Everyone is in this arms race: those who make CAPTCHAs, and those who want to crack them.
The solution for the former is simple: animate them. I’m not talking about making a 6-frame looping GIF, whereby the cracker can steal a frame and crack at THAT. I’m talking about an animation where no single frame has all of the information: each of the frames looked at on its own is incomplete, but the sum of viewing them makes it obvious.
There are 6 frames to the CAPTCHA on the right. The number “4” and letter “K” are normal: if a cracking algorithm ripped these frames apart, it could trivially determine those. But the “8” is made of two frames, both of the letter “O”. The “X” is made up of two frames: one a “foreslash”, the other a “backslash”. I’m not going to claim that this exact CAPTCHA is uncrackable, but the concept, with more than 45 seconds spent in the Gimp, will yield a product that cannot be beaten by non-morphing algorithms, and I don’t see the CAPTCHA-cracking-clique getting that sophisticated for a few more years at least.
Go Forth And Code.
UPDATE 5/11: A colleague challenged that this could be beaten by a simple “flattening” algorithm, that is, one looking at all the frames at the same time. Again, the simple animation I made wasn’t meant as a true example, merely the gist. Introducing multi-color backgrounds and “erasing” parts of previous frames with future frames, among other techniques, would nullify the “flattening bypass”.
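For anyone building such a CAPTCHA, here is a small design audit for the split “X” described above. It is an added example, not code from the original post. The frame encoding (`#` ink, `x` erase, `.` transparent), the 5x5 bitmaps and all function names are constructed assumptions.

```python
# Added example: audit one animated glyph for frame-level leaks.
# Assumed encoding: '#' = ink, 'x' = erase to background, '.' = transparent.

def cells(frame, mark):
    """Set of (row, col) positions in a frame that carry the given mark."""
    return {(r, c) for r, row in enumerate(frame)
            for c, ch in enumerate(row) if ch == mark}

def flatten_ordered(frames):
    """Composite like a player: each frame erases, then paints, over the last."""
    canvas = set()
    for frame in frames:
        canvas = (canvas - cells(frame, "x")) | cells(frame, "#")
    return canvas

def flatten_union(frames):
    """Every cell that held ink in any frame, ignoring erasure."""
    return set().union(*(cells(f, "#") for f in frames))

def audit(frames, glyph):
    """Report which views of the animation expose the complete glyph."""
    target = cells(glyph, "#")
    return {
        "single_frame": any(cells(f, "#") == target for f in frames),
        "ordered_flatten": flatten_ordered(frames) == target,
        "union_flatten": flatten_union(frames) == target,
    }

# Constructed sample bitmaps (not taken from the post's image).
BACKSLASH = ["#....", ".#...", "..#..", "...#.", "....#"]
SLASH = ["....#", "...#.", "..#..", ".#...", "#...."]
X_GLYPH = ["#...#", ".#.#.", "..#..", ".#.#.", "#...#"]
# Same slash, but it erases the backslash pixels drawn by the previous frame.
SLASH_ERASING = ["x...#", ".x.#.", "..#..", ".#.x.", "#...x"]

if __name__ == "__main__":
    print("plain split:  ", audit([BACKSLASH, SLASH], X_GLYPH))
    print("with erasure: ", audit([BACKSLASH, SLASH_ERASING], X_GLYPH))
```

In this constructed case, erasure hides the glyph from the ordered composite but not from the union of ink across frames, so a design review should check both views.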