Well I have 22 million reasons why this is a stupid method. Anyone want to buy an email list?

Examples:

I’m sure they received complaints and they changed it again, this time altering the thickness of the background lines and dropping the dictionary words, this new version also seems to only produce ~1% human unsolvable.

More Examples:

My past technique would no longer work. While it is definitely better, it still has the weakness of a consistent font and placement. If I wanted to break it again, I could take samples of colors from the areas I know would not be letters, remove them, and train the OCR to the font they use. I won’t be demonstrating how because ultimately I want to continue to use digg and they are obviously aware of the problem now.

Now onto another CAPTCHA that will be 100% breakable…

Digg’s CAPTCHA Weaknesses:

1. Dictionary Words
2. Same background
3. Same Font
4. No deformations
5. All lowercase letters
6. Constant colors

Tools

• gocr – a GPL Optical Character Recognition program
• ImageMagick – for command time image editing
• Perl – to tie everything together

Sample Size
100 images with 95 different words with an average word length of 5.3 letters.

First Test
Just dumping all the images through gocr yielded 26% correct responses. Not too shabby. It yields some easily manipulated results:

• = groUDS
• = single
• = t’ o.l,i.c,e ‘. . .’.’. ”,
• = be.cause.

Looking at the results I’m sure that we could improve the results with a little string manipulation.

Tweaking output
We can mess with the output to yield better results

• Convert all output to lowercase
• Remove non letter characters
• Spell checker

The first two yield 53% correct responses; just with this simple tweak we are able to get more correct guesses than incorrect. With adding the first guess of a spell checker it bumps the accuracy to 67%

Tweaking input

• Removing boarder
• Adjusting contrast and brightness
• Using edge detection

So becomes

Since we are already over 2/3rds accurate we don’t need to adjust the input of every image, just the results that aren’t dictionary words. Part of them problem is that while one adjustment will improve results for one image, it will degrade the results for another. My solution was to try 10 variations, run them through the OCR and then spell check. I then had the program pick the solution with duplicate results, in the case of a tie or no duplicate I had the program pick the one with the fewest number of variations. This method resulted in the final accuracy of 88%.

Problems with this technique
While these quick results have come close to becoming usable, they are still a far cry from 100% accuracy. Since digg uses a consistent font I could train gocr for problematic letters (such as p) also given that in 100 images I received 5 sets of duplicate words I would estimate their dictionary is only a couple thousand and could hand tweak the results.

Other resouces

• PWNtcha – a project to build a captcha decoder
• Breaking a Visual CAPTCHA – the breaking of EZ-Gimpy CAPTCHAs

Disclaimer
I did contact digg last week to let them know I would be publishing this and offered them the opportunity to have it delayed while the upgraded their CAPTCHA. I haven’t heard from them as of now. I still offer them the opportunity to contact me and I will temporarily remove this article.

Update:
~30 hours after I posted this they have changed the nature of their CAPTCHA, I will be writting a follow up soon … here is my reponse