Question on reCAPTCHA strength, uptime, and longevity
422 views
Skip to first unread message
John DeRosa
Feb 28, 2008, 6:29:15 PM2/28/08
to reCAPTCHA
My site uses an in-house captcha based on PyCaptcha. We've noticed a
couple of occurrences that make us wonder if some users have broken
it. So, before we spend time to make it stronger, we're thinking
about moving to reCAPTCHA.
I've got two question that I'm hoping the reCAPTCHA powers-that-be
might answer. I assume some others have had these same questions on
occasion...
a) How strong is reCAPTCHA? I've read some informal comments (e.g.,
in http://tinyurl.com/25letw) about how you intend to keep it strong.
But can you quantify its strength compared to other captchas, today?
For example, http://www.codinghorror.com/blog/archives/001001.html
lists some captchas in order of what one Chinese hacker says is their
cracking ease. (Visit the Chinese site, and you'll see a captcha list
ranked in order of cracking difficulty.) Where would reCAPTCHA rank
in this list?
What about other efforts, like http://www.captchakiller.com/?
b) Can you me some idea of what your availability will be over the
next two years? I don't mean predicting outages, but rather what
you're funded for. Is there a guesstimate as to when you might run
out of OCR'd phrases? Or, if you've got funding for four servers for
the next four years, that's a bit different than if you're running out
of money at the end of March...
I think your intent with this is simply _great_. But the devil is
sometimes in the details, and I'm just trying to decide whether to
base our site on it.
Thanks,
John
couple of occurrences that make us wonder if some users have broken
it. So, before we spend time to make it stronger, we're thinking
about moving to reCAPTCHA.
I've got two question that I'm hoping the reCAPTCHA powers-that-be
might answer. I assume some others have had these same questions on
occasion...
a) How strong is reCAPTCHA? I've read some informal comments (e.g.,
in http://tinyurl.com/25letw) about how you intend to keep it strong.
But can you quantify its strength compared to other captchas, today?
For example, http://www.codinghorror.com/blog/archives/001001.html
lists some captchas in order of what one Chinese hacker says is their
cracking ease. (Visit the Chinese site, and you'll see a captcha list
ranked in order of cracking difficulty.) Where would reCAPTCHA rank
in this list?
What about other efforts, like http://www.captchakiller.com/?
b) Can you me some idea of what your availability will be over the
next two years? I don't mean predicting outages, but rather what
you're funded for. Is there a guesstimate as to when you might run
out of OCR'd phrases? Or, if you've got funding for four servers for
the next four years, that's a bit different than if you're running out
of money at the end of March...
I think your intent with this is simply _great_. But the devil is
sometimes in the details, and I'm just trying to decide whether to
base our site on it.
Thanks,
John
reCAPTCHA Support
Feb 28, 2008, 8:39:04 PM2/28/08
to reca...@googlegroups.com
a) How strong is reCAPTCHA? I've read some informal comments (e.g.,
in http://tinyurl.com/25letw) about how you intend to keep it strong.
But can you quantify its strength compared to other captchas, today?
Quantifying the strength of a CAPTCHA is difficult. All we can tell you is that, to the best of our knowledge, reCAPTCHA remains unbroken, despite being used to protect many notorious sites. We monitor our system closely, and can react to attacks very quickly.
For example, http://www.codinghorror.com/blog/archives/001001.html
lists some captchas in order of what one Chinese hacker says is their
cracking ease. (Visit the Chinese site, and you'll see a captcha list
ranked in order of cracking difficulty.) Where would reCAPTCHA rank
in this list?
It would fit among the hardest ones to break -- hopefully harder to break than Yahoo and Google's.
What about other efforts, like http://www.captchakiller.com/?
As far as we understand, captchakiller pays humans to solve the CAPTCHAs. There isn't much that can be done against such manual attacks. The good news, though, is that manual attacks are not of a very large scale, and typically require extremely dedicated attackers (who would be ok paying people real money to solve each CAPTCHA).
b) Can you me some idea of what your availability will be over the
next two years? I don't mean predicting outages, but rather what
you're funded for. Is there a guesstimate as to when you might run
out of OCR'd phrases? Or, if you've got funding for four servers for
the next four years, that's a bit different than if you're running out
of money at the end of March...
We expect to be around for many more than 2 years.
Best wishes,
The reCAPTCHA Team,
John DeRosa
Feb 28, 2008, 9:22:45 PM2/28/08
to reCAPTCHA
On Feb 28, 5:39 pm, "reCAPTCHA Support" <supp...@recaptcha.net> wrote:
> [snip]
I know my questions were somewhat open-ended, and in the case of
strength, I was looking for a confidence reading of your images vs.
the other methods. I appreciate you taking the time to answer them.
I think we'll wind up moving to reCAPTCHA.
Best,
John
> [snip]
I know my questions were somewhat open-ended, and in the case of
strength, I was looking for a confidence reading of your images vs.
the other methods. I appreciate you taking the time to answer them.
I think we'll wind up moving to reCAPTCHA.
Best,
John
John DeRosa
Mar 5, 2008, 8:22:28 AM3/5/08
to reCAPTCHA
On Feb 28, 5:39 pm, "reCAPTCHA Support" <supp...@recaptcha.net> wrote:
> > a) How strong is reCAPTCHA? I've read some informal comments (e.g.,
> > inhttp://tinyurl.com/25letw) about how you intend to keep it strong.
> > But can you quantify its strength compared to other captchas, today?
>
> Quantifying the strength of a CAPTCHA is difficult. All we can tell you is
> that, to the best of our knowledge, reCAPTCHA remains unbroken, despite
> being used to protect many notorious sites. We monitor our system closely,
> and can react to attacks very quickly.
>
> For example,http://www.codinghorror.com/blog/archives/001001.html
>
> Quantifying the strength of a CAPTCHA is difficult. All we can tell you is
> that, to the best of our knowledge, reCAPTCHA remains unbroken, despite
> being used to protect many notorious sites. We monitor our system closely,
> and can react to attacks very quickly.
>
>
> > lists some captchas in order of what one Chinese hacker says is their
> > cracking ease. (Visit the Chinese site, and you'll see a captcha list
> > ranked in order of cracking difficulty.) Where would reCAPTCHA rank
> > in this list?
>
> It would fit among the hardest ones to break -- hopefully harder to break
> than Yahoo and Google's.
Here's another Coding Horror summary of the state of CAPTCHAs:
> > lists some captchas in order of what one Chinese hacker says is their
> > cracking ease. (Visit the Chinese site, and you'll see a captcha list
> > ranked in order of cracking difficulty.) Where would reCAPTCHA rank
> > in this list?
>
> It would fit among the hardest ones to break -- hopefully harder to break
> than Yahoo and Google's.
http://www.codinghorror.com/blog/archives/001067.html.
(I'm not involved with that blog, but he makes some cogent
observations.)
John
Reply all
Reply to author
Forward
0 new messages