By Luis von Ahn, Manuel Blum, and John Langford
You’ve probably seen them—colorful images with
distorted text in them at the bottom of Web registration
forms. CAPTCHAs are used by Yahoo, Hotmail, PayPal and How lazy
many other popular Web sites to prevent automated regis- cryptographers
trations, and they work because no computer program can
currently read distorted text as well as humans can. What do AI.
you probably don’t know is that a CAPTCHA is something
illustration by Jean-François Podevin
This is trial version COMMUNICATIONS OF THE ACM February 2004/Vol. 47, No. 2 57
more than just an image with distorted text: it is a Carnegie Mellon found a way to stuff the ballots by
test, any test, that can be automatically generated, using programs that voted for CMU thousands of
which most humans can pass, but that current com- times: CMU’s score started growing rapidly. The
puter programs cannot pass. Notice the paradox: a next day, students at MIT wrote their own voting
CAPTCHA is a program that can generate and program and the poll became a contest between vot-
grade tests that it itself cannot pass (much like some ing “bots.” MIT finished with 21,156 votes,
professors). Carnegie Mellon with 21,032 and every other
CAPTCHA stands for “Completely Automated school with less than 1,000. Can the result of any
Public Turing Test to Tell Computers and Humans online poll be trusted? Not unless the poll requires
Apart.” The P for Public means that the code and that only humans can vote.
the data used by a CAPTCHA should be publicly Another application involves free email services.
available. This is not an open source requirement, Several companies offer free email services that have
but a security guarantee: it should be difficult for suffered from a specific type of attack: “bots” that
someone to write a computer program that can pass signed up for thousands of email accounts every
the tests generated by a minute. This situation
CAPTCHA even if they has been improved
know exactly how the by requiring users to
CAPTCHA works (the prove they are human
only hidden information before they can get a
is a small amount of ran- free email account.
domness utilized to gener- Yahoo, for instance, uses
ate the tests). The T for a CAPTCHA of our
“Turing Test to Tell” is design to prevent bots
because CAPTCHAs are from registering for
like Turing Tests . In accounts.
the original Turing Test, a Some Web sites don’t
human judge was allowed to ask a series of questions Figure 1. Can you read three want to be indexed by
to two players, one of which was a computer and the words in this image? search engines. There is
other a human. Both players pretended to be the a HTML tag to prevent
human, and the judge had to distinguish between search engine bots from reading Web pages, but the
them. CAPTCHAs are similar to the Turing Test in tag doesn’t guarantee that bots won’t read the pages;
that they distinguish humans from computers, but it only serves to say “no bots, please.” Search engine
they differ in that the judge is now a computer. A bots, since they usually belong to large companies,
CAPTCHA is an Automated Turing Test. We delib- respect Web pages that don’t want to allow them in.
erately avoid using the term Reverse Turing Test (or However, in order to truly guarantee bots won’t
even worse, RTT) because it can be misleading— enter a Web site, CAPTCHAs are needed.
Reverse Turing Test has been used to refer to a form CAPTCHAs also offer a plausible solution against
of the Turing Test in which both players pretend to email worms and spam: only accept an email message
be a computer. if you know there is a human behind the other com-
puter. A few companies, such as www.spamarrest.
Applications com are already marketing this idea.
Although the goal of the original Turing Test was to Pinkas and Sander  have also suggested using
serve as a measure of progress for artificial intelli- CAPTCHAs to prevent dictionary attacks in pass-
gence—a computer would be said to be intelligent if word systems. The idea is simple: prevent a com-
it passed the Turing Test—making the judge be a puter from being able to iterate through the entire
computer allows CAPTCHAs to be useful for other space of passwords by requiring a human to type the
practical applications. passwords.
In November 1999, for example, the Web site
slashdot.com released an online poll asking which Examples of CAPTCHAs
was the best graduate school in computer science— CAPTCHAs further differ from the original Turing
a dangerous question to ask over the Web. As is the Test in that they can be based on a variety of sensory
case with most online polls, IP addresses of voters abilities. The original Turing Test was conversa-
were recorded in order to prevent single users from tional—the judge was only allowed to ask questions
voting more than once. However, students at over a text terminal. In the case of a CAPTCHA, the
This is trial version
February 2004/Vol. 47, No. 2 COMMUNICATIONS OF THE ACM
CAPTCHAs are similar to the
Turing Test in that they distinguish humans
from computers, but they differ in that the
judge is now a computer.
computer judge can ask which side does the iso-
any question that can be lated block belong in Fig-
transmitted over a com- ure 3? (Answer: the right
puter network. side.)
GIMPY and OCR-based PIX. PIX  is a pro-
CAPTCHAs. GIMPY  gram that has a large
is one of the many database of labeled
CAPTCHAs based on the images. All of these
difficulty of reading dis- images are pictures of
torted text. GIMPY works concrete objects (a horse,
by selecting seven words a table, a house, a flower).
out of a dictionary and rendering a distorted image Figure 2. Everything on the The program picks an
containing the words (as shown in Figure 1). GIMPY left is drawn with thick lines, object at random, finds
while everything on the right
then presents a test to its user, which consists of the is drawn with thin lines. six images of that object
distorted image and the directions: “type three words from its database, pre-
appearing in the image.” Given the types of distor- sents them to the user
tions that GIMPY uses, most humans can read three and then asks the question “what are these pictures
words from the distorted image, but current com- of?” Current computer programs should not be able
puter programs can’t. The majority of CAPTCHAs to answer this question, so PIX should be a
used on the Web today CAPTCHA. However,
are similar to GIMPY in PIX, as stated, is not a
that they rely on the dif- CAPTCHA: it is very
ficulty of optical charac- easy to write a program
ter recognition (the that can answer the ques-
difficulty of reading dis- tion “what are these pic-
torted text). tures of?” Remember that
Bongo. Another exam- all the code and data of a
ple of a CAPTCHA is CAPTCHA should be
the program we call publicly available; in par-
BONGO . BONGO ticular, the image data-
is named after M.M. base that PIX uses should
Bongard, who published be public. Hence, writing
a book of pattern recog- a program that can
nition problems in the answer the question
1970s . BONGO asks “what are these pictures
the user to solve a visual of?” is easy: search the
pattern recognition database for the images
problem. It displays two series of blocks, the left and Figure 3. To which side does presented and find their
the right. The blocks in the left series differ from the block on the bottom label. Fortunately, this
those in the right, and the user must find the char- can be fixed. One way for
acteristic that sets them apart. A possible left and PIX to become a
right series is shown in Figure 2. After seeing the two CAPTCHA is to randomly distort the images before
series of blocks, the user is presented with a single presenting them to the user, so that computer pro-
block and is asked to determine whether this block grams cannot easily search the database for the
belongs to the left series or to the right. The user undistorted image.
passes the test if he or she correctly determines the Sound-based CAPTCHAs. The final example we
side to which the block belongs. Try it yourself: to offer is based on sound. The program picks a word
This is trial version COMMUNICATIONS OF THE ACM February 2004/Vol. 47, No. 2 59
this approach has the beneficial side
effect of inducing security researchers, as
well as otherwise malicious programmers, to
advance the field of AI.
or a sequence of numbers at random, renders the A good example of this process is the recent
word or the numbers into a sound clip and distorts progress in reading distorted text images motivated
the sound clip; it then presents the distorted sound by the CAPTCHA in use at Yahoo. In response to
clip to the user and asks users to enter its contents. the challenge provided by this test, Malik and Mori
This CAPTCHA is based on the difference in abil-  have developed a program that can pass the test
ity between humans and computers in recognizing with over 80% accuracy. Malik and Mori’s algo-
spoken language. Nancy Chan of the City Univer- rithm represents significant progress in the general
sity in Hong Kong was the first to implement a area of text recognition, and it is extremely encour-
sound-based system of this type . aging to see such progress. A CAPTCHA implies a
It is extremely important to have CAPTCHAs win-win situation: either the CAPTCHA is not bro-
based on a variety of sensory abilities. All ken and there is a way to differentiate humans from
CAPTCHAs presented here, except for the sound- computers, or the CAPTCHA is broken and a use-
based CAPTCHA, rely on the user being able to see ful AI problem is solved. c
an image. However, since there are many visually
impaired people using the Web, CAPTCHAs based References
on sound are necessary for accessibility. 1. Ahn, L. von, Blum, M., Hopper, N.J., and Langford, J. CAPTCHA:
Telling humans and computers apart. In Advances in Cryptology, Euro-
Unfortunately, images and sound alone are not crypt ‘03, volume 2656 of Lecture Notes in Computer Science, (2003),
sufficient: there are people who use the Web that are 294–311 .
2. Ahn, L. von, Blum, M., Hopper, N.J., and Langford, J. The
both visually and hearing impaired. The construc- CAPTCHA Web page; www.captcha.net.
tion of a CAPTCHA based on a text domain such as 3. Bongard, M.M. Pattern Recognition. Spartan Books, Rochelle Park, NJ,
text understanding or generation is an important 1970.
4. Chan, N. Program Byan; drive.to/research.
open problem for the project. 5. Coates, A.L., Baird, H.S., and Fateman, R.J. Pessimal print: A Reverse
Turing Test. In Proceedings of the International Conference on Document
Analysis and Recognition (ICDAR ’01), Seattle, WA, 2001, 1154–1159.
Lazy Cryptographers Doing AI 6. Lillibridge, M.D., Abadi, M., Bharat, K., and Broder, A. Method for
Modern cryptography has shown that open or selectively restricting access to computer systems. U.S. Patent
intractable problems in number theory can be use- 6,195,698.
7. Mori, G. and Malik, J. Recognizing objects in adversarial clutter—
ful: an adversary cannot act maliciously unless he Breaking a visual CAPTCHA. In Proceedings of the Conference on Com-
can solve an open problem (like factor a very large puter Vision and Pattern Recognition, June 2003.
8. Naor, M. Verification of a human in the loop or identification via the Tur-
number). Similarly, CAPTCHAs show that open ing Test; www.wisdom.weizmann.ac.il/\~naor/PAPERS/human.ps.
problems in AI can be useful: adversaries cannot 9. Pinkas, B. and Sander, T. Securing passwords against dictionary
vote thousands of times in online polls or obtain attacks. In Proceedings of the ACM Computer and Security Conference
(CCS ’02), ACM Press, 161–170.
millions of free email accounts unless they can solve 10. Turing, A.M. Computing machinery and intelligence. Mind 59, 236
an open problem in AI. (1950), 433–460.
In the case of ordinary cryptography, it is
assumed (for example) that the adversary cannot fac- Luis von Ahn (email@example.com) is a graduate student in the
tor 1024-bit integers in any reasonable amount of Department of Computer Science at Carnegie Mellon University.
time. In our case, we assume the adversary cannot Manuel Blum (firstname.lastname@example.org) isScience at Carnegie
Professor in the Department of Computer
the Bruce Nelson
solve an artificial intelligence problem with higher Mellon University.
accuracy than what’s currently known to the AI John Langford (email@example.com) is a research associate in the
community [1, 2, 5, 6, 8]. This approach has the Toyota Technological Institute at Chicago.
beneficial side effect of inducing security researchers,
Permission to make digital or hard copies of all or part of this work for personal or class-
as well as otherwise malicious programmers, to room use is granted without fee provided that copies are not made or distributed for
advance the field of AI (much like computational profit or page. To copy otherwise, tothat copies bearpost on servers orthe full citation on
commercial advantage and
this notice and
to redistribute to
number theory has been advanced since the advent lists, requires prior specific permission and/or a fee.
of modern cryptography). This is how lazy cryptog-
raphers do AI. © 2004 ACM 0002-0782/04/0200 $5.00
This is trial version
February 2004/Vol. 47, No. 2 COMMUNICATIONS OF THE ACM