Here’s a demo of the captcha generation I have so far — the script talks to a mini web service to get the data. I’ll add more options to the web service and then make it available. [Update: the ‘demo’ is now just the way I screen comments on this blog.] Interestingly, although I have fond feelings for the gd image library, nothing I needed for doing nice image distortion turned out to be there, at least in the PHP-bundled version — I had to do it at the pixel level.
John’s comment led me to think more about accessibility. As I said in a comment, if an individual running a site decides that inaccessibility to bots is more important for that site than accessibility for some humans, I’m not going to stand in judgement (someone else will do that for me, I’m sure). But I guess that if you’re writing code that multiple people might use for bot-screening, it would be irresponsible not to include some alternative to images. So I’m thinking of adding an “alt text” captcha, most likely some kind of MadLibs-style description of a number. (Instead of blocking the visually-impaired, it would block people who can’t do any arithmetic in their heads — bug or feature?) The difficult part is in coming up with obfuscation that couldn’t be easily reversed by parsing it.
If captcha generation becomes more widespread, I wonder if open source would help confer some abuse resistance. I mean, if MSFT used a particular style of capture for single-signon, there’d be a lot of incentive to defeat it. But imagine lots of captcha servers, each run by someone who likes to mess around occasionally with the obfuscating code… is it ever going to be worth trying to beat them all?