is a terrible idea if a site is trying to stop frequent attacks from computer programs, but probably just fine if the site isn’t expecting someone to write custom programs to break your CAPTCHA.

I worked on a project where we investigated how to build a CAPTCHA that would be recognizable by people, but not by computer programs.

Interestingly, computer programs recognize single characters at a higher rate than people. To build an effective CAPTCHA you need to make it difficult for the computer program to segment the location of each of the characters.

eliason's picture

Allowing words instead of pseudowords adds the benefit of the possibility of using scanned texts, so that the decoding can not only verify a human reader, but also as a side effect advance the deciphering of scans. See this page about reCAPTCHA.

joeclark's picture

Keeping in mind, of course, that CAPTCHÆ can be and are defeated relatively trivially and guarantee a site becomes inaccessible to blind people.

There is a general trend toward asking mild skill-testing questions instead (“Is fire hot or cold?”), though this does not solve the problem of hiring Third World workers to solve CAPTCHÆ en masse. It is somewhat amazing we’re still using these relics.

Joe Clark

Kevin Larson's picture

> though this does not solve the problem of hiring Third World workers to solve CAPTCHÆ en masse

This is a variant of the porn monkey attack, where people would answer a CAPTCHA in order to access free porn. While this kind of attack on CAPTCHAs is frequently discussed, no one seems to know of this actually happening. Real attacks do come from computer programs that try to recognize CAPTCHAs.

Syndicate content Syndicate content