BaffleText: a human interactive proof

Internet services designed for human use are being abused by programs. We present a defense against such attacks in the form of a CAPTCHA (completely automatic public Turing test to tell computers and humans apart) that exploits the difference in ability between humans and machines in reading images of text. CAPTCHAs are a special case of ‘human interactive proofs,’ a broad class of security protocols that allow people to identify themselves over networks as members of given groups. We point out vulnerabilities of reading-based CAPTCHAs to dictionary and computer-vision attacks. We also survey the literature on the psychophysics of human reading, which suggests fresh defenses available to CAPTCHAs. Motivated by these considerations, we propose BaffleText, a CAPTCHA which uses non-English ‘pronounceable words’ to defend against dictionary attacks, and Gestalt-motivated image-masking degradations to defend against image restoration attacks. Experiments on human subjects confirm the human legibility and user acceptance of BaffleText images. We have found an image-complexity measure that correlates well with user acceptance and assists the generation of challenges to fit the ability gap. Recent computer-vision attacks, run independently by Mori and Malik, suggest that BaffleText is stronger than two existing CAPTCHAs.