
This Form of CAPTCHA in PHP

Discussion in 'PHP' started by T0PS3O, Mar 6, 2006.

  1. #1
    Has anyone seen this variation on the CAPTCHA method in PHP? The inventor coded it in ASP and I don't fancy re-inventing the wheel.

    I hate the standard CAPTCHA method; on Blogger and many others I get it wrong myself way too often. Go figure what an average non-whizz would think of it. So I'm after the image interpretation method but need it in PHP. Has anyone seen such code?
     
    T0PS3O, Mar 6, 2006 IP
  2. mad4

    mad4 Peon

    #2
    I also find myself getting the words wrong in captchas and have never implemented them on my sites for this reason. Also I have never had a problem with bots or scripts trying to gain access, so I didn't want to solve a problem that didn't exist with a solution I wasn't happy with.

    There are certain sites that have very clear images that are easy to read and it would be interesting to know if their captcha scripts are ever beaten by hackers.

    If you don't find a php script for this then let me know and I will make an open source one - it would be an interesting project to try and create a next generation captcha script.
     
    mad4, Mar 6, 2006 IP
  3. mariush

    mariush Peon

    #3
    My guess is that this variation is way easier to crack...

    I mean, 6 pictures max, 1 out of six is correct.

    I could easily write a little tool that would have a large collection of proxies (if really needed, seems his implementation does not check for proxies) and start opening the page and selecting all the time one of the options. I'm estimating it would take about 10-14 refreshes to actually post a message.

    Indeed, his solution is very human friendly and computers can not determine what is inside a picture easily at this time. But a computer can simply try a few times using the same option and get over it.

    A better solution (and human friendly) would be something like this:

    [IMG]

    Yes, I've made it in Paint :)
     
    mariush, Mar 6, 2006 IP
  4. T0PS3O

    T0PS3O Feel Good PLC

    #4
    Standard text based captchas are being cracked all over the shop. OCR is pretty easy apparently, hence the image idea - something computers consistently fail to do well at (hence the Amazon Turk project).

    Problem is with popular scripts you are more vulnerable because a hacker/spammer would rather crack a widely used package as opposed to a custom fit one. But then again, if you fancy coding it then that would be great. Just try and implement means of making it very unique even if many people use it.

    Free clipart libraries should be widely available. I'll help you out if we don't find an existing solution.

    Re: mariush

    Adding code that counts the attempts made is fairly easy. Even if they use proxies, if your library is large enough they will hit too many fails. Even if one comes through it's not 'cracked' yet, since they still don't know the answers, they are just predicting the rolling of a dice as it were. They'd start from scratch every new attempt.

    Like Mad4, I don't have a massive spam problem, so it's not like we're fending off big boys.
     
    T0PS3O, Mar 6, 2006 IP
  5. mad4

    mad4 Peon

    #5
    Looking at the picture you posted I don't think it looks very human friendly at all. Are we supposed to add up the numbers? If so then people will get the sums wrong and it will annoy the less mathematical amongst us.

    Any system relying on people selecting images could be cracked by a program trying different combinations at random. Eventually it would succeed. A system like this would need to only allow users a maximum of 5 tries, for example, to prevent this.

    Edit - just thinking outside the box and remembering something shawn did with a Hummer picture: maybe if the user had to 'draw' an image (for example a red hummer or a green cat with a big tail) this would be a bit more interactive and intuitive?
     
    mad4, Mar 6, 2006 IP
  6. T0PS3O

    T0PS3O Feel Good PLC

    #6
    I checked through most of the many CAPTCHAs at phpclasses.org but they're all the usual ones unfortunately.

    Besides randomizing the images, you can also randomize the form values so it's harder to input values into variables (because you don't know the names).
     
    T0PS3O, Mar 6, 2006 IP
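    A server-side sketch of what posts #3 to #6 argue over, added here as an example rather than code from the thread: single-use image challenges, a counter that caps consecutive failures, and a randomised answer-field name. It assumes PHP 7.1+ (random_int, random_bytes, hash_equals, nullable types), that session_start() has already run, and a constructed six-image pool.

```php
<?php
// Added example, not code from this thread: a session-bound image CAPTCHA
// with single-use challenges, a failure cap (posts #3-#5) and a randomised
// answer-field name (post #6). Assumes PHP 7.1+ and that session_start() ran.

const CAPTCHA_MAX_FAILS = 3;    // consecutive failures before lockout
const CAPTCHA_TTL       = 300;  // seconds a challenge stays valid

// Constructed image pool: file shown => label the visitor must pick.
const CAPTCHA_POOL = [
    'img1.png' => 'cat', 'img2.png' => 'dog',  'img3.png' => 'drums',
    'img4.png' => 'car', 'img5.png' => 'tree', 'img6.png' => 'boat',
];

// Issue a fresh challenge; the answer stays server-side, never in the form.
function captcha_new_challenge(array &$session, array $pool = CAPTCHA_POOL): array {
    $files  = array_keys($pool);
    $file   = $files[random_int(0, count($files) - 1)];
    $labels = array_values($pool);
    shuffle($labels);                           // option order differs per page
    $field  = 'f' . bin2hex(random_bytes(8));   // unguessable field name
    $session['captcha'] = ['answer' => $pool[$file], 'field' => $field,
                           'issued' => time()];
    return ['image' => $file, 'options' => $labels, 'field' => $field];
}

// Check a submission. The challenge is discarded whether or not the answer
// is right, so a bot never gets a second try at the same answer, and after
// CAPTCHA_MAX_FAILS misses the session is refused until it is reset.
function captcha_verify(array &$session, array $post, ?int $now = null): bool {
    $now   = $now ?? time();
    $c     = $session['captcha'] ?? null;
    unset($session['captcha']);                 // single use
    $fails = $session['captcha_fails'] ?? 0;
    if ($fails >= CAPTCHA_MAX_FAILS) {
        return false;                           // locked out, do not even look
    }
    $field = $c['field'] ?? null;
    $given = $field !== null && isset($post[$field]) && is_string($post[$field])
        ? strtolower(trim($post[$field])) : '';
    $ok = $c !== null
        && $now - $c['issued'] <= CAPTCHA_TTL
        && hash_equals($c['answer'], $given);
    $session['captcha_fails'] = $ok ? 0 : $fails + 1;
    return $ok;
}
```

    With six options, even a three-failure cap leaves a random guesser a 1 - (5/6)^3, roughly 42%, chance per session, which is mariush's point: the size of the image library does the real work, not the cap. A counter kept only in the session is reset by starting a new session, so it needs per-IP rate limiting alongside it.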
  7. mad4

    mad4 Peon

    #7
    Thinking about this over lunch the key is creating some images that can't easily be recognised by a program. This is obviously why sites have such hard to read text in the conventional captchas.

    My best thoughts so far are having a database of images with a one word description of what the image is (eg cat, dog, car etc). To validate yourself as a valid user you need to look at a picture and state what it is in a text box. Your input is then validated against the appropriate entry in the database.

    Obviously the key would be for anybody using the script to have their own images of cats or dogs etc so that a hack for the script has to be written on a per site basis rather than one program working to hack every site.

    Sites could even use images appropriate to their own sites for example a fishing site could have a hook, net reel etc.

    Any comments?
     
    mad4, Mar 6, 2006 IP
  8. T0PS3O

    T0PS3O Feel Good PLC

    #8
    That's what they did here: http://www.captcha.net/captchas/pix/ but using a drop-down. But I didn't like it. If you let the end user type the answer you introduce many ways of possible errors. I like the 'pick the "drums"'. I can not think of a programmatical way for bots to find the drums. You'll have to parse the image pixel by pixel and do pattern matching against known images of drums. Virtually impossible at the scale we're talking about (i.e. no entire University or Google department with tons of server power will try and beat my CAPTCHA).

    Jason Mauer has the right idea IMO.
     
    T0PS3O, Mar 6, 2006 IP
  9. mariush

    mariush Peon

    #9
    Hmm, I thought it would be very easy. The user is supposed to find the answer to:

    40 + 7 - (6/2), then add 5.

    The idea is to not use the same fonts, or not use fonts at all; handwriting is much harder to recognize. Also, a good idea would be to use two or three colors to draw one letter.

    I actually found the captcha project at that university much harder; I had to think for about 2 minutes about what it could be when it showed a bottle of medicine saying Pepto-Bismol, guess it's some stomach medicine. But the answer could have been muscles, bra, woman, body and so on... people could make mistakes.

    I have actually performed a test on Jason's system: I clicked refresh 15 times on one of his posts. These are the results:

    Attempt:         01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
    Correct answer:   5  2  1  2  2  2  2  5  3  4  1  4  5  3  1

    Guess 1, 2, 5 are favourites. Would have spammed the blog within 5 attempts.
     
    mariush, Mar 6, 2006 IP
  10. T0PS3O

    T0PS3O Feel Good PLC

    #10
    Same here. I got 4 images of a woman. Answer turned out to be girl. Not as obvious as it may seem and if it takes more than 10 seconds I think our visitors will get ticked off.

    I just had another idea I haven't seen before.

    Can we not create animated GIFs on the fly? You could animate showing 3 simple words in succession, or 2 words and an image. Say 'cat', 'dog', '[image of bird]'.

    I know how to generate stills on the fly but can PHP's image libraries generate animated gifs?
     
    T0PS3O, Mar 6, 2006 IP
  11. mad4

    mad4 Peon

    #11
    http://www.boutell.com/gd/ says that gd 2.0.29 added animated gif support so this shouldn't be a problem.

    We could have an array of words and the script chooses 3 words at random to display in the animated gif (one word per frame) and the user has to write the words down in a text box in the correct order.

    Is this what you had in mind?
     
    mad4, Mar 6, 2006 IP
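    The three-word scheme mad4 describes in post #11, as an added example that is not code from this thread. It assumes PHP 7+ with the GD extension and a constructed word list (the fishing words come from post #7). One caveat for anyone building on the gd 2.0.29 note: PHP's GD extension does not expose libgd's animated-GIF writer, so this sketch renders each frame separately; joining them into one animated GIF needs a separate encoder.

```php
<?php
// Added example, not code from this thread: the three-word sequence
// CAPTCHA from post #11. Picks three words, keeps them in the session,
// renders one GD frame per word, and checks the typed words in order.
// Assumes PHP 7+ with GD. PHP's GD has no animated-GIF writer, so the
// frames are returned one by one; an encoder must assemble the animation.

const WORD_LIST = ['cat', 'dog', 'bird', 'boat', 'lamp', 'hook', 'reel', 'net'];
const WORDS_PER_CHALLENGE = 3;

// Choose the words and remember them server-side, never in the form.
function wordseq_new_challenge(array &$session, array $words = WORD_LIST): array {
    $pick = [];
    $pool = array_values($words);
    for ($i = 0; $i < WORDS_PER_CHALLENGE; $i++) {
        $k = random_int(0, count($pool) - 1);
        $pick[] = $pool[$k];
        array_splice($pool, $k, 1);          // no repeats within one challenge
    }
    $session['wordseq'] = ['words' => $pick, 'issued' => time()];
    return $pick;
}

// Render one word as a GIF frame (binary string) with a random colour and
// offset so two challenges never produce byte-identical frames.
function wordseq_frame(string $word): string {
    $im = imagecreatetruecolor(120, 40);
    $bg = imagecolorallocate($im, random_int(200, 255), random_int(200, 255), random_int(200, 255));
    $fg = imagecolorallocate($im, random_int(0, 90), random_int(0, 90), random_int(0, 90));
    imagefill($im, 0, 0, $bg);
    imagestring($im, 5, random_int(4, 30), random_int(4, 20), $word, $fg);
    ob_start();
    imagegif($im);                           // no filename: writes to output
    imagedestroy($im);
    return ob_get_clean();
}

// Order matters: "cat dog bird" passes, "dog cat bird" does not.
function wordseq_verify(array &$session, string $typed): bool {
    $c = $session['wordseq'] ?? null;
    unset($session['wordseq']);              // single use, as in post #4
    if ($c === null) {
        return false;
    }
    $given = implode(' ', preg_split('/\s+/', strtolower(trim($typed)), -1, PREG_SPLIT_NO_EMPTY));
    return hash_equals(implode(' ', $c['words']), $given);
}
```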
  12. T0PS3O

    T0PS3O Feel Good PLC

    #12
    Yeah, pretty much what I was thinking of. Can a bot easily save an animated gif and rip the frames apart?
     
    T0PS3O, Mar 6, 2006 IP
  13. relixx

    relixx Active Member

    #13
    Well, I was reading an article a while ago that offered another approach: you randomly generate the text with different colours, then print out an image saying "type in the 3rd letter from the left, after the 1st blue one" or something. Much more difficult to crack with a bot. Unfortunately, the simplest way is to hire a sweat shop, which is what blackhats do :(
     
    relixx, Mar 6, 2006 IP
  14. mad4

    mad4 Peon

    #14
    Personally I think that making it hard for the bots is secondary to making it easy for actual users.

    This is what the usual captcha scripts seem to forget - we spend lots of time trying to get visitors to our sites and then put them off by making them jump through too many hoops.

    As long as the script offers protection against most bots I would be happy to use it I think.
     
    mad4, Mar 6, 2006 IP
  15. tccoder

    tccoder Peon

    #15
    There is no such thing as a perfect captcha system.. to be honest any captcha system can be beaten with enough work and coding..

    but the best way to go is randomize everything..

    randomize fonts.. lines, curves, letters, font color.. background colors, everything.. makes it hard for an um "cracker" to have targets in your image to hook onto and use as a guideline for determining the values..

    also, captcha systems are a bit obsolete.. I am actually writing a paper on php security right now about Prevention of automated tools.. the example codes in there can of course be used to prevent automated messagers/signups etc..
     
    tccoder, Mar 7, 2006 IP
  16. T0PS3O

    T0PS3O Feel Good PLC

    #16
    Can you lift the lid a little? What is your solution to it then?
     
    T0PS3O, Mar 7, 2006 IP
  17. mad4

    mad4 Peon

    #17
    It seems that they have been implemented on a load of sites without due consideration for the usability aspects. The catch-22 situation is that to make them more secure you need to make them harder to read, and this makes them difficult to use.

    With the tools available and the technology powering sites these days I would be surprised if there is not a better solution to the problem - even if we have to come up with it ourselves.
     
    mad4, Mar 7, 2006 IP
  18. T0PS3O

    T0PS3O Feel Good PLC

    #18
    Did you see the other solutions from 'the Captcha Project' besides the Pix one I linked to? They have an audio one as well (though not everyone has speakers / working ears) and an IQ test like equation. Though that one takes too long IMO and takes your mind off whatever you were doing on that site in the first place.

    So there is some innovation, just no real solution yet.
     
    T0PS3O, Mar 7, 2006 IP
  19. mad4

    mad4 Peon

    #19
    You have hit the nail on the head here. For me to implement something on a site I need to see a demo and straight away think "That was easy" or "wow, neat idea".
     
    mad4, Mar 7, 2006 IP
  20. T0PS3O

    T0PS3O Feel Good PLC

    #20
    I've seen banks send SMS with verification codes. That's pretty fail-proof but way too complicated for not-so-sensitive websites.

    I'll spend some quiet time thinking about this over the next couple of weeks (not much time available unfortunately). See if something comes up.
     
    T0PS3O, Mar 7, 2006 IP