Last week I was talking with my brother about his new website, which we are in the process of building (actually, we’re in the process of preparing for the process of building the site). Our discussion ranged far and wide, and we got onto the topic of the challenge-response tests known as CAPTCHAs. This is a rather repetitively redundant acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.” If you use the internet regularly you probably see these all the time—those images of distorted text that you have to decipher before you can submit a comment, sign-up for a service, etc. I have to fill them out whenever I want to comment on certain blogs that I visit regularly. I understand why they are used, and I don’t begrudge those who use them their security and freedom from comment spam, but they sure are annoying.
The idea behind most CAPTCHAs is that the distorted text will be easily decipherable to humans but impenetrable to computers. That’s the theory, at least. In reality, there are computerized methods out there for breaking certain CAPTCHAs, and a lot of times the text can be very hard to read for humans. Maybe it’s just me, but I find I often have to look very closely to decipher some CAPTCHAs, and even then I get them wrong sometimes. I’m not really too concerned about being mistaken for a computer, but it is something of a nuisance when I want to leave a comment on a friend’s blog.
So I got to thinking: there must be a better way. I’m not the only one to ask this question, of course. WordPress, for example, has a plug-in that asks users to answer a simple arithmetic question. Another project (by the people behind the original CAPTCHA) shows four related images and then asks the user to choose the word that they have in common. The former is clever and simple enough, while the latter seems overly complex (and at the same time limited to a finite list of key words). I started thinking about other ways to solve the problem, and I came up with an idea. Of course, once the idea entered my head, it refused to leave until I implemented it. So I dove back into PHP and the GD library of image functions and came up with a quick script that generated the random images I wanted. The next day I integrated this into a test page that made use of the image.
Now, before I show you the result, I feel I should clarify a couple of things: 1) I did not do extensive research on challenge-response test methods, so for all I know this has already been done, and 2) this is more of a proof of concept than a fully designed test. OK, now that I’ve gotten the requisite disclaimers out of the way, go take a look. (You may have to reload the page to get a new image after clicking the “return to test” link.)
The image draws on a source text file, takes five consecutive words at random from this text, and then chooses one of those words at random to highlight in red (the first word is never highlighted—this is my half-baked attempt at foiling OCR bots who might start reading and input the first thing they find). I chose an actual English text for my source (and a very short one at that—only 128 words), but it could easily be a random list of dictionary words. The point is that they are real words and they are not distorted, making them very easy to read and recognize.
The theory behind this method, of course, is that humans will be able to easily read and follow the instructions, whereas a computer will (hopefully) not. I realize that it would be relatively simple to write a program to defeat this particular test, but I think the basic idea is sound. The problem with most current CAPTCHAs is that we are letting the computers choose the playing field. That is, we’re turning human beings into OCR programs by making them sit there and do what computers normally do, just better. But there’s more to the human mind than pattern recognition. Although my implementation is a rather simple example, it could easily be made much more complex and still be accessible to the average user (barring visual impairment, of course). For example, each word could be a different color, and the instructions could change to request a random color.
Maybe I haven’t seen this type of CAPTCHA around because current technology would foil it far too easily—like I said, I didn’t do a lot of research on this. But I feel that it’s time we started moving in this direction. Rather than trying to beat computers at their own game, we should just refuse to play with them. The day may come when we will design an AI advanced enough to fool all Turing tests, but until then, we should take advantage of our superior intellect and reasoning. Challenge-response tests should draw on human reasoning skills that are beyond the reach of current AI. CAPTCHAs should be as painless as possible for us, even as they make life difficult for those who would try to foil them.
Of course, I am no expert in AI, encryption, OCR software, or any of the myriad fields involved here, so it’s quite possible that I am talking out of my butt and my challenge-response test is completely worthless. Still, it was a fun little coding challenge, and it took my mind off everything else I have to think about these days, so at least it was good for something.