First, did nobody read the link thecoalman posted?
CAPTCHAs are simply cat-and-mouse. I mean, I imagine that there was a time when simply putting numbers into an image was good enough (something I could whip together in 5 minutes). Undoubtedly, the spammers will catch up to the CAPTCHA guys. Security professionals vs. hackers. Cryptologists vs. cryptanalysts. So it really goes without saying that "it will be" broken.
At the same time, this is a very strong CAPTCHA. By making the letters 3D, it almost completely counters bots that can only read 2D objects. Humans, however, can read 3D very easily. Just like the battle raged on the 2D plane, I suspect that 3D will become the new standard and that we'll fight on that for a bit.
But I also think that the days of CAPTCHAs are numbered. That is, the days of CAPTCHAs being the sole line of defense for forums. Eventually, the strongest possible CAPTCHA will be broken. Remember, humans must be able to understand the CAPTCHA too. If a bot can't read it, but neither can your users, it's worthless. And screen reading technology will eventually catch up to the human eye. Sorry, but we as a species aren't evolving as fast as our lovely creations.
Let me digress. Remember in elementary school, when somebody would encrypt a message by changing all of the "A"s to "B"s, and the "B"s to "C"s, etc.? This is called the "Caesar Shift", probably because a Roman Emperor came up with this idea. But let's say the United States needs to send a message to its troops in Iraq. Are we going to use the Caesar Shift to protect the data that's protecting our soldiers' lives? Probably not (and no, the Pigpen Cipher won't work either).
I consider the CAPTCHA to be the equivalent of the Caesar Shift. We're sort of at the "Hey, what if I shift the letters forward by two or three instead of by one?" stage. The CAPTCHA will, eventually, be broken and will only be useful for stopping script kiddies, not anybody serious. So what is there to do? Make a defense system that evolves. And make it self-evolving. The spammers will come out with their own self-evolving script. Ours needs to be better. Then they improve theirs. Et cetera.
I predict that this will be in long-ish cycles. Security comes out with something great (the CAPTCHA? Or in encryption's sense, RSA), and spammers are silenced for a while. Then they come out with something better. And they win for a while (underpaid, overworked professional CAPTCHA solvers? OCR?). Back and forth, back and forth.
I'm not saying that CAPTCHAs are worthless. I'm just saying that it's not a smart idea to place your entire stock in them. Simple Machines has three strong anti-bot mods available at the click of a button to its users. I think phpBB should pony up and do the same. Running a check with stopforumspam.com might be useful too. I'd also suggest placing minimum post limits (or minimum verified post counts for posting a link), or running the contents of a post up against a check for users not yet proven to be human. Whatever. Just don't rely completely on CAPTCHAs.
Just my opinion.
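The post suggests two defenses beyond a CAPTCHA: requiring a minimum number of verified posts before a user may post a link, and screening the content of posts from users not yet proven to be human. The following is an added example, not code from the post, from phpBB or from Simple Machines, showing how such a tiered posting policy can be expressed. The threshold values, the `User` record, the `decide` function and the two content heuristics (repeated lines, mostly-uppercase text) are all assumptions constructed for the example; a real forum would tune them and add its own checks.

```python
import re
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not forum settings).
MIN_VERIFIED_POSTS_FOR_LINKS = 5   # verified posts needed before links are allowed
MAX_REPEATED_LINE_RATIO = 0.5      # more repetition than this looks like boilerplate spam
MAX_UPPERCASE_RATIO = 0.7          # more shouting than this is held for a human look

# Non-capturing group so findall() returns whole URLs, not just the scheme.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class User:
    name: str
    verified_posts: int  # posts that were approved (hypothetical trust counter)


def count_links(text: str) -> int:
    """Number of URL-looking tokens in the post body."""
    return len(URL_RE.findall(text))


def repeated_line_ratio(text: str) -> float:
    """Fraction of non-empty lines that duplicate an earlier line (0.0 = none)."""
    lines = [line.strip().lower() for line in text.splitlines() if line.strip()]
    if len(lines) < 2:
        return 0.0
    return 1 - len(set(lines)) / len(lines)


def uppercase_ratio(text: str) -> float:
    """Fraction of letters that are uppercase (0.0 if there are no letters)."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c.isupper() for c in letters) / len(letters)


def screen_content(text: str) -> list[str]:
    """Heuristic checks applied only to users not yet proven human."""
    reasons = []
    if repeated_line_ratio(text) > MAX_REPEATED_LINE_RATIO:
        reasons.append("repeated lines")
    if uppercase_ratio(text) > MAX_UPPERCASE_RATIO:
        reasons.append("mostly uppercase")
    return reasons


def decide(user: User, text: str) -> tuple[str, list[str]]:
    """Return (action, reasons). Actions: 'allow', 'reject', 'hold_for_review'.

    Users past the verified-post threshold are trusted and skip screening.
    Unverified users cannot post links at all; their other posts are run
    through the content heuristics and held for a moderator if anything trips.
    """
    if user.verified_posts >= MIN_VERIFIED_POSTS_FOR_LINKS:
        return "allow", []

    links = count_links(text)
    if links > 0:
        return "reject", [
            f"{links} link(s) from user with {user.verified_posts} verified posts "
            f"(need {MIN_VERIFIED_POSTS_FOR_LINKS})"
        ]

    reasons = screen_content(text)
    if reasons:
        return "hold_for_review", reasons
    return "allow", []


if __name__ == "__main__":
    # Constructed sample posts.
    veteran = User("veteran", 12)
    newcomer = User("newcomer", 0)
    print(decide(veteran, "See http://example.com/docs for details."))
    print(decide(newcomer, "Check out www.example.com now!"))
    print(decide(newcomer, "buy now\nbuy now\nbuy now\nbuy now\ngreat offer"))
    print(decide(newcomer, "Hello, I am new here and have a question about the settings."))
```

The split between "reject" and "hold_for_review" is deliberate: a link from a brand-new account is the case the post singles out and can be refused outright with a clear message, while the content heuristics are noisier and belong in front of a human rather than silently dropping a legitimate first post.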