Adventures in Bad CAPTCHA Design
I was just trying to register for a forum today, and came across a CAPTCHA that looked like this (this isn’t the one that I actually failed, but it was generated soon thereafter):
Seems pretty easy, right?
Only one problem: it’s case-sensitive. That is, uppercase and lowercase matter.
“X” and “x” look virtually alike, except for size. “O” and “o” do as well. Same with “S” and “s”. And when the characters are distorted in size to begin with… good luck.
Let’s see… that’s five characters that are ambiguous in this particular CAPTCHA… which makes 2^5 = 32 different possibilities for how this CAPTCHA should be entered.
Oh, no, wait… that third character could also be a zero. That means there are not 32, but 2^4 * 3 = 48 different possibilities.
Did nobody actually test this before rolling it out?
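To put the counting above into code, here is an added sketch (mine, not the forum's code) that enumerates the plausible readings of a challenge and compares exact matching with a check that tolerates look-alike glyphs. The confusable groups are limited to the pairs named above, and the sample string and function names are made up for illustration.

```python
from itertools import product

# Assumed confusable groups, built only from the pairs named in the post
# (X/x, O/o/0, S/s). A real deployment would tune this list for its font.
CONFUSABLE_GROUPS = ["Xx", "Oo0", "Ss"]
CANONICAL = {ch: group[0] for group in CONFUSABLE_GROUPS for ch in group}


def readings(ch):
    """All glyphs a user could plausibly type for one rendered character."""
    for group in CONFUSABLE_GROUPS:
        if ch in group:
            return group
    return ch


def plausible_entries(rendered):
    """Enumerate every string a user might reasonably type for `rendered`."""
    return ["".join(p) for p in product(*(readings(c) for c in rendered))]


def canonical(text):
    """Collapse each confusable glyph to one representative of its group."""
    return "".join(CANONICAL.get(c, c) for c in text.strip())


def verify_strict(expected, entered):
    """The behaviour complained about: exact, case-sensitive comparison."""
    return expected == entered


def verify_tolerant(expected, entered):
    """Accept any entry that differs only within a confusable group."""
    return canonical(expected) == canonical(entered)


# Constructed sample: four two-way ambiguous characters plus one O/o/0.
SAMPLE = "xSOsX"

if __name__ == "__main__":
    candidates = plausible_entries(SAMPLE)
    strict_ok = sum(verify_strict(SAMPLE, c) for c in candidates)
    tolerant_ok = sum(verify_tolerant(SAMPLE, c) for c in candidates)
    print(f"{len(candidates)} plausible readings")
    print(f"strict check accepts {strict_ok}, tolerant check accepts {tolerant_ok}")
```

Tolerant matching shrinks the answer space a little, so the cleaner fix is to leave confusable glyphs out of the CAPTCHA alphabet in the first place.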