"Typocaptcha" - an alternative to CAPTCHA?

Question

We all hate CAPTCHAs, but to some applications they're a necessary evil. Today I wondered if there's a better alternative we just haven't thought of yet. I considered the dilemma: how do you create something that is indecipherable to a computer, but readable to a human?

Then I remembered an email doing the rounds years ago along the lines of:

I cdn'uolt blveiee taht I cluod aulaclty uesdnatnrd waht I was rdanieg: the phaonmneel pweor of the hmuan mnid. Aoccdrnig to a rseearch taem at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoatnt tihng is taht the frist and lsat ltteer be in the rghit pclae. The rset can be a taotl mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Scuh a cdonition is arppoiatrely cllaed Typoglycemia.

In case you can't read the above:

I couldn't believe that I could actually understand what I was reading: the phenomenal power of the human mind. According to a research team at Cambridge University, it doesn't matter in what order the letters in a word are, the only important thing is that the first and last letter be in the right place. The rest can be a total mess and you can still read it without a problem. This is because the human mind does not read every letter by itself, but the word as a whole. Such a condition is appropriately called Typoglycemia.

This is called Typoglycemia, and although it wasn't actually researched at Cambridge, there is an element of truth in that people find it surprisingly easy to read.

Could Typocaptcha be the future? Read these three questions:

• Wihch anmial is bgeigr - a fox or an eplthneat?
• Waht aianml is siad to nverr freogt?
• Waht tpye of aimnal was Wlat Dsi'enys Dmbuo?

In case you haven't guessed it, the same answer to all three questions - is:

elephant

There are millions of possible combinations of questions, but before getting into the 'how', it all boils down to user experience.

Would Typocaptcha result in a better or worse user experience when compared to CAPTCHA?

P.S. I am aware that this would not be very accessible to visually impaired users, much like CAPTCHAs aren't.

Answer 1

Ironically, I could not get by myself what bgeigr meant, but almighty Google helped me out:

So this captcha is quite easy for computers to guess, yet may be hard for humans.

And bear in mind that Google is using an error model for common typos (letters replaced by those adjacent on the keyboard etc.) If you program your computer to only consider anagrams, it will easily reach 99-ish percent accuracy.

Answer 2

Why would this be indecipherable to a computer? Since each word has the correct letters, but they are scrambled, it would seem very easy for me for a computer to crack the correct order of the letters by comparing it to known words. Which defeats the whole point of having this extra barrier.

Secondly, how would this affect folks with dyslexia or other reading disabilities? Because I would think this would be even harder on them than captchas (someone with actual dyslexia please chime in!). It's true that captchas affect vision-impaired folks, but this could be a bother to additional disabilities (obviously that is my initial thought and user research would be needed).

I totally agree that captchas should be improved, but I am not sure if this would accomplish that purpose.

Answer 3

This is not effective for keeping out a targeted attack by someone who uses a word list, such as /usr/share/dict/words, to solve your anagrams. A task like "unscramble the words in standard input, assuming the first and last letters are correct, given a word list file for the language" is probably so straightforward that it'd make a good puzzle for our Code Golf site. Sorting out words that are already anagrams, such as could and cloud, could be done with an n-gram database derived from the Project Gutenberg corpus. Then the attacker sees each clue, makes a database of correct responses with the help of Mechanical Turk, and gains the technical ability to spam your site.

If an English proficiency test like this is effective for anything, it'd be for shutting out human users who happen to live in the wrong country. If you have a license to offer your service only to customers in (say) the United States, then someone coming in through a VPN who's not a native English speaker is less likely to actually be a U.S. resident. So it might be useful for the sign-up page of an Internet music or video streaming service, which are markets that are still heavily balkanized by decades-long exclusive territorial distribution contracts. In fact this technique has been seen in the wild: Two levels of the first WarioWare game for Game Boy Advance were typo tests in Japanese, which made it hard for people who downloaded an infringing copy to play through until Nintendo released the English version of the game to the North American market later.

Answer 4

tl;dr

A good captcha would need (ideally) to offer the best possible protection (difficult to get for a computer) and ease of use (easy to get for a human). But captchas aren't good at this and "typoCaptchas" doesn't seem to improve them. Questions can be rearrenged quite easily and then if the question is easy enough for people is probably easy enough for google:

Captchas are still difficult for humans

Taken from How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation. Stanford University :

Overall, we found that captchas are often harder than they ought to be, with image captchas having an average solving time of 9.8 seconds and three-person agreement of 71.0%, and audio captchas being much harder, with an average solving time of 28.4 seconds, and three-person agreement of 31.2%.[...] Using the data collected from Amazon’s Mechanical Turk, we identified a number of demographic factors that have some influence on the difficulty of a captcha to a user. Non-native speakers of English were slower, though they were generally just as accurate unless the captcha required recognition of English words. We also saw small trends indicating that older users were slower but more accurate.

I'm sure everyone can remember at least one time being sure that what you're typing matches perfectly with the captcha, but it results to be wrong. So first, it's stepping in users' way and later making them feel stupid, something that of course they don't like.

Here a Google's site about classic CAPTCHA's security:

While the new reCAPTCHA API may sound simple, there is a high degree of sophistication behind that modest checkbox. CAPTCHAs have long relied on the inability of robots to solve distorted text. However, our research recently showed that today’s Artificial Intelligence technology can solve even the most difficult variant of distorted text at 99.8% accuracy. Thus distorted text, on its own, is no longer a dependable test. One advantage of the recaptchas is that they've been helping to digitalize books.

Classic Captchas vs TypoCaptchas

I find similar problems between them, but I don't think typoCaptchas presents a solid advantage:

1. You'd still have to read and interpret a question (instead of one/two words) which doesn't fix the problem for the visually impaired.
2. You'd additionally have to know/recall the answer (here you are introducing a new variable and more cognitive load). You have to deal with internationalization too.
3. You'd have to type it correctly. This could be better in the sense that you could let the user introduce typos (as @rybo111 mention in the comments).e.g.: elefant instead of elephant.
4. You can't use them as a medium of digitalization.
5. They doesn't seem to be hard for bots from the beginning.

There's a new option

Google has recently developed a new reCaptcha, that improves the ease when it's possible:

However, CAPTCHAs aren't going away just yet. In cases when the risk analysis engine can't confidently predict whether a user is a human or an abusive agent, it will prompt a CAPTCHA to elicit more cues, increasing the number of security checkpoints to confirm the user is valid. Captchas are still difficult for humans

Answer 5

I couldn't believe that I could Macaulay uesdnatnrd what I was radioing: the phenomenal power of the human mind. According to a research team at Cambridge Nerviness, it doesn’t matter in what order the letters in a word are, the only iprmoatnt thing is that the first and slat letter be in the right pilau. The rest can be a tootle mess and you can still read it outhit a problem. This is useable the human mind does not read nervy letter by itself, but the word as a whole. Such a condition is appropriately called Hypoglycemia.

The above is how a spell checker sees your example paragraph. The key thing for a CAPTCHA is that it is easy for humans, but difficult for computers. It appears that this "typocaptcha" is reasonably easy for computers to deal with, which means that the difficulty for humans is irrelevant.

Answer 6

No. I do not thing this is a good alternative to captchas. There are several goals that I think need to be achieved in order to be considered as an alternative.

---

As Seamless As Possible

When designing a captcha or a captcha alternative, it's very easy to lose sight of this goal. You have to keep in mind that we're purposely blocking users from doing what they wanted to do. We're creating a wall. This wall should be as low as possible while still achieving the other goals. If the process for getting through is too much of a hassle, then the user will move on.

---

Easy To Complete

One of the defining characteristics of captchas is that very little prior knowledge is needed. Even people that know little English can complete them. Asking the user to complete puzzles or answer trivia makes a larger wall for the user to climb. This almost invariably means that some users are going to leave. What's worse is that users that do want to get in might not know the trivia. No matter how easy you think it is. Not to mention that it won't work for many disabilities or disorders such as dyslexia. Popular captchas have a button that allows an audio captcha as an alternative and I'm not sure how this alternative captcha would be made to complement that.

---

Blocks Non-Humans

This is the entire reason why captchas exist. It's important to not only consider what computers are able to do today but to also consider what will be possible in a year, five years, and even ten years. While the captcha alternative you are suggesting would have probably worked five to ten years ago or more, that's just not true anymore. This is a problem that computers are not only able to solve, but that they're pretty good at.

While I don't know of any programs built to handle this particular idea, there are many programs available that handle many parts. We have spell check, predictive text, search engines (that will likely be able to answer the trivia more often than humans), and translation software. As a programmer, I don't see this alternative stopping me.

---

In short, I think this is harder for humans and easier for robots.

Answer 7

Would Typocaptcha result in a better or worse user experience when compared to CAPTCHA?

It doesn't really matter. CAPTCHAs are a hurdle for humans. Which is the intent...they are meant to be a hurdle...hopefully one a human can jump but not a computer. But regardless, hurdles are a bad user experience so if there's a way to do it without the hurdle, don't redesign the hurdle, but just get rid of it.

Would your idea of a CAPTCHA be better than the scrambled letters? Or picture versions? Or any of the other types of CAPTCHAs? For some, probably. For others, maybe not (say, anyone with dyslexia or speaks a different native language).

Plus, it likely is less effective at preventing computers from getting by it as, after all, this is basically what a spell/grammar checker is.

Answer 8

This would be incredibly easy for a computer to determine. The thing is to not go head-to-head with a computer on its own turf. A hacker can go through millions of permutations per second. Any form of l337 speak or other variation would be decoded in a heartbeat. Literally. (If that).

EDIT:

A program will check to see if the word is in a dictionary. If not it will do the typical substitutions. There are 30,000 words in a decent dictionary. If there are 20 variations of each word (much less than that) there would be 600,000 "words" to check. At a million+ guesses a second it would take how long to go through a paragraph? 1 second?

If questions like "What type of animal was Walt Disney's Dumbo?" are asked then the human attackers will have to put into the database. Bear in mind that there are millions of people born outside the US and using your website who could not answer that question. That is a major usability issue.

The question "which one is bigger a fox or an ekdjior" would be trivial for any algorithm.

• The phrase "which one is bigger" is determined to be a comparative.
• Check dictionaries.
  
  • A fox is in a dictionary.
  • An ekdjior is not in dictionary)
• Therefore a fox is bigger.

Your opponent is not some dumb computer. It's a tool. Your opponent is a team of very smart people who are using a tool to get to a place they want to go.

Answer 9

Just to expand on the effect of using a word list, the following Python code prints a summary of how many possibilities there are for each of the words in your example text:

import collections

with open('words.txt', 'rb') as infile:
    allwords = set(line.strip() for line in infile)

def key(word):
    word = word.lower().translate(None, '.,:;-?')
    if not word:
        return None
    return len(word), word[0], word[-1], ''.join(sorted(word[1:-1]))

words_by_letters = collections.defaultdict(set)
for word in allwords:
    words_by_letters[key(word)].add(word)

def findword(word):
    return words_by_letters[key(word)]

if __name__ == '__main__':
    message = """
    I cdn'uolt blveiee taht I cluod aulaclty uesdnatnrd waht I was rdanieg: the phaonmneel pweor of the hmuan mnid. Aoccdrnig to a rseearch taem at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoatnt tihng is taht the frist and lsat ltteer be in the rghit pclae. The rset can be a taotl mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Scuh a cdonition is arppoiatrely cllaed Typoglycemia.
    """
    print sorted(collections.Counter(len(findword(word)) for word in message.split()).items())
    for word in message.split():
        result = findword(word)
        if len(result) != 1:
            print word, len(result), result

result (using some word list I found by searching):

[(0, 2), (1, 90), (2, 5)]
cluod 2 set(['could', 'cloud'])
uesdnatnrd 2 set(['unstranded', 'understand'])
mttaer 2 set(['matter', 'mettar'])
frist 2 set(['frist', 'first'])
bcuseae 2 set(['besauce', 'because'])
arppoiatrely 0 set([])
Typoglycemia. 0 set([])

That is to say, only 2 words were not deciphered at all, and one of those is because of a mistake in the original message ("appropriately" contains 3 Ps). 5 words have multiple solutions but probably would not be that difficult to guess with high confidence based on context and the frequencies in English of the alternatives. 90 words (some of them duplicates) were unambiguously identified.

Your three questions put together:

[(0, 4), (1, 21)]
eplthneat? 0 set([])
nverr 0 set([])
Dsi'enys 0 set([])
Dmbuo? 0 set([])

So it's failed on two more typos and two proper nouns.

As others say, the anagrams are considerably harder for non-native English speakers to read. Even a few minutes work makes them not all that much harder for robots to read. Even if it's a good test of English proficiency in humans, it's not a very promising CAPTCHA technique. Answering natural-language questions is way harder than dealing with this amount of obfuscation, so the hard part of solving your CAPTCHAs isn't the novel part ;-)

Of course, you can do more to obfuscate the English (for example by introducing intentional typos of the kind my trivial code failed to solve). But firstly I haven't even tried to use a spellchecker, so a robot can do much better than I have so far, and secondly it's not clear at this point how much of that you can do before even native-English humans fail to solve the puzzle too.

Answer 10

As a person who speaks English as a second language and live in an english speaker country I couldn't read the text , imagine plenty of user have same situation, and if some one use this captcha for bank , they can't use their bank account any more, so I think it's more difficult to comprehend for people than computer.

Answer 11

http://www.anagram-solver.org/?letters=eplthneat
http://wordsolver.net/solve#!q=eplthneat

Anagrams are no threat to AI.
But if you would replace, add or remove some of the letters — it would no longer be an anagram thus only decipherable by complex guessing algorithms which would also be true for humans as well though.