Tutorial: what can be used instead if CAPTCHA is insecure?


As far as I read from here, captchas are not 100% secure. What can be used instead of captcha? As a programmer, what do you think? How do you solve this issue?

Edit: thanks for all the answers.


This is an unsolved problem, and will become more unsolved as time passes. The better the OCR tools get, the smaller the gap between humans and computers, and the harder it will be to tell them apart. Eventually, computers will be indistinguishable from humans, and then the game will be up.

If your server wants to make sure that a human is at the other end of a TCP pipe, there isn't a Turing test in existence that won't eventually be defeated (and there probably never will be one). CAPTCHA is doomed; it's just a matter of how soon.

Of course, that doesn't mean it's all over as far as human authentication is concerned. It just means that automated Turing tests, as convenient as they are, won't be an effective way to achieve this for very much longer.


  • Captcha involving human reflection (like a calculation, a really simple question, and the like).
  • Session tokens
  • A randomly generated hidden input which is required to be null: on the server side, generate a random identifier and keep it in a session for a while. If the input is filled and not null, then it might have been filled by a robot; will your users fill in a hidden input?

I think it really depends on what you are trying to control over the use of captcha.


Further explanation of a suggestion made by Boris:

randomly generated hidden input which requires to be null

The idea is that your form contains several invisible inputs, their type should probably not be set to hidden, but they should be invisible to a human (e.g. set width or height to 0). The initial content of these fields should be empty. If a human fills out the form, the field will be empty, because the human cannot see the field in order to enter anything into it, but if a bot fills out the form the field will (possibly) not be empty, because bots usually just blindly enter something into every field.

Thus, you can distinguish between a bot and a human based on whether the content of this field is empty.


Although captchas can be broken, captchas only add to security. reCAPTCHA is very good, and a trained OCR like Tesseract is going to have very limited success in breaking it. However, there are outfits that use human computation to break them for pennies. But this makes attacks against your system more expensive, and that's the best you can hope for. Cryptography can be broken with brute force. All password hashes are breakable, but we still use them because it makes it harder for the attacker.

Most of the "solutions" on this thread are "security through obscurity" and you should be wary of these quick fixes to a very complex problem.


Captchas are used to determine that an actual human being is making the request, not a machine. Captchas and captcha-like systems will upgrade, and so will the technology to break them.

So how do you prove that you're talking to a human and not a computer? You could, for instance, require users to engage in a chat session and have a small conversation. There's no AI nowadays that passes the Turing test.

So the answer is, no system is perfect. Don't try to solve this issue, but try to find a way to reduce the impact of this.


In the long run, governments could run OpenID servers as digital passports for their citizens. It would be a clean way to identify human beings and prevent sockpuppeting.


At the moment on my website I opted for simple questions. Some questions I've used in the past:

  • What is two to the power of one?
  • What is 2+2? (this one was hacked though so don't use it)
  • What is the name of this website domain?
  • What is the sum of two and two?

Some other nice ones could be

  • type in 'stuff' to this box as a spam check
  • What does 1337 look like? (using only letters)
  • the current year is?


The best way I can think of is using something unconventional, like a special hidden field that should be null (or another specific value) that robots will mess with.

If some robot maker adjusts his robot for your site, you'll have to quickly change the captcha to something different. It will (hopefully) take a good while before another robot maker adjusts his robot for your site.

Basically, it's security through obscurity that has to constantly change to remain obscure.

This won't work very well if someone is specifically targeting your site.


It's just an idea; I used it in my application and it works well.

You can create a cookie on mouse movement with JavaScript or jQuery and, on the server side, check whether the cookie exists. Because only humans have a mouse, the cookie can be created only by them. The cookie can be a timestamp or a token that can be validated.


Get the coordinates of the mouse and determine whether the coordinates have changed; from that you can determine whether it is a robot.

Then encrypt the coordinate data.
