Different kind of CAPTCHA

Care to comment on renaming the textfields that we were speaking about above? I was thinking something like ...

$field_name = md5(md5($random_field_name)) ; 

PHP:

then keep the real name & scrambled name in a session so the correct info stays in the right field.

Obviously, if you have 1-3 fields you the crack attempt could use brute force but with 10 fields (how I would use it) It becomes much more difficult.

Also the video captcha got me thinking about animated gifs. Creating them server side would not work because of patents in place on gifs but a standard 100 or so of them might do the trick (sans brute force). Can .gifs (animated) be read the same way as 1 framed .jpgs? Something like ...



Also do you see the merit in javascript methods (kittenAuth or flickcha).

 

the name of the field won't make a lot of difference, neither will the amount of fields on the page, the pattern will still match inside one of those fields, and if the programmer ( not me ) can't get a pattern for each eventuality then they can just brute force and use the patterns they have.

I had actually written "like a video captcha, or gifs", then I deleted it because of the patent thing out of habbit, but last time I brought up the patent issue in a forum someone said it no longer applied, the patent had run out and thats why the gd library supports animated gifs now by default, but I'm not sure if that information is reliable, I'm also not sure if you can destruct the frames from a gif and read them but it has to be worlds harder to destruct a video or image than it is to recognize text, the very nature of webpages ( they are made of patterns, and they have to be to render correctly ) doesn't really allow for the above method to be affective in my opinion.

As for using javascript, that's a pretty stupid idea, again the javascript needs to be rendered by a browser, and if a browser can do it a programmer can just reverse engineer the code and void it's methods.....

None of these things I would ever spend time doing, I just thought I would point out the huge flaw in the plan of using text to verify someone is a human.

 

I think there will never be a long term, fool proof plan for this, that is not what I am shooting for. You will never be able to keep 100% of the spam out, but you can strive for 99% and live happily there. If someone wants in bad enough ...

It sounds as if the .gif or .mov captcha holds the most potential out of the bunch. Since most are not comfortable making video files or have a camera, I will take a look into that patent thingy.

Thanks Krak

 

I think using a bunch of frames ( gifs, pngs, jpegs, whatever ) and using something like ffmpeg or mencofer to either make one animated gif or output to a flash movie would be best, that is if normal captcha isn't good enough for you.

if I were any good at gfx I would make a "what", "where", "who", and a "why", then program a world capitals module, a math module, a general module that can query things like out of the following letters which one is uppercase : "dsfnjngRsdfkslfdn", a shapes module, a whatever else I could think of, then make a class that can load a "who", "what" etc at random and compile a question that makes sense, to which it already has the answer somewhere, if the question is too difficult they could request another question, this would also allow for people that are blind, or with partial site ( of which there are many that use the internet believe it or not ) to have the questions read to them with audio recordings, obviously thats way down the line, but the best approach I think would be that, if someone is willing to do whatever gfx I ask for, I'd be willing to make something that does it or have a go at least .....

 

i usually just do a normal image captcha and then add a second email field (if there's one already) and use the css 'display' property and set it to 'none' so that it is hidden. if it's a spam bot and bypasses the captcha, it's likely to fill out the hidden email field as well. so when you check values just be sure that it blank. just a second layer of security against these persistent buggers.

 

and if you want, to make it a 'little' more secure... you could have say 3 seperate questions regarding mathematical equasions or questions of some sort but instead of using text, generate the riddle in a normal captcha image. atleast that way the question can't be parsed out of the html and they would need some ocr software to decypher the question itself before submitting a logical answer. and having a multitude of questions, say 20-100 that can randomly be generated it's unlikely to generate the same question for each riddle layed out. just a thought...

 

OK, after doing a bit of research it does seem that the .gif patent (Unisys and IBM / US Patent #4,558,302) has expired from the last country late last year (USA expired in 2004 I think) so I guess it's a free for all now.

Following some of the advice given in this thread I have come up with an animated gif captcha system that I feel is pretty solid (not unbreakable but better than it's peers). Some of the features are ...

* Easy to read bold letters and numbers on a white background (bad eyes friendly)
* Random math equations so even 10 year olds can solve the question (165 different questions by default, more is possible with only minor changes)
* Random number of total frames rendered to throw the bots off a bit.
* 100% math (no language logic) so it breaks down any language barriers

I fully intend to release this to the public after it gets a few days of seasoning so ..........

Anyone who wants to try this out and give suggestions to why it sucks and how I can better accomplish this, let me know ... I'm pretty open to any comments. I purposely left out division (/) because some of the resulting numbers could be carried out to many decimal points and I wanted to make this as simple as possible.

Also, if your programming skills lie on the dark side ... please try to break it, I would love to see how secure it actually is. I've given some pointers as to how the program works on the page, Full source coming very soon.

@Ansi - I really like your idea of setting the display to hidden on an email field. I think this would work quite well as long as the css for it is not included in the input tag (like located in an external css file or even in the header).

@Krakjoe - I chose not to use your movie classes or flash options because of 1> speed and size of rendered movies(.gifs are traditionally very small in size). The resulting .gifs of this script are around 13 kb 2> Every browser I know of supports the .gif format (except straight text browsers like lynx, no captchas would work on that). Depending on the movie file type there might be some issues with apple's browsers displaying it. 3> I also do not like flash because it requires a plug-in to play (not included by default in most browsers). This reasoning keeps me away from using any javascript option as well (it can be turned off). The input you have given so far has been priceless, your review of this captcha system would be most welcomed.

ALSO, Because of the way the variables are stored I feel it would be easy to come up with a feature for the blind to "hear this equation" but am unsure how secure it would be. How good is voice recognition for spam bots? I know programs exist that listen to voices and type out what people are saying ... I feel that this might be a weak point if I allow this feature. Any comments from DP users about this side of it?

Or you perhaps have an idea on what features are missing from the script. The developer is open to criticism and just wants to make this as easy to use as possible.

 

it looks good. not to mention it works great as well. i am sure someone somewhere could break it but i don't see it happening tomorrow. as for the voice, a lot of websites use this but i honestly don't think that it is a good idea. i mean, with all the voice recognition software and such. hell, vista is shipped with it. would make things much easier imho. and as far as blind people on a computer, IT'S A COMPUTER. it's like wipin' before you poop, just doesn't make any damn sense... lol

 

great idea! I'm going to use this as well on my future applications.

 

Good job, I like that, can I get a look at sources please ????

 

What kind of Coding it is ?

 

Sure can ... PM sent.

The rest of you will have to wait a bit but I really feel this system is quite secure as everything is random
from the total # of frames
to the numbers used
to the operators
to the total time elapsed

&& it's totally readable to humans and logical enough for a 10 yr. old to comprehend.

And as an added bonus .... it does not even depend on the gd library being installed.

 

The best solution, IMO, would be to have the user select a picture out of a list. Ask them to choose the picture of a duck, for instance, among a set of seven animals.

For added security, make the selection out of checkboxes instead of radio buttons, voiding submission if multiple pictures are checked.

Of course, the order of the images and the image to select would be dynamically generated. You could even use different sets of pictures, such as animals, colors, shapes, etc.

Hell, you could even add animated GIF images and use random field names.

 

oh yeah i can see it now, a 4x4" square for human interaction. try and make that look good hehe

 

The problem I see with that is that they could take up a lot of room. Those common CAPTCHA images don't take up much room at all...

 

This is goooood, I like it......

 

i don't like image captcha at all, what about the blind ? your effectively stopping them from entering your site.
i like the whole question/answer idea, give them a single question like "whats the first letter of the word rabbit" and match the answer against your database.

 

Am going to get a mic today and attempt an audio class of the same, we had thought of the blind, the code has only just been started and its a good idea

It doensn't matter how complicated you make your questions, in the end if they are built from dynamic data ( a database ) and shown as plain text, then they can be destructed by php or perl or even javascript or your preferred language.

Also, for the blind people, it's a lot harder to make a database of recordings for random questions than it is to make a database of about 12 recordings, it's just not practical to have a random amount of questions, it's much easier and more effective to have a fixed amount of questions and a random amount of variables contained therein.