Fun with RadCaptcha for ASP.NET AJAX and OCR software

Monday, April 19, 2010 by ASP.NET AJAX Team | Comments 5

A friend of mine was evaluating OCR software and finally decided to go with FineReader. I was curious what would happen if we fed it images from the RadCaptcha control. Would the advanced OCR manage to decode them or not? At first he showed me a test run with the RadCaptcha demo description, to get an idea of the basic output:

 Recognized Image

 Naturally, the captured description text was no problem - only a few characters were misread but then corrected with the spellcheck. Next, the real test was performed:

CAPTCHA test 1  CAPTCHA test 2

 These were only a couple of the results, but there is no need to post the rest of the tests - none of the RadCaptcha images were recognized by the OCR software. Here are the CaptchaImage settings used in the tests:

  • Background Noise Level: Low (default value)
  • Line Noise Level: Low (default value)
  • Font Warp Factor: Low (Medium is the default value)

As you can see, it cannot get any easier than this.

On a different note, the first Q1 2010 Service Pack release for our ASP.NET AJAX controls is out now. The RadCaptcha control received an update to its audio feature - the control will attempt to play the audio file directly in the browser via HTML5 audio or the QuickTime plug-in where available. You can "hear" the difference on our updated online demos.

5 Comments

  • Daniel 20 Apr 2010
    This post feels highly misleading. Of course a generalized OCR solution will have difficulty with simple CAPTCHAs, since that is not its intended use. A much more interesting question is whether or not software designed to attack CAPTCHAs (and to specifically attack the RadCaptcha) can successfully read the image. Considering that plenty of more complicated CAPTCHAs have been cracked, I would be very surprised if the RadCaptcha were significantly more difficult to crack.

    I'm disappointed that this article has been posted, as it gives a very false sense of RadCaptcha security. Yes, it's a nice and simple widget to integrate into a site, and it's one that I personally use. However, publicly making implicit claims about the security of the RadCaptcha using such poor and misleading evidence should not be acceptable.
  • Jeff 20 Apr 2010
    Daniel, does "Fun with RadCaptcha" sound like "it's the most secure captcha control on the market"? Other than that I also think that you should test RadCaptcha some other way although I have no idea how. I guess people who attack captchas don't sell their "products" online.
    Still... kudos for your efforts.
  • ha 20 Apr 2010
    Mr Stratev please google "Crack CAPTCHA" then tell me RadCaptcha is "unbreakable".
  • Vassil Terziev 20 Apr 2010
    Guys, I don't think anyone has made claims that RadCaptcha is unbreakable. No software is unbreakable and we would never make such a misleading claim. People break into the systems of the military which are highly secure so if some "bad hacker" wants to break our little captcha, by all means he will be successful. But it's all about the skill level and the resources required.

    We're talking about a simple way to protect your blog from spammers, not how to secure your corporate IT environment with a captcha:) Let's not miss the "fun" part of Stoyan's blog.
  • Stoyan Stratev 21 Apr 2010
    Daniel and ha,
    I apologize if my post seemed misleading to you. I was not trying to imply that the RadCaptcha control is unbreakable - I am fully aware that this is not true. No CAPTCHA control is crack-proof, even the ones used to protect Google and Yahoo's email services have already been broken. Whether it is with an image recognition algorithm or by unsuspecting customers of shady "adult" sites, any CAPTCHA protection can be circumvented.

    That being said, I wish to explain why I made this post - strictly for fun and driven by the "what if?" curiosity. I have always wondered what would happen when you put a CAPTCHA in a commercial OCR, even though the software is not designed to work specifically with such images. Remember that such software has existed for more than 20 years and the character recognition algorithms in it are very sophisticated. When the opportunity presented itself, I decided to ask my friend to do some tests.

    On the question of security, my position is that one should never rely on a single solution alone. For example, in our control the CAPTCHA image can be combined with other protection strategies such as hidden textboxes, minimum submission time, etc. We also try to provide as many configuration options for the image itself, because having different options will make it harder for a generic algorithm to solve it.
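The layering mentioned in the last comment (a hidden textbox plus a minimum submission time, checked alongside the CAPTCHA answer) can be sketched on the server side as follows. This is an added, framework-independent example, not part of the original post or comments and not RadCaptcha's implementation; the key, field names and thresholds are assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: per-application secret
MIN_SECONDS = 3                       # assumed fastest plausible human submit
MAX_SECONDS = 3600                    # assumed lifetime of a rendered form
HONEYPOT_FIELD = "website"            # hypothetical hidden textbox name


def _sign(issued):
    return hmac.new(SECRET_KEY, issued.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Value for a hidden field, created when the form is rendered."""
    issued = str(int(time.time() if now is None else now))
    return issued + "." + _sign(issued)


def check_submission(form, now=None):
    """Return (accepted, reason) for a posted form given as a dict."""
    now = time.time() if now is None else now

    # Layer 1: the hidden textbox is invisible to people, so any value
    # in it means the form was filled in by a script.
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"

    # Layer 2: the render timestamp is signed, so the client cannot
    # backdate it to get past the timing check.
    issued, _, sig = form.get("form_token", "").partition(".")
    if not (issued.isascii() and issued.isdigit()):
        return False, "bad token"
    if not hmac.compare_digest(sig.encode(), _sign(issued).encode()):
        return False, "bad token"

    # Layer 3: minimum submission time, plus an upper bound on form age.
    age = now - int(issued)
    if age < MIN_SECONDS:
        return False, "submitted too fast"
    if age > MAX_SECONDS:
        return False, "form expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_form_token(now=1000)  # constructed sample submission
    print(check_submission({"form_token": token, "website": ""}, now=1010))
```

A script that loads the form and waits a few seconds before posting still passes these checks, so they raise the cost of automated posting rather than replace the CAPTCHA.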
