My site uses an in-house captcha based on PyCaptcha.  We've noticed a
couple of occurrences that make us wonder if some users have broken
it.  So, before we spend time to make it stronger, we're thinking
about moving to reCAPTCHA.

I've got two question that I'm hoping the reCAPTCHA powers-that-be
might answer.  I assume some others have had these same questions on
occasion...

a) How strong is reCAPTCHA?  I've read some informal comments (e.g.,
in http://tinyurl.com/25letw) about how you intend to keep it strong.
But can you quantify its strength compared to other captchas, today?

For example, http://www.codinghorror.com/blog/archives/001001.html
lists some captchas in order of what one Chinese hacker says is their
cracking ease.  (Visit the Chinese site, and you'll see a captcha list
ranked in order of cracking difficulty.)  Where would reCAPTCHA rank
in this list?

What about other efforts, like http://www.captchakiller.com/?

b) Can you me some idea of what your availability will be over the
next two years?  I don't mean predicting outages, but rather what
you're funded for.  Is there a guesstimate as to when you might run
out of OCR'd phrases?  Or, if you've got funding for four servers for
the next four years, that's a bit different than if you're running out
of money at the end of March...

I think your intent with this is simply _great_.  But the devil is
sometimes in the details, and I'm just trying to decide whether to
base our site on it.

Thanks,

John

Quantifying the strength of a CAPTCHA is difficult. All we can tell you is
that, to the best of our knowledge, reCAPTCHA remains unbroken, despite
being used to protect many notorious sites. We monitor our system closely,
and can react to attacks very quickly.

For example, http://www.codinghorror.com/blog/archives/001001.html

It would fit among the hardest ones to break -- hopefully harder to break
than Yahoo and Google's.

As far as we understand, captchakiller pays humans to solve the CAPTCHAs.
There isn't much that can be done against such manual attacks. The good
news, though, is that manual attacks are not of a very large scale, and
typically require extremely dedicated attackers (who would be ok paying
people real money to solve each CAPTCHA).

We expect to be around for many more than 2 years.

Best wishes,
The reCAPTCHA Team,

On Feb 28, 5:39 pm, "reCAPTCHA Support" <supp...@recaptcha.net> wrote:

I know my questions were somewhat open-ended, and in the case of
strength, I was looking for a confidence reading of your images vs.
the other methods.  I appreciate you taking the time to answer them.

I think we'll wind up moving to reCAPTCHA.

Best,

John

On Feb 28, 5:39 pm, "reCAPTCHA Support" <supp...@recaptcha.net> wrote:

Here's another Coding Horror summary of the state of CAPTCHAs:
http://www.codinghorror.com/blog/archives/001067.html.

(I'm not involved with that blog, but he makes some cogent
observations.)

John