In November 2007 I called these three CAPTCHA implementations "unbreakable":
This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2008/03/captcha-is-dead-long-live-captcha.html
Well. CAPTCHA are often not understandable for old people.
And since they are generated with computers, it seems possible that a way to reverse it with a computer exists.
I really prefer clever and hand made captha :
"What is the first name of Jeff Johnson?"
"What is the year of the end of 2nd world war(1939-1945) ?"
And so on... If you create hand-made silly questions, then all the spammers will be definitively blocked. There is no software which is able to understand a question.
Somewhere I've read that using hidden inputs as bot traps can be effective. If something was entered into the hidden fields, it must be a bot. The bot isn't going to render the page to determine if a textbox is hidden. You'd probably have to constantly randomize the field names on high-profile sites, though.
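The honeypot idea above, worked through as an added example (this is not code from the original post or from the blog it discusses). The trap field's name is derived per session with an HMAC under a site secret, so it changes per visitor without the server having to store anything; a submission is rejected if the field is filled in or if it is missing altogether, which catches bots replaying a hard-coded field list from an earlier fetch. All names, the secret and the sample submissions are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo values; a real deployment uses a per-site secret from config
# and the visitor's real session identifier.
SECRET = b"constructed-demo-secret-do-not-reuse"
SESSION = "sess-42"


def honeypot_field_name(secret: bytes, session_id: str) -> str:
    """Derive the trap field's name from the session so it changes per visitor
    but can be recomputed server-side without storing anything."""
    tag = hmac.new(secret, b"honeypot:" + session_id.encode(), hashlib.sha256)
    return "f_" + tag.hexdigest()[:12]


def render_form(secret: bytes, session_id: str) -> str:
    """Emit the form. The trap input is hidden with CSS, not type=hidden,
    so a form-filler that ignores styling still 'sees' a text field."""
    name = honeypot_field_name(secret, session_id)
    return (
        '<form method="post">\n'
        '  <input name="comment">\n'
        f'  <div style="display:none" aria-hidden="true">'
        f'<input name="{name}" tabindex="-1" autocomplete="off"></div>\n'
        '  <button>Post</button>\n'
        '</form>'
    )


def looks_like_bot(secret: bytes, session_id: str, form: dict) -> bool:
    """True when the submission should be rejected.
    Browsers submit the (empty) trap field; bots either fill it or, if they
    replay a hard-coded field list from an earlier session, omit it."""
    name = honeypot_field_name(secret, session_id)
    if name not in form:
        return True
    return form[name] != ""


# Constructed sample submissions.
_TRAP = honeypot_field_name(SECRET, SESSION)
HUMAN_POST = {"comment": "Nice article.", _TRAP: ""}
FORM_FILLER_BOT = {"comment": "cheap pills", _TRAP: "http://spam.example"}
REPLAY_BOT = {"comment": "cheap pills", "f_000000000000": ""}  # stale field name


if __name__ == "__main__":
    print(render_form(SECRET, SESSION))
    for label, post in [("human", HUMAN_POST),
                        ("filler bot", FORM_FILLER_BOT),
                        ("replay bot", REPLAY_BOT)]:
        verdict = "reject" if looks_like_bot(SECRET, SESSION, post) else "accept"
        print(label, "->", verdict)
```

Two caveats a practitioner would want: the field is hidden with CSS plus `aria-hidden` and `tabindex="-1"` so screen readers and keyboard users do not land in it, and `autocomplete="off"` reduces false positives from browser autofill. The trap only catches automation that never renders the page; it does nothing against the human-relay attacks discussed further down the thread.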
What about language barriers?
Also your site uses CAPTCHA!
What about using some CJK characters?
There are tens of thousands of characters.
Perhaps it needs a longer time to break.
Of course, the human must be Chinese, Japanese, or Korean.
On .NET Rocks, I heard them talking about "invisible Captcha", which was something to the effect of your trivia questions. The whole thing had to do with having an invisible div with a small math problem that would only be answered by JavaScript-enabled browsers, which would root out all bots, or something to that effect.
Another solution: stop using these damn registration pages and use OpenID. Of course there will be OpenID spam servers, but it's easier to control and ban them.
When will we actually hit the spammers where it hurts? And by hitting, I mean prosecution. Yes, they are in various countries that do not necessarily care, but maybe, just maybe, we can make them care? I would think the WTO is for that kind of thing...
And it is even Web 2.0 enabled... Isn't that great?
Here is the link :
http://hotcaptcha.com/
I think Bots will have a hard time breaking that one
P.s.:
And here is the link to the article where I found it... I know it's "old" but I found it quite interesting...
http://radar.oreilly.com/archives/2006/07/another-captcha-but-i-failed-p.html
The text on the Google CAPTCHA-breaking page suggests that they pay humans to solve the CAPTCHAs. I'm not sure if this is true or not.
===================
If you are unable to recognize a picture, or it is not loaded (the picture appears black, or empty), just press Enter.
In no case enter random characters!
If there is a delay in downloading images, log out of your account, refresh the page and go again.
The system has been tested in these browsers:
Internet Explorer
Mozilla Firefox
Before each payment, the pictures you recognized are checked by the Admin. We pay only for correctly recognized pictures!
So what if the CAPTCHA turns into an intelligence test? Let's not have dumb people make comments either.
Oh, damn. I can't spell "orange."
My Freakonomics thing tells me "CipherTrust has analyzed the effectiveness of various kinds of spam. It turns out that pornography is far and away the most effective spam, with a click-through rate of 5.6 percent. The next-best click-through rate is pharmaceuticals, at 0.02 percent."
The only way to solve spam forever is to stop people opening spam messages.
Best dumb-butted responses so far:
Pay $1 for all the (stupid) websites that ask for your info.
Give up your identity, SSN, credit card, etc
Limit the number of emails for new accounts.
All internet advertising must be PAID advertising
Universal ID
Charge people per email:
PS Banks don't use CAPTCHA. They have secure offline processes in place to set up your internet banking so that even their employees can't fake the system out. Multi-level authentication isn't CAPTCHA.
I read the Websense report on Google's CAPTCHA last week. I was under the impression that it wasn't broken in the sense that machines were solving the CAPTCHAs automatically (via machine vision or whatever), but by duping humans into solving them (unknowingly, on a different site) in order to make money or get access to free porn (http://www.boingboing.net/2004/01/27/solving-and-creating.html)
As I understand it, the hard part about breaking Google's CAPTCHA was the bot getting the image to human eyes, and getting a response back to Google before the process timed out.
If this is the case, changing the CAPTCHA from a reading test to an intelligence test probably won't make much difference. The hard part is surely making the authentication process robust against this kind of attack?
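The "robust against relaying" point in the comment above, as an added example (not code from the original post or from any of the services it discusses). Each challenge gets an opaque token carrying a nonce, the issue time and a keyed MAC over the session, the expected answer and those two values; the server accepts a token only inside a short window, only for the session it was issued to, and only once, so a correct answer relayed back late or replayed cannot be reused, and a wrong guess burns the challenge instead of allowing unlimited online guessing. The key, TTL, session identifiers and answers are constructed for the demo, and the clock is injectable so the expiry path can be exercised without sleeping.

```python
import hashlib
import hmac
import secrets
import time


class CaptchaIssuer:
    """Issues challenge tokens that encode when the challenge was created and
    which answer it expects (as a keyed MAC), then accepts each at most once."""

    def __init__(self, key: bytes, ttl_seconds: int = 30, now=time.time):
        self.key = key
        self.ttl = ttl_seconds
        self.now = now            # injectable clock (constructed for the demo)
        self.consumed = set()     # nonces already presented; prune by ttl in production

    def _mac(self, session_id: str, answer: str, nonce: str, issued: int) -> str:
        # Normalise the answer so "Kx7Pq2" and " kx7pq2 " verify the same way.
        msg = f"{session_id}|{answer.strip().lower()}|{nonce}|{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str, answer: str) -> str:
        """Return the opaque token handed to the client alongside the image.
        The answer itself never leaves the server; only its MAC under our key does."""
        nonce = secrets.token_hex(8)
        issued = int(self.now())
        return f"{nonce}:{issued}:{self._mac(session_id, answer, nonce, issued)}"

    def verify(self, session_id: str, token: str, response: str) -> str:
        """Return 'ok', or the reason the submission was refused."""
        try:
            nonce, issued_s, mac = token.split(":")
            issued = int(issued_s)
        except ValueError:
            return "malformed"
        if self.now() - issued > self.ttl:
            return "expired"          # relay to a human farm took too long
        if nonce in self.consumed:
            return "replayed"         # solved once already, or a second guess
        # Single use: a wrong guess burns the challenge too, so there is no
        # unlimited online guessing against one image.
        self.consumed.add(nonce)
        expected = self._mac(session_id, response, nonce, issued)
        return "ok" if hmac.compare_digest(expected, mac) else "wrong"


if __name__ == "__main__":
    issuer = CaptchaIssuer(b"constructed-demo-key", ttl_seconds=30)
    token = issuer.issue("sess-1", "Kx7Pq2")
    print(issuer.verify("sess-1", token, "kx7pq2"))   # ok
    print(issuer.verify("sess-1", token, "kx7pq2"))   # replayed
    print(issuer.verify("sess-2", issuer.issue("sess-1", "abc"), "abc"))  # wrong (other session)
```

The window only bounds relay latency; a well-run human farm answers in seconds, so a 30-second TTL raises the attacker's cost and kills batch solving rather than stopping the attack outright. Pair it with per-session and per-IP rate limits on `issue`, and keep the `consumed` set in shared storage if more than one server verifies tokens.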
Asirra has no chance of success.
Users are usually dumb, with the will to be even dumber.
If you start forcing them to use their brain, they will rather search for the "X" button instead of the photos of cats...
However, ASCII art is available on the Drupal CMS and I started using it some time ago.
Seems to be fine for now.
Also
Another good thing is to use JavaScript along with the CAPTCHA, even simply an onmouseover effect above the CAPTCHA image (e.g. display the CAPTCHA image when the mouse is above a "fake" CAPTCHA image).
Bots usually don't do that
or use split CAPTCHA images with different z-index, animated GIFs (or just backgrounds)
Just use your imagination
Well, as you say: "perhaps proliferation and evolution of many different CAPTCHA techniques is the most effective prevention".
However, many of these CAPTCHA alternatives you mention are broken much more easily than your average "type the characters from the picture" CAPTCHA. So, how about just sticking with the image CAPTCHAs, but using much more randomness in your rendering - i.e. there's no need to distort the picture heavily, you just need to have a bunch of different not-so-distorted, easily readable CAPTCHA variants?
If you have a bunch of different algorithms (each requiring a different cracking approach), and switch them randomly (requiring the bot to be able to distinguish between them), bots will not get far.
Of course, coming up with continuous variations in your CAPTCHA rendering can be a part-time job on its own, but it is only necessary if you're a high-profile target - for most websites in existence, changing a broken CAPTCHA algorithm for a different one is going to be enough to solve your problems for a long while... Unless you have a cracker who's REALLY keen on spamming your site and your site only, enough to change his cracking approach every time you change the protection, even if it will never pay off (and as we know, most spammers are in it for money).
Let's face it: if you're Google, or Microsoft, or Yahoo - any of those "alternative" methods will be broken much faster than a new CAPTCHA rendering algorithm. Something to think about...
I was under the impression that it wasn't broken in the sense that machines were solving the CAPTCHAs automatically (via machine vision or whatever), but by duping humans into solving them (unknowingly, on a different site) in order to make money or get access to free porn
If that's the case, then Google's CAPTCHA generation algorithm isn't broken after all. These human farms would work against ANY Turing test.
Does anyone know for sure?
That is excellent food for thought. Distinguish a type of animal, bloody brilliant! At least then the captcha would be fun!
As with all anti-abuse measures, CAPTCHAs have to evolve to keep up; this is the nature of adversarial systems like anti-spam and anti-virus. Theyāll be broken eventually, by a sufficiently-determined attacker.
also:
"Of course there will be OpenID spam servers, but it's easier to control and ban them."
Great hand-waving assertion there, acemtp. Same way it's easier to control and ban mail servers originating spam in SMTP-land?