A Usable and Secure Bengali CAPTCHA
Pith reviewed 2026-06-30 09:07 UTC · model grok-4.3
The pith
Bengali CAPTCHA variants limit automated OCR recognition to 0-20 percent while achieving 56-90 percent human success rates.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central claim is that the proposed Bengali CAPTCHA with its six variants exhibits robust security against OCR-based attacks, with average character recognition rates limited to 0-20 percent across 6000 challenges, while demonstrating high usability for 110 human participants with success rates of 56.25 to 90.29 percent and response times of 6.69 to 9.9 seconds.
What carries the argument
The six variants of the Bengali text CAPTCHA design, which use the Bengali script and specific distortions to balance security and readability.
If this is right
- Regional language CAPTCHAs can replace English ones for better accessibility without sacrificing security.
- Websites targeting Bengali users can deploy these to block bots effectively.
- Success rates above 50 percent with short response times make the design practical for everyday web use.
- Low OCR rates suggest the script-specific features effectively thwart current automated attacks.
Where Pith is reading between the lines
- Similar designs could be developed for other non-Latin scripts to broaden web accessibility.
- Future tests with advanced machine learning models beyond basic OCR would be needed to confirm long-term security.
- The approach highlights the need for language-specific security tools in global web infrastructure.
Load-bearing premise
That the OCR implementations tested represent the capabilities of real automated attacks and that the participant group reflects typical Bengali users.
What would settle it
An experiment showing an OCR or machine learning system achieving over 50 percent average character recognition on the Bengali CAPTCHA challenges would disprove the security claim.
Figures
read the original abstract
Text-based CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) have traditionally been a simple, affordable, lightweight, yet very effective security mechanism to distinguish human users from automated bots on the web, serving as a preventive measure against many cyberattacks. However, the dependence on the English script creates usability issues for non-native speakers, limiting accessibility for regional communities where English is not widely understood. In this work, we have proposed and implemented a text CAPTCHA mechanism with 6 variants on the Bengali language, designed specifically for native Bengali-speaking users, which is the first of its kind to the best of our knowledge. Our proposed Bengali CAPTCHA exhibits robust security against automated OCR-based attacks, limited to only 0-20% average character recognition rate across 6,000 challenges (1,000 per variant approx.). Furthermore, our design demonstrates high human usability, evaluated with 110 participants, achieving success rates of 56.25% to 90.29% and average response times of 6.69 to 9.9 seconds across all six variants, thereby standing out among text-based CAPTCHA benchmarks.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript proposes and evaluates six variants of Bengali text-based CAPTCHAs for native speakers. It claims robust security, with automated OCR attacks achieving only 0-20% average character recognition across ~6,000 challenges (1,000 per variant), and high usability, with 110 participants achieving success rates of 56.25-90.29% and average response times of 6.69-9.9 seconds.
Significance. If the security results hold against capable attacks, the work would address a meaningful gap in accessible CAPTCHAs for non-English users. The empirical usability measurements are a potential strength if the participant pool and attack models are representative.
major comments (2)
- [Abstract / Evaluation] Abstract and Evaluation section: The headline security claim (0-20% OCR recognition rate) cannot be assessed because the manuscript provides no details on the OCR engines tested, whether they were off-the-shelf or fine-tuned on Bengali data, the attack pipeline (segmentation, preprocessing, single-character vs. string recognition), or any comparison to stronger models. This directly undermines interpretation of the result as evidence of robustness rather than weak test attackers.
- [Abstract / Usability study] Usability evaluation (abstract): No information is given on participant demographics, recruitment method, exclusion criteria, or statistical tests for the reported success rates and times. Without these, the 56.25-90.29% success range cannot be evaluated for bias or generalizability to the target Bengali-speaking population.
minor comments (1)
- [Abstract] The abstract states this is 'the first of its kind to the best of our knowledge'; a brief related-work paragraph citing prior non-English CAPTCHAs would strengthen the novelty claim.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on our manuscript proposing Bengali text-based CAPTCHAs. The comments identify key areas where additional methodological detail is needed to strengthen the security and usability claims. We address each major comment below and commit to revisions that directly respond to the concerns raised.
read point-by-point responses
-
Referee: [Abstract / Evaluation] Abstract and Evaluation section: The headline security claim (0-20% OCR recognition rate) cannot be assessed because the manuscript provides no details on the OCR engines tested, whether they were off-the-shelf or fine-tuned on Bengali data, the attack pipeline (segmentation, preprocessing, single-character vs. string recognition), or any comparison to stronger models. This directly undermines interpretation of the result as evidence of robustness rather than weak test attackers.
Authors: We agree that the current manuscript does not provide sufficient detail on the OCR attack methodology, which limits the ability to fully evaluate the security results. The Evaluation section reports outcomes from OCR-based attacks on the six variants but does not specify the exact engines, fine-tuning status, preprocessing steps, segmentation approach, or comparisons to alternative models. In the revised version we will expand this section with a clear description of the attack pipeline, including the specific OCR tools employed, any language-specific adaptations, and the rationale for the chosen attack models. This addition will allow readers to better assess whether the 0-20% recognition rates reflect meaningful robustness. revision: yes
-
Referee: [Abstract / Usability study] Usability evaluation (abstract): No information is given on participant demographics, recruitment method, exclusion criteria, or statistical tests for the reported success rates and times. Without these, the 56.25-90.29% success range cannot be evaluated for bias or generalizability to the target Bengali-speaking population.
Authors: We acknowledge that the Usability Evaluation section lacks the requested details on the participant pool and analysis methods, which are necessary to interpret the reported success rates and response times. The manuscript states that 110 participants were involved but provides no further information on demographics, recruitment, exclusions, or statistical testing. We will revise the section to include these elements, such as participant age range and language background, recruitment channels, any exclusion rules applied, and the statistical methods used to analyze the 56.25-90.29% success rates and 6.69-9.9 second response times. This will improve transparency and support claims of usability for native Bengali speakers. revision: yes
Circularity Check
No circularity; purely empirical evaluation with no derivations or fitted predictions
full rationale
The paper presents an empirical study of a Bengali CAPTCHA design, reporting direct measurements of OCR attack success rates (0-20% on 6000 challenges) and human usability metrics (success rates and response times from 110 participants). No equations, parameter fitting, predictions derived from inputs, self-citations used as load-bearing uniqueness theorems, or ansatzes are present in the provided abstract or described claims. The security and usability results are stated as outcomes of explicit testing rather than any chain that reduces to the authors' own definitions or prior fits. This is the expected non-finding for an experimental systems paper without a mathematical derivation component.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Bijoy Bayanno Keyboard
2022. Bijoy Bayanno Keyboard. https://bijoybayannowin.com/api/v1
2022
-
[2]
OCR using pytesseract (Bengali & English)
2022. OCR using pytesseract (Bengali & English). https://www.kaggle.com/code/ggck43/ocr-using-pytesseract-bengali-english/data?select= Bengali.traineddata [Online; accessed 2022-11-09]
2022
-
[3]
OpenCV-python tutorials
2022. OpenCV-python tutorials. https://docs.opencv.org/4.x/d6/d00/tutorial_py_root.html [Online; accessed 2022-11-09]
2022
-
[4]
Traineddata files for version 4.00 +
2022. Traineddata files for version 4.00 +. https://tesseract-ocr.github.io/tessdoc/Data-Files [Online; accessed 2022-11-09]
2022
-
[5]
Bengali alphabet
2023. Bengali alphabet. https://en.wikipedia.org/wiki/Bengali_alphabet
2023
-
[6]
Ekushey Keyboard
2023. Ekushey Keyboard. https://ekushey.org/ 2User under 35 years age 77% probability and User over 35 were not able to solve any Text CAPTCHAs 22 MNI Shibbir et al
2023
-
[7]
S M Izaz Ahmmed, Muhammad Minhazul, Haque Bhuiyan, Md Khan, and Research Publications. 2014. A Survey on Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). SSRN Electronic Journal 1 (03 2014), 187–193
2014
-
[8]
Luis von Ahn, Manuel Blum, Nicholas J Hopper, and John Langford. 2003. CAPTCHA: Using hard AI problems for security. In International conference on the theory and applications of cryptographic techniques . Springer, 294–311
2003
-
[9]
Shymon Islam, Hafsa Sultana, A
Aysha Akther, Md. Shymon Islam, Hafsa Sultana, A. K. Z. Rasel Rahman, Sujana Saha, Kazi Masudul Alam, and Rameswar Debnath. 2022. Compila- tion, Analysis and Application of a Comprehensive Bangla Corpus KUMono.IEEE Access 10 (2022), 79999–80014. doi:10.1109/ACCESS.2022.3195236
-
[10]
Walid Aribi. 2016. A Survey of Current Research on CAPTCHA. International Journal of Computer Science & Engineering Survey 7 (06 2016), 1–21. doi:10.5121/ijcses.2016.7301
-
[11]
Agustin Garcia Asuero, Ana Sayago, and AG González. 2006. The correlation coefficient: An overview. Critical reviews in analytical chemistry 36, 1 (2006), 41–59
2006
-
[12]
Paul Baecher, Marc Gordon Lior Fischlin, Robert Langenberg, Michael Lützow, and Dominique Schröder. 2010. Captchas: the good, the bad, and the ugly. In Sicherheit 2010. Sicherheit, Schutz und Zuverlässigkeit . Gesellschaft für Informatik eV, 353–365
2010
-
[13]
M Tariq Banday and Shafiya Afzal Sheikh. 2013. Design of CAPTCHA script for Indian regional websites. In Security in Computing and Commu- nications: International Symposium, SSCC 2013, Mysore, India, August 22-24, 2013. Proceedings 1 . Springer, 98–109
2013
-
[14]
Abhay Bansal, Divye Garg, Anup Gupta, and Anand Gupta. 2008. Breaking a Visual CAPTCHA: A Novel Approach using HMM. In Proceedings of the
2008
-
[15]
Seyed Mohammad Reza Saadat Beheshti and Panos Liatsis. 2015. CAPTCHA Usability and Performance, How to Measure the Usability Level of Human Interactive Applications Quantitatively and Qualitatively?. In 2015 International Conference on Developments of E-Systems Engineering (DeSE). 131–136. doi:10.1109/DeSE.2015.23
-
[16]
Marios Belk, Christos Fidas, Panagiotis Germanakos, and George Samaras. 2015. Do human cognitive differences in information processing affect preference and performance of CAPTCHA? International Journal of Human-Computer Studies 84 (2015), 1–18
2015
-
[17]
Benjamin Boyter. 2015. All About CAPTCHA’s: Decoding CAPTCHA’s for Fun and Profit . Leanpub. https://leanpub.com/decodingcaptchas(visited 2022-08-08)
2015
-
[18]
Darko Brodić and Alessia Amelio. 2019. The CAPTCHA: Perspectives and Challenges: Perspectives and Challenges in Artificial Intelligence. (2019)
2019
-
[19]
Darko Brodić and Alessia Amelio. 2019. Exploring the usability of the text-based CAPTCHA on tablet computers. Connection Science 31, 4 (2019), 430–444
2019
-
[20]
Elie Bursztein, Steven Bethard, Celine Fabry, John C Mitchell, and Dan Jurafsky. 2010. How good are humans at solving CAPTCHAs? A large scale evaluation. In 2010 IEEE symposium on security and privacy . IEEE, 399–413
2010
-
[21]
Kumar Chellapilla, Kevin Larson, Patrice Simard, and Mary Czerwinski. 2005. Designing human friendly human interaction proofs (HIPs). In Proceedings of the SIGCHI conference on Human factors in computing systems . 711–720
2005
-
[22]
Kumar Chellapilla, Kevin Larson, Patrice Y Simard, and Mary Czerwinski. 2005. Computers beat Humans at Single Character Recognition in Reading based Human Interaction Proofs (HIPs).. In CEAS
2005
-
[23]
Jun Chen, Xiangyang Luo, Yanqing Guo, Yi Zhang, and Daofu Gong. 2017. A survey on breaking technique of text-based CAPTCHA. Security and communication networks 2017 (2017)
2017
-
[24]
Geeta Chhabra Gandhi, Vijay Dhaka, and Manoj Kumar Agarwal. 2019. Design of Innovative CAPTCHA and Analysis of It’s Efficiency. Interna- tional Journal of Advanced Studies of Scientific Research 4, 3 (2019)
2019
-
[25]
Yang-Wai Chow, Willy Susilo, and Pairat Thorncharoensri. 2019. CAPTCHA design and security issues. Advances in Cyber Security: Principles, Techniques, and Applications (2019), 69–92
2019
-
[26]
Alex Clark. 2015. Pillow (PIL Fork) Documentation. https://buildmedia.readthedocs.org/media/pdf/pillow/latest/pillow.pdf
2015
-
[27]
Clark and contributors
Jeffrey A. Clark and contributors. 2022. Pillow. https://pypi.org/project/pillow/ [Online; accessed 2022-11-09]
2022
-
[28]
Imtiaz Ahmed Dahar, Fizza Abbas Alvi, and Ubaidullah Rajput. 2020. Enhancing Security of Urdu Language Websites through Urdu CAPTCHA. International Journal of Computer Science and Network Security 20, 11 (2020), 142–151
2020
-
[29]
Line Eikvil. 1993. Optical character recognition. citeseer. ist. psu. edu/142042. html 26 (1993)
1993
-
[30]
Ryan Fortune, Gary Luu, and Peter McMahon. 2005. CS229 Project Report: Cracking CAPTCHAs. Stanford University CS229 Project Report
2005
-
[31]
Rich Gossweiler, Maryam Kamvar, and Shumeet Baluja. 2009. What’s up CAPTCHA? A CAPTCHA based on image orientation. In Proceedings of the 18th international conference on World wide web . 841–850
2009
-
[32]
Carlos Hernández-Castro and Arturo Ribagorda. 2010. Pitfalls in CAPTCHA design and implementation: The Math CAPTCHA, a case study. Computers & Security 29 (02 2010), 141–157. doi:10.1016/j.cose.2009.06.006
-
[33]
Indic-OCR. 2022. Tesseract Models for Indian Languages. https://indic-ocr.github.io/tessdata/
2022
-
[34]
Kiranjot Kaur and Sunny Behal. 2014. Captcha and its techniques: a review. International Journal of Computer Science and Information Technologies 5, 5 (2014), 6341–6344
2014
-
[35]
Kiranjot Kaur and Sunny Behal. 2015. Designing a Secure Text-based CAPTCHA. Procedia Computer Science 57 (2015), 122–125. doi:10.1016/j. procs.2015.07.381 3rd International Conference on Recent Trends in Computing 2015 (ICRTC-2015)
work page doi:10.1016/j 2015
-
[36]
Bilal Khan, Khaled Alghathbar, Muhammad Khurram Khan, Abdullah M AlKelabi, and Abdulaziz Alajaji. 2013. Cyber security using arabic captcha scheme. Int. Arab J. Inf. Technol. 10, 1 (2013), 76–84
2013
-
[37]
Martin Kopp, Matej Nikl, and Martin Holena. 2017. Breaking CAPTCHAs with Convolutional Neural Networks.. In ITAT. 93–99. A Usable and Secure Bengali CAPTCHA 23
2017
-
[38]
Mohinder Kumar, MK Jindal, and Munish Kumar. 2022. A systematic survey on CAPTCHA recognition: types, creation and breaking techniques. Archives of Computational Methods in Engineering 29, 2 (2022), 1107–1136
2022
-
[39]
Mohinder Kumar, Manish Kumar Jindal, and Munish Kumar. 2022. Design of innovative CAPTCHA for hindi language. Neural Computing and Applications (2022), 1–36
2022
-
[40]
Piotr Kuszaj. 2017. Kuszaj/claptcha: Simple Captcha Generator for Python. https://github.com/kuszaj/claptcha. GitHub repository
2017
-
[41]
Manar Mohamed, Niharika Sachdeva, Michael Georgescu, Song Gao, Nitesh Saxena, Chengcui Zhang, Ponnurangam Kumaraguru, Paul Oorschot, and Wei-Bang Chen. 2014. A three-way investigation of a game-CAPTCHA: automated attacks, relay attacks and usability
2014
-
[42]
G. Mori and J. Malik. 2003. Recognizing objects in adversarial clutter: breaking a visual CAPTCHA. In 2003 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, 2003. Proceedings. , Vol. 1. I–I. doi:10.1109/CVPR.2003.1211347
-
[43]
Nilobon Nanglae and Pattarasinee Bhattarakosol. 2015. Attitudes towards Text-based CAPTCHA from developing countries. In 2015 12th Interna- tional Conference on Electrical Engineering/Electronics, Computer, Telecommunications and Information Technology (ECTI-CON) . 1–4. doi:10.1109/ ECTICon.2015.7207116
-
[44]
Meharuniza Nazeem, Anitha R, Navaneeth S, and Rajeev R. R. 2024. Open-Source OCR Libraries: A Comprehensive Study for Low Resource Language. In Proceedings of the 21st International Conference on Natural Language Processing (ICON), Sobha Lalitha Devi and Karunesh Arora (Eds.). NLP Association of India (NLPAI), AU-KBC Research Centre, Chennai, India, 416–4...
2024
-
[45]
Jakob Nielsen. 1994. Usability engineering. Morgan Kaufmann
1994
-
[46]
OmicronLab. 2023. Avro Keyboard. https://www.omicronlab.com/avro-keyboard-download.html
2023
-
[47]
Brian M Powell, Adam C Day, Richa Singh, Mayank Vatsa, and Afzel Noore. 2010. Image-based face detection CAPTCHA for improved security. International Journal of Multimedia Intelligence and Security 1, 3 (2010), 269–284
2010
-
[48]
Xiao Qin and Yuqian Wu. 2011. An Algorithm for Segmentation of CAPTCHA Characters Based on Color-Clustering and Feedback Mechanism. 2011 International Conference on Internet Technology and Applications, iTAP 2011 - Proceedings (08 2011). doi:10.1109/ITAP.2011.6006257
-
[49]
Alec Radford, Jong Wook Kim, Chris Hallacy, Aditya Ramesh, Gabriel Goh, Sandhini Agarwal, Girish Sastry, Amanda Askell, Pamela Mishkin, Jack Clark, Gretchen Krueger, and Ilya Sutskever. 2021. Learning Transferable Visual Models From Natural Language Supervision. In International Conference on Machine Learning (ICML) . PMLR, 8748–8763. https://arxiv.org/ab...
work page internal anchor Pith review Pith/arXiv arXiv 2021
-
[50]
Anthony C Redmond, Yvonne Z Crane, and Hylton B Menz. 2008. Normative values for the foot posture index. Journal of Foot and Ankle research 1 (2008), 1–9
2008
-
[51]
Andrew Searles, Yoshimichi Nakatsuka, Ercan Ozturk, Andrew Paverd, Gene Tsudik, and Ai Enkoji. 2023. An empirical study & evaluation of modern {CAPTCHAs}. In 32nd usenix security symposium (usenix security 23) . 3081–3097
2023
-
[52]
Shahjalal University of Science and Technology. [n. d.]. Institutional Profile and Academics. https://sust.edu. Accessed: 2026-05-24
2026
-
[53]
Md Neyamul Islam Shibbir, Hasibur Rahman, Md Sadek Ferdous, and Farida Chowdhury. 2024. Evaluating the security of CAPTCHAs utilized on Bangladeshi websites. Computers & Security 140 (2024), 103774
2024
-
[54]
Ved Prakash Singh and Preet Pal. 2014. Survey of different types of CAPTCHA. International Journal of Computer Science and Information Technologies 5, 2 (2014), 2242–2245
2014
-
[55]
Ray Smith. 2007. An overview of the Tesseract OCR engine. In Ninth international conference on document analysis and recognition (ICDAR 2007) , Vol. 2. IEEE, 629–633
2007
-
[56]
Oleg Starostenko, Claudia Cruz-Perez, Fernando Uceda Ponga, and Vicente Alarcon-Aquino. 2015. Breaking text-based CAPTCHAs with variable word and character orientation. Pattern Recognition 48 (04 2015). doi:10.1016/j.patcog.2014.09.006
-
[57]
Statista. 2025. The most spoken languages worldwide 2025 | Statista. https://www.statista.com/statistics/266808/the-most-spoken-languages- worldwide [Online; accessed 2026-01-28]
2025
-
[58]
Tesseract OCR tessdata_best ben. 2022. Tesseract. https://github.com/tesseract-ocr/tessdata_best/blob/main/ben.traineddata. [Online; accessed 2022-11-09]
2022
-
[59]
Tesseract OCR. 2022. Tessdata best. https://github.com/tesseract-ocr/tessdata/blob/main/ben.traineddata
2022
-
[60]
Tesseract-Ocr. 2022. Tessdata/ben.traineddata at main · TESSERACT-OCR/tessdata. https://github.com/tesseract-ocr/tessdata/blob/main/ben. traineddata [Online; accessed 2022-11-09]
2022
-
[61]
Tesseract-Ocr. 2022. Tesseract-OCR Best (most accurate) trained LSTM models. https://github.com/tesseract-ocr/tessdata_best [Online; accessed 2022-11-09]
2022
-
[62]
Tesseract-OCR. 2022. Tesseract-OCR/tessdata_fast: Fast integer versions of trained LSTM models. https://github.com/tesseract-ocr/tessdata_fast
2022
-
[63]
Tesseract OCR Bengali Traindata. 2022. TessdocTable. https://github.com/tesseract-ocr/tessdoc/blob/main/Data-Files.md#data-files-for-version- 400-november-29-2016 . [Online; accessed 2022-11-09]
2022
-
[64]
Nghia Dinh Trong, Thien Ho Huong, and Vinh Truong Hoang. 2023. New cognitive deep-learning CAPTCHA. Sensors 23, 4 (2023), 2338
2023
-
[65]
Vecteezy Contributors. 2023. Topographic Background and Texture Abstraction with Place for Text - Topo Backdrop Lines, Contour Geo- graphic Grid, Modern Black and White Topographic Contours, Lines of Mountains, Topography Map Art. https://www.vecteezy.com/vector- art/18939191-topographic-background-and-texture-abstraction-with-place-for-text-topo-backdrop...
-
[66]
VintaSoft. 2022. OCR: Prepare OCR engine for text recognition. https://www.vintasoft.com/docs/vsimaging-dotnet/Programming-OCR-Prepare_ OCR_engine_for_text_recognition.html. 24 MNI Shibbir et al
2022
-
[67]
Wikipedia contributors. 2025. Captcha Wikipedia. https://en.wikipedia.org/wiki/CAPTCHA [Online; accessed 4-April-2025]
2025
-
[68]
Wikipedia contributors. 2026. Comet (browser) — Wikipedia, The Free Encyclopedia.https://en.wikipedia.org/w/index.php?title=Comet_(browser) &oldid=1336424809
2026
-
[69]
Hisaaki Yamaba, Ahmad Saiful Aqmal Bin Ahmad Sohaimi, Shotaro Usuzaki, Kentaro Aburada, Masayuki Mukunoki, Mirang Park, and Naonobu Okazaki. 2021. Proposal of Jawi CAPTCHA Using Digraphia Feature of the Malay Language. In Advances in Information and Computer Security: 16th International Workshop on Security, IWSEC 2021, Virtual Event, September 8–10, 2021...
2021
-
[70]
Jeff Yan and Ahmad Ahmad. 2008. Usability of CAPTCHAs or usability issues in CAPTCHA design. Proceedings of the 4th Symposium on Usable Privacy and Security , 44–52. doi:10.1145/1408664.1408671
-
[71]
Jeff Yan and Ahmad Salah El Ahmad. 2008. Usability of CAPTCHAs or usability issues in CAPTCHA design. In Proceedings of the 4th symposium on Usable privacy and security . 44–52
2008
-
[72]
Bin B Zhu, Jeff Yan, Qiujie Li, Chao Yang, Jia Liu, Ning Xu, Meng Yi, and Kaiwei Cai. 2010. Attacks and design of image recognition CAPTCHAs. In Proceedings of the 17th ACM conference on Computer and communications security . 187–200. A Attacking Bengali CAPTCHAs To validate the security claims of our developed Text-Based Bengali CAPTCHA, it was essential...
2010
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.