Tuesday, November 06, 2007

Why CAPTCHA is not a security control for user authentication

An example of CAPTCHA
CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". Typically this control presents a word-verification challenge as an image that cannot be read by machine via OCR, so a human user in front of the computer has to recognize the word and enter it on the site. This is an effective control against spam-bots that register on a web site automatically, and against automated posting to blogs or forums, whether for commercial promotion or for harassment and vandalism. CAPTCHA has also been deployed to protect systems vulnerable to e-mail spam, such as the webmail services of Gmail, Hotmail, and Yahoo.

Unfortunately there is a misunderstanding of what this control is designed for, and some sites use it as a "custom" authentication factor, as if solving the image-word challenge proved that the response came from the intended human. In this case CAPTCHA acts as a “placebo” security control for the user: it lets the user believe the site can be trusted, because the site appears to validate him as a trusted user (not true!). CAPTCHA is not a valid control for authentication; it is just a weak control that is vulnerable to several attacks, such as social engineering. For example, CAPTCHA challenges can be redirected to other users, who recognize the images and thereby pass the test that was intended for the original user: http://www.avertlabs.com/research/blog/index.php/2007/11/01/the-captcha-challenge/

Again, do not be confused about what this control is for: CAPTCHA is not an authentication control! It is an acceptable control for preventing automated posting of content to a site that collects information from unauthenticated users such as visitors.

Also, if you implement this control to verify that a visitor, rather than a bot, is posting to your site, be careful to implement it securely: many of these controls are vulnerable because of insecure session management (e.g. re-using an invalidated session ID associated with an image whose answer is already known, or not changing the word challenge after a failed attempt).
Some CAPTCHA attacks rely on a small image library and weak hashes (e.g. MD5) that an attacker can collect and break using a rainbow table. So use a large library of images and employ strong keyed hashes (e.g. HMAC) with a random seed to prevent rainbow-table attacks.
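The two implementation points above (single-use challenges that are discarded on a failed attempt, and a keyed HMAC with a per-challenge random salt instead of a bare MD5 of the answer) as an added example that is not part of the original post; the word library, the server key and the CaptchaStore class are all constructed for illustration, and image rendering is left out.

```python
import hmac
import hashlib
import secrets
import time

# Constructed sample library; a real deployment needs a large one.
WORDS = ["apple", "river", "stone", "cloud"]
# Constructed server-side key; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


class CaptchaStore:
    """Server-side store of outstanding challenges (hypothetical helper).
    Each challenge is single-use and is discarded on any failed attempt,
    so a recognised answer cannot be replayed and a wrong guess cannot be
    retried against the same image."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self._pending = {}  # challenge_id -> (salt, answer_mac, expires_at)

    def _mac(self, salt, answer):
        # Keyed HMAC over a per-challenge random salt: the same word yields
        # unrelated values in two challenges, so a table precomputed over the
        # word library (the MD5 weakness) is useless without SERVER_KEY.
        msg = salt + answer.strip().lower().encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def new_challenge(self):
        word = secrets.choice(WORDS)  # the word the image would render
        salt = secrets.token_bytes(16)
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (salt, self._mac(salt, word),
                                       time.time() + self.ttl)
        return challenge_id, word  # word is used only to draw the image

    def verify(self, challenge_id, response):
        # pop() removes the challenge whether the check passes or fails:
        # no re-use of a solved challenge, no retry after a failure.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        salt, expected, expires_at = entry
        if time.time() > expires_at:
            return False
        return hmac.compare_digest(expected, self._mac(salt, response))
```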

1 comment:

Vic said...

Info in your blog helped me with my project, which is based on bookmakers. Thank U very much!