Abstract
CAPTCHAs have been deployed ubiquitously by web sites to combat automated malicious programs. Security against web bots and usability to legitimate users are two main goals that have to be simultaneously satisfied when designing a useful CAPTCHA scheme. However, there exists a well-known and intricate trade-off between these goals. So far, balancing this trade-off remains an art rather than a science, as we do not have any automated tools to evaluate the security and usability of CAPTCHAs and then to configure the CAPTCHA generation engine accordingly. In this position paper, we propose a general framework called Captchæcker that aims to solve this configuration problem by automating the security-usability analysis of CAPTCHAs. The proposed framework will allow dynamic reconfiguration of a CAPTCHA scheme after its securityusability goal is changed or its security is compromised due to an attack.