Human-proofing with Tibtihtwibto
I’d like to talk about CAPTCHA today.
CAPTCHA means “Completely Automated Public Turing test to tell Computers and Humans Apart.” It’s probably more commonly known as something like “That Irritating Blurry Text I Have To Type Whenever I Buy Tickets Online,” but, honestly, between CAPTCHA and TIBTIHTWIBTO, I prefer CAPTCHA.
Here’s the Turing test: you have a human talk to a computer and to another human and try to determine which is which. If the human judge can’t tell them apart, then the computer has passed the Turing test. The test is supposed to determine if an AI can think. (Though Dijkstra said, “The question of whether a computer can think is no more interesting than the question of whether a submarine can swim.”)
But CAPTCHA’s slightly different; it isn’t a true Turing test (some people call it a “reverse Turing test”, but that’s ambiguous). But I’ve always preferred to think of CAPTCHA in terms of cryptography. In crypto, you have to transform plaintext into ciphertext in such a way that it is impossibly inefficient to convert it back without some kind of key. In the case of CAPTCHA, the key to turning the ciphertext (wiggly words) into plaintext (uh, plain text) is human-level cognition, so a sort of cognitive decryption takes place.
Here’s a site I found not long ago that I find incredibly interesting: OCR Research Team. OCR stands for Optical Character Recognition, and these guys analyze CAPTCHAs and create programs to pass them automatically. My favorite part is the List of Weakness, where they show examples of several different CAPTCHAs and describe why they are easy to defeat. They also have an incredibly slick CAPTCHA that they call tEABAG_3D. In terms of security, it’s my favorite.
The really fun CAPTCHAs, though, aren’t text-based at all. A fairly famous new one is called Kittenauth. Basically, it gives you a grid of animal pictures and the name of an animal. Then you pick all the pictures of that animal. It’s a fun twist on CAPTCHA, and I like it a lot. Microsoft has a similar one called Asirra. There’s also ESP-PIX, in which you have to tie all the pictures it shows together with some word. I’m really bad at solving it. See also: the ESP Game.
A favorite of mine (its current implementation doesn’t work, because guessing isn’t that hard, it can likely be solved by a computer, it could be considered NSFW, and it can be difficult for people to solve – wait, why is it my favorite?) is the hotcaptcha. Some people seem to be really bad at solving it, but it’s a fun idea: choose three hotties out of a sea of uglies. With a lot of refinement, it could be awesome.
Here’s a site making a case against graphical CAPTCHAs. A major complaint of theirs is that CAPTCHA should be an ancillary function of authentication, rather than a huge centerpiece-sized element. I think their complaint would be very much addressed by something that conveniently combines authentication and human-proofing.
Vidoop does exactly that; it uses a CAPTCHA for sign-on. What’s interesting is that people tend to associate Vidoop with Sitekey (Bank of America’s phishing deterrent), because it’s associated with banks and pictures, but I think Vidoop has more in common with Kittenauth and tEABAG than it does with Sitekey. It’s hard to overstate how awesome it is that computers are really, really bad at trying to log into your account.
I’m thinking about poking around inside Tesseract sometime, though it’s a little daunting. Does anyone know of a really readable open-source OCR or a link to a good explanation of the way the technology typically works?