Asirra is a web service developed by a Microsoft Research team to replace Captcha as an HIP. (If you don’t know what Captcha is, click here). Asirra uses pictures of cats and dogs to distinguish between an automated bot and a human. The visitor should distinguish between the cats and dogs correctly to continue in the sign-up page (or wherever you use Asirra). Currently Asirra is given as a web service and anyone can implement it in their websites by pasting some code provided by Microsoft.
The research team claims that Asirra is secure because they use a “large” database of cats and dogs. The pictures are obtained from the Petfinder website. They also claim that the database contains more than 3 million pictures. Now how useful is the product? Can it really be used instead of Captcha?
The fact is that Asirra is not a mature product. And the implementation can be resource and bandwidth heavy. Downloading 12 medium sized images can be a real irritaion for your visitors. Instead they will fill Captchas for you happily (Use it only if you really need something like a Captcha; Otherwise avoid both). Also, Asirra uses so much screen space in your website that it can be very to tricky to use in your website template. And what about people with accessibily problems? You will have to give them an audio captcha. There can’t be an audio Asirra. It would be so easy to break.
How secure is Asirra? Microsoft researchers claim that the implementaion is secure. They give some reasons for this too. We have been hearing this for almost all software products. We will just wait for someone to show how the implementaion is not secure. Meanwhile, what about attacking the database? It is a pretty straight forward task. Implement Asirra in your website, save the images (or just hashes) to your server along with the solution of the visitors. If you have a website with enough traffic, this could break Asirra within weeks. What if spammers use large amounts of websites for this? Think of some porn website doing this. We have heard about this stuff before in connection with the captcha.
Then there is another research project called Inkblot. The basic idea is that when you are shown an image of an inkblot and told to assosiate it with an object or word. This association can be used to uniquely identify each person and can act as a password. But you must solve enough inkblots for this.
The idea sounds rediculous to me. What in this world is Microsoft Researchers thinking? Do they think that this is better than using passwords? I would rather remember 10 passwords than solving a series of inkblot tests in all the websites I visit.
Microsoft, please stop funding these researchers. Yes, I agree we must encourage research in all fields. But it must not be an excuse to follow some foolish ideas and finally come up with some half-baked security product. May be Microsoft could use the researchers in patching up Vista or getting IE8 out in time.
PS: Asirra spots a ‘adopt me’ link on every picture of a cat or dog. That in turn will really help the animals. That is a good idea.
Great!!! I could’nt agree more.
money getting wasted…
Cat or dog? That means a bot has a 50% chance of entering the website simply by guessing.
Recently I got fed up with the Captcha appearing over-and-over at Yuwie. Every 5 messages I send to friends, I have to enter a Captcha word. What irritates me is that I get it right each time and I am still forced to enter it again in the future! They should monitor users that are trusted so that they never have to enter Captcha after their initial visit and registration. It becomes irritating after a while, and there are already programs that distinguish Captcha phrases faster than humans.
Employ some children. Pay them a few dollars each day. Have them manually go through comments and delete spam. This way give children a decent job (no more lemonade stands) and we don’t anger the frequent website visitors.
It s funny actually
if this is the case , i wont be able to login to any of my accounts
moods change and so does our thinking
[...] Another blogger seems to take a dim view of Asirra, but I think his main criticism (being able to defeat the CAPTCHA by enlisting users of a legitimate site and storing the results keyed to an image hash) is something that could be addressed in several different ways. I thought about cropping and rotating the images, and then, after a brief search, found this paper whose results suggest that those may be viable options to defeat image hashing algorithms. This is definitely another “arms race” situation where spammers will keep developing new techniques to defeat “human authentication,” but I think Asirra is a pretty decent idea, and, like I said earlier, a lot more fun than a traditional CAPTCHA. [...]
I’m sorry but Marcin, your math is terrible.
If there was only ONE photo of a cat or dog, then the bot would have a 50/50 chance of guessing it right. But if you actually looked at the photo or read the post, there are TWELVE pictures of dogs and cats.
So one picture = 50% guessing correctly, two pictures = 25%, etc, etc. Take that out to all 12 pictures and you end up with over 4000 different combinations. So that means by blindly guessing, the bot has a fraction of a percent of getting it right, NOT a 50% chance.
Do you really think that would make a captcha that easy?
I don’t think the Asirra image problem (cat vs. dog) would be too difficult to solve. I think a neural network could learn to discriminate between the two in most cases. Granted, doing it 12 times perfectly presents high odds, but still I think there’s a good chance of defeating it.
I almost wonder whether Microsoft wants a system which it can crack but which others assume they cannot.
Has anyone actually seriously tried to break Asirra?
Marcin,
“What irritates me is that I get it right each time and I am still forced to enter it again in the future! They should monitor users that are trusted so that they never have to enter Captcha after their initial visit and registration”
That is true. But the problem is that spammers can exploit this too. It is always a cat-mouse race.
Ralph,
Nobody seriously uses Asirra. So nobody is trying to crack it yet I think.