A Security Analysis of Captchas with Large Character Sets

Abstract

Captcha, which can prevent computer programs from attacking websites, has been the most important security technology for many years. The most popularly deployed Captcha is the text-based scheme. The vast majority of the existing text Captchas are designed with English letters and Arabic numerals. Recently, text Captchas with large character sets are being increasingly popular. From the perspective of attackers, larger character set means greater solution space and better theoretical security. However, the security of Captchas with large character sets in real world has never been studied comprehensively. In this article, we introduce a simple, fast, and effective deep learning method to attack these newly emerging Captchas. Taking 11 Chinese Captchas as representatives, we ran our experimental attack on each of them. Our attack achieved high success rates, ranging from 34.7 to 86.9 percent at an average speed of 0.175 seconds on these schemes. All of the results show that the Chinese text Captcha can be easily broken, demonstrating that text Captchas with large character sets are also insecure in existing forms. As a substitute, we proposed a 3D image-based scheme combining semantic comprehension and dragging action. The preliminary experimental results show that it is more robust than current text-based schemes.