XRumer Spambot Cracks Captchas
2008-10-03 11:40:21 by Editor in IT Security - The IT Security Industry's Web Resource
 

We’ve known for some time that CAPTCHAs are insecure, but now even the CAPTCHA alternatives (often based on telling cats from dogs or other animals) have proven insecure. Gmail, Windows Live Hotmail and other popular sites were hacked as early as February. Recently another defeat has come in the form of XRumer, a spam bot that posts messages on blogs and through email in order to boost search engine rankings.

What’s the solution? Ars Technica suggests there might not be a good one, in part because malware distributors can go so far as to hire real people to do their dirty work:

Instead of trying to build better CAPTCHA-cracking programs, the malware industry went out and got itself some humans of its own. This effectively bypasses the primary security strength of the CAPTCHA system and leaves it entirely dependent on what we’ll call secondary security characteristics. CAPTCHAs are often complex (particularly these days), which does increase the chance that they’ll be misread (and returned incorrectly), while the font and display of the characters themselves are at least somewhat unfamiliar to the CAPTCHA crackers sitting on the other side of the world.

Sometimes those CAPTCHA phrases are pretty incoherent to me too. When I post over at Craigslist, sometimes it says I’ve gotten its CAPTCHA wrong, and I end up wondering if secretly I’m a bot?? Apparently not a very smart one either.

 
 
 
 
 
 