CAPTCHA Effectiveness

I can’t spell, I’m tired :frowning:

Here’s an interesting alternative: the ASCII art CAPTCHA. :wink:

http://www.thephppro.com/products/captcha/

This seems pretty ingenious, if you implement it correctly. You could either output tricky HTML/CSS (or even more advanced, JavaScript), so now the spammer needs to render HTML, CSS, and possibly JavaScript, and THEN needs to use good AI to convert the ASCII image to a phrase.

Last week I got 200 spam comments on my blog.
And all coming from the website, and not from the comment API.
So I imagine that the type of captcha used on my blog sw has been broken :slight_smile:

BTW, the captcha used here is not sufficiently difficult. Even MS software could read it!

Yellow, no… blue. Wait, red… No orange. Help! I’m color-blind!

Come on Jeff, explain why you’re happy to discriminate against people with visual disabilities, contrary to legislation.

Probably for the same reason as he filters out all of us who linked him from Blogspot.

why do you need to filter out bee-el-oh-gee-ess-pee=oh-tee website addresses?
Because of trackbacks. Blogsp0t is spam central.

Nice to know how much you respect your readers.

Nice to know how much you respect your readers.

Don’t complain to me, complain to blogsp0t! It’s really profoundly bad. See here:

http://www.lockergnome.com/nexus/web/2005/06/30/the-strange-world-of-blogspot-spam-blogs/


What I’ve found, though, is that a large percentage (maybe up to a third) of all Blogspot blogs are spam-logs - sites created to increase the Google ranking of some other site (which is itself usually a Google-spamming site). The ultimate purpose of these spamlogs is usually to drive traffic to a commission-paying ph4rmacy, pr0n, or c4sino site.

That’s from 2005, but I assure you the flow of blogsp0t trackback spam continued unabated through at least last month.

There are other simple ideas too … think out of the box of “text recognition”.
Something I used on my guestbook …
http://bhansalimail.com/guestbook.php

It just asks people to add two numbers (they are a mix of random number/Swatch time).

Dozens of better ideas out there, but the problem is getting something popular enough to replace/expand on captchas!

personally I’m loving the look of Geoff Appleby’s Gaptcha… Captcha with photos instead.
http://blogs.crankygoblin.com/blogs/geoff.appleby/archive/tags/GAPTCHA/default.aspx

I’m also wondering if captcha is the best thing - because who needs comments from the visually impaired anyway?

I admit to not having read everything on the page properly, but the thought occurs to me - and my apologies if this is way outdated - would a captcha made from either 1. a fading in and out set of letters (each fading from background colour to a different colour at different rates)…an animated gif or 2. a flash animation with moving characters be a lot more difficult to break?

Hi,

I’m just entering the wonderful world of captchas, but am wondering about another approach. I don’t exactly know how spambots work, but would it work if every time a page with a form is visited, the form fields have a different (randomised) name?

Another thought I had about visual captchas, would a small flash-movie displaying text/something (maybe some interactivity in it?) work? Only trick here would be to pass the right information back and forth between the movie and the page…

cheers,
Job
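One way to implement the randomised field names asked about in the comment above, added here as an example and not part of the original post. The HMAC construction, the hidden-field names (`n`, `t`, `sig`), the logical field list and the one-hour lifetime are all assumptions chosen for illustration:

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)      # assumption: per-deployment key, kept server-side
LOGICAL_FIELDS = ("author", "email", "comment")
MAX_AGE = 3600                        # assumption: seconds a rendered form stays valid


def _mac(*parts):
    msg = "|".join(parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def render_form(now=None):
    """Return (hidden, names): hidden inputs to embed and the logical->random name map."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    hidden = {"n": nonce, "t": ts, "sig": _mac("form", nonce, ts)}
    names = {f: "f" + _mac("field", nonce, ts, f)[:16] for f in LOGICAL_FIELDS}
    return hidden, names


def parse_submission(post, now=None):
    """Map a POST dict back to logical fields, or return None if it is rejected."""
    now = time.time() if now is None else now
    nonce, ts, sig = post.get("n", ""), post.get("t", ""), post.get("sig", "")
    expected = _mac("form", nonce, ts)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                   # hidden fields forged or altered
    if not ts.isdigit() or not 0 <= now - int(ts) <= MAX_AGE:
        return None                   # stale or future-dated form
    out = {}
    for f in LOGICAL_FIELDS:
        name = "f" + _mac("field", nonce, ts, f)[:16]
        if name not in post:
            return None               # posted with names from some other render
        out[f] = post[name]
    return out
```

This rejects a POST replayed with hard-coded or expired field names; a client that fetches and parses the form on every visit still sees the current names.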

orange

I was getting wiki spam on a low-volume specialized wiki. I simply required users to use a password to edit, and put it right on the front page spaced out. Real naive, and instantly effective. Again, I wasn’t a high-value target.

Hi,

I am getting ready to launch an assembly for ASP.NET called HTMLCaptcha. I thought the readers of this article and blog might be interested in what it does.

HTMLCaptcha outputs a small icon-sized image – a real picture, not skewed text – created entirely in HTML/CSS, and then offers a random selection of choices that best describe the image. The user must select the correct descriptor in order to validate.

The idea is similar to that described in the paper “CAPTCHA: Using Hard AI Problems For Security”.

There are several advantages to this method –

– Hard A.I. problem. There is a much higher probability that a human will associate a random, arbitrary image with its correct descriptor than computer software.

– Text scanning techniques do not apply.

– Every developer can create their own CAPTCHA images for their site with the included utility. Uniqueness does provide a deterrent, and makes the A.I. problem harder:

I think the key isn’t captcha, per se, but just being different. Security through obscurity in a sense.

An image can be anything. In the image cache that is included with the download, I use standard icons, plus simple bars of different colors (with descriptors like “vertical bars - black RED black BLACK”). You could also use sequences of geometrical shapes, e.g. two circles and a triangle, dots and slashes, or another set of icons, or mix and match.

You can download the demo (in beta), or read more at

http://www.htmlcaptcha.com

JA

Hi,

I have a solution to cut 100% of guest book spam:

You ask the visitor for a $1.00 pre-authorization through PayPal before he can submit his form.
You then check the form submission, if he is a genuine visitor, you cancel the authorization, if he is a spammer, you withdraw his money.
You will be either lonely or rich!

what about www.captchasolver.com ? it’s an automated captcha solving web service and it’s able to solve any type of captcha.

Well, a Turing test would be better if you have something like

A1B2C3 and the instructions are. Please enter all the Numbers from the string above. Or if they were colours something like. Enter all Red and Blue Letters from above. Or every Second Red Letter. Something that needs a little more smarts than just OCR.

I wonder how different the results would be if instead of “enter the word image”, it would just be “copy-paste the word orange below”. I would hypothesize that it would not affect comment spam that much, and would make things easier for (some of) the users. (Especially the sight-impaired)

I also have observed CAPTCHAs being easily violated in the wild. If the site has a high enough payoff, it’s worth it. In our case, reducing the incentive helped most. How? Timer. Normal users don’t need to hit the page (not a registration app) more than once every few minutes. For the bots to make their money, they were hitting multiple times per minute, or as fast as the server would accept calls. A timer made it too slow to get their message out, so aside from preventing access, attacks dropped off almost immediately because we were not a good target.
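A sketch of the per-client timer described in the comment above, added here as an example and not the commenter's code. The 120-second interval, the client key, the table size limit and the traffic in `SAMPLE_HITS` are constructed assumptions:

```python
import time


class Cooldown:
    """Accept at most one hit per client every `interval` seconds."""

    def __init__(self, interval=120.0, max_clients=10000):
        self.interval = interval
        self.max_clients = max_clients    # bound memory under a flood of new keys
        self._last = {}                   # client key -> time of last accepted hit

    def allow(self, client, now=None):
        """Return (accepted, seconds_until_next_allowed)."""
        now = time.monotonic() if now is None else now
        last = self._last.get(client)
        if last is not None and now - last < self.interval:
            return False, self.interval - (now - last)
        self._last.pop(client, None)      # re-insert so dict order tracks recency
        if len(self._last) >= self.max_clients:
            self._evict(now)
        self._last[client] = now
        return True, 0.0

    def _evict(self, now):
        # Drop expired entries first; if the table is still full, drop the oldest.
        self._last = {c: t for c, t in self._last.items()
                      if now - t < self.interval}
        while len(self._last) >= self.max_clients:
            del self._last[next(iter(self._last))]


def accepted_per_client(hits, interval=120.0):
    """Replay (time, client) pairs and count accepted hits per client."""
    gate = Cooldown(interval)
    counts = {}
    for t, client in sorted(hits):
        ok, _ = gate.allow(client, now=t)
        counts[client] = counts.get(client, 0) + (1 if ok else 0)
    return counts


# Constructed traffic: a bot posting every 5 s for 10 minutes, a human posting 3 times.
SAMPLE_HITS = [(t, "bot") for t in range(0, 600, 5)] + \
              [(0, "human"), (200, "human"), (500, "human")]
```

On the constructed traffic the bot gets 5 of its 120 attempts through while the human's 3 posts are all accepted.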

Very interesting article, I’ve myself coded a simple CAPTCHA breaker in PHP (you can see it at http://www.alixaxel.com/wordpress/2007/06/15/php-captcha-decoder/) however this article reminded me of a way in which other more complex CAPTCHAS could be broken.