About

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) remains a frontline defense against automated form submissions, credential stuffing, and scraping bots. A weak CAPTCHA - low distortion, predictable character sets, no noise - is trivially defeated by modern OCR engines like Tesseract, which achieve > 95% accuracy on clean text. This generator produces challenge images with configurable distortion intensity d, noise density ρ, and character count n, rendering them onto an HTML Canvas with per-character rotation, scaling jitter, and overlapping interference lines. Characters are selected via cryptographically secure randomness (crypto.getRandomValues), and ambiguous glyphs (0/O, 1/l/I) can be excluded to reduce user frustration without compromising bot resistance.

This tool approximates production CAPTCHA systems but does not implement server-side verification. In a real deployment, the answer must never exist in client-side code. Use this to prototype visual difficulty, generate sample images for testing OCR pipelines, or produce one-off verification codes for low-risk scenarios. The exported PNG can be embedded in email forms or printed documents where interactive CAPTCHA services are unavailable.

Formulas

The total combinatorial keyspace K of a CAPTCHA with n characters drawn from an alphabet of size A is:

K = Aⁿ

For an alphanumeric, case-sensitive set: A = 62. A 6-character CAPTCHA yields K = 62⁶ ≈ 5.68 × 10¹⁰ combinations. Brute force at 1000 attempts per second would require ≈ 1.8 years without rate limiting.

Per-character rotation angle θ is sampled uniformly:

θ_i ∼ U(−d_max, d_max)

where d_max is the maximum rotation in radians. Baseline vertical jitter δy follows the same uniform distribution with amplitude j_max.

Sinusoidal warp applied to the final image displaces each pixel row:

x′ = x + a ⋅ sin(2π ⋅ yh ⋅ f)

where a = warp amplitude in pixels, f = frequency (number of wave cycles), and h = canvas height. This non-linear distortion prevents affine-based OCR correction.

Where: K = total keyspace, A = alphabet size, n = character count, θ_i = rotation of character i, d_max = max rotation angle, a = warp amplitude, f = warp frequency, h = image height.

Reference Data

Parameter	Low Difficulty	Medium Difficulty	High Difficulty	Effect on OCR Resistance
Character Count (n)	4	6	8	More chars increase combinatorial space exponentially
Rotation Range	±10°	±20°	±35°	Breaks OCR character segmentation
Noise Lines	2	5	8	Interferes with edge detection algorithms
Noise Dots	30	80	150	Salt-and-pepper noise degrades binarization
Font Size Jitter	±2px	±5px	±10px	Prevents template matching attacks
Baseline Jitter	±3px	±8px	±15px	Disrupts line segmentation heuristics
Color Variation	Monochrome	3 colors	Per-character random	Defeats single-threshold binarization
Background Noise	Clean	Light gradient	Random arcs + gradient	Prevents simple background subtraction
Character Overlap	0px	3px	6px	Merges connected components, hardest for OCR
Bezier Warp	None	Mild wave	Strong sinusoidal	Non-linear distortion defeats affine correction
Ambiguous Chars Excluded	Yes (0,O,1,l,I)	Partial (0,O)	No exclusions	Tradeoff: user accuracy vs. keyspace size
Charset: Digits Only	10 symbols	10 symbols	10 symbols	Keyspace: 10ⁿ
Charset: Letters Only	26 symbols	26 symbols	52 symbols	Keyspace: 52ⁿ (case-sensitive)
Charset: Alphanumeric	36 symbols	36 symbols	62 symbols	Keyspace: 62ⁿ (case-sensitive)
OCR Accuracy (Tesseract v5)	>80%	30 - 50%	<10%	Estimated; varies by font and preprocessing

Frequently Asked Questions

Removing ambiguous glyphs shrinks the effective alphabet size A. Excluding 5 characters from a 62-symbol set reduces keyspace from 62ⁿ to 57ⁿ. For n = 6, that is a ≈27% reduction in combinations. The tradeoff is improved human solve rate. For low-risk forms, the usability gain outweighs the security cost.

Character overlap and non-linear (sinusoidal/Bezier) warp are the two most effective defenses. OCR engines rely on connected-component analysis to segment individual characters. Overlap merges components, causing segmentation failure. Sinusoidal warp defeats affine-transform correction that OCR preprocessing applies. Noise lines alone are insufficient because modern engines use median filtering to remove them.

No. Client-side CAPTCHAs are inherently insecure because the answer exists in the browser. This tool stores the answer as a base64-encoded string, which deters casual inspection but is trivially decoded. Production systems must validate server-side, issue time-limited tokens, and implement rate limiting. Use this tool for prototyping visual difficulty, generating test images, or scenarios where server-side validation is added separately.

The generator renders at 2× device pixel ratio internally while keeping CSS dimensions fixed. This produces crisp text on Retina and high-DPI displays. Without this scaling, canvas text appears blurry, which paradoxically makes the CAPTCHA harder for humans but can actually help OCR (blurred edges smooth noise). The exported PNG preserves the high-resolution rendering.

Research from Carnegie Mellon (2010) found that 6 characters with moderate distortion achieves the best balance. Human solve rates drop below 80% at 8+ characters regardless of distortion. Meanwhile, 4 characters with full alphanumeric set still provides 62⁴ ≈ 14.7 million combinations, which is adequate when combined with rate limiting (3 attempts per minute).

Yes. Export the image via the Download PNG button. Embed it in HTML emails using a <img> tag with base64 data URI or as an attached file. For PDFs, import the PNG into your document editor. Pair it with a text input field where the recipient types the answer. Verification must happen on your server when the form is submitted. The image dimensions are fixed at the configured canvas size.