
31.05.2008, 01:16
Regular member
Registered: 23.09.2007
Posts: 416
Time spent on forum: 1781065
Reputation: 869
A Low-cost Attack on a Microsoft CAPTCHA
1. Introduction
A CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans
Apart) is a program that generates and grades tests that are human solvable, but intends to be
beyond the capabilities of current computer programs [1]. This technology is now almost a
standard security mechanism for defending against undesirable or malicious Internet bot
programs, such as those spreading junk emails and those grabbing thousands of free email
accounts instantly. It has found widespread application on numerous commercial web sites
including Google, Yahoo, and Microsoft’s MSN.

The most widely used CAPTCHAs are the so-called text-based schemes, which rely on
sophisticated distortion of text images aimed at rendering them unrecognisable to the state of
the art of pattern recognition programs. The popularity of such schemes is due to the fact that
they have many advantages [4], for example, being intuitive to users world-wide (the user
task performed being just character recognition), having little localization issues (people in
different countries all recognise Roman characters), and of good potential to provide strong
security (e.g. the space a brute force attack has to search can be huge, if the scheme is
properly designed).

A good CAPTCHA must be not only human friendly, but also robust enough to resist
computer programs that attackers write to automatically pass CAPTCHA tests (or challenges).
Early research suggested that computers are very good at recognising single characters, even
if these characters are highly distorted [6]. Table 1 shows characters under typical distortions,.
And this one can be found here:
http://homepages.cs.ncl.ac.uk/jeff.yan/msn_draft.pdf