“Have a dictionary of nouns of at least 1000 commonly used nouns. For example “Tiger, Snake, Man, Computer, Stapler, etc.” Using PHP or other means, search for this noun on Google image search, with safe search turned on. Pick a random Google cached image off the front page of the results. Display this image to the user, along with a question asking for the original noun. And do this twice, otherwise the attacker could just attempt your dictionary for a .1% success rate. Certain search terms will often fail even for humans – therefore, store the success rate along with the noun in a database, and any noun with a less than x% success rate won’t be used.
The noun database should also store unique synonyms for each noun, which will reduce the human fail rate without affecting the bot fail rate.
This captcha works because
1. Humans are good at random image recognition, while computers are not.
2. Although there are only say 1000 nouns, the nouns times the possible number of images (especially if you use common nouns) might be in the millions.
3. Asking twice prevents attackers from just guessing nouns directly. With a dictionary of 1000, asked twice, this results in a 1 in a million chance of successfully asking at random.”