Comments on: CAPTCHA images and your website http://www.tmprod.com/blog/2008/captcha-images-your-website/ Web Development & Internet Marketing Blog Wed, 01 Feb 2012 15:20:31 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Zac http://www.tmprod.com/blog/2008/captcha-images-your-website/comment-page-1/#comment-27 Zac Fri, 17 Oct 2008 19:54:47 +0000 http://www.tmprod.com/blog/?p=93#comment-27 As long as the "Crayola" captcha results in a real word (as yours shows "insane"), it's very easy for a human to determine the answer. For example, if I couldn't quite tell if the first letter was an "l" or an "i," the second choice is obvious since there's no English word "lnsane." It's when the captcha is simply a string of random letters (or letters plus numbers) that people have problems -- too many letters look like other letters if they're distorted enough, and also depending upon the font in use. I've also seen math questions employed, such as, "What is four plus three (type the numerical answer in the box below)." At first glance this would seem to be very effective, especially since the addends are spelled out rather than expressed in numbers. But I also wonder if a brute-force attack might defeat it, since I don't recall seeing anything beyond a single digit answer. Thoughts? I also found it curious that my ability to post a comment here was unrestricted by the use of a captcha. Irony in play? As long as the “Crayola” captcha results in a real word (as yours shows “insane”), it’s very easy for a human to determine the answer. For example, if I couldn’t quite tell if the first letter was an “l” or an “i,” the second choice is obvious since there’s no English word “lnsane.” It’s when the captcha is simply a string of random letters (or letters plus numbers) that people have problems — too many letters look like other letters if they’re distorted enough, and also depending upon the font in use.

I’ve also seen math questions employed, such as, “What is four plus three (type the numerical answer in the box below).” At first glance this would seem to be very effective, especially since the addends are spelled out rather than expressed in numbers. But I also wonder if a brute-force attack might defeat it, since I don’t recall seeing anything beyond a single digit answer. Thoughts?

I also found it curious that my ability to post a comment here was unrestricted by the use of a captcha. Irony in play?

]]> By: Eric http://www.tmprod.com/blog/2008/captcha-images-your-website/comment-page-1/#comment-28 Eric Fri, 17 Oct 2008 19:17:00 +0000 http://www.tmprod.com/blog/?p=93#comment-28 Thanks for commenting Zac, Theres no doubt in my mind that the Crayola Captcha was easy to read. A handful of people out of thousands complained about its ease of use. But the guy that signs our paychecks decided it was too ugly and therefore we changed to captcha 2. Crayola captcha was indeed ugly, but effective, regardless of case or actually being a real word. All of the captchas I've built are based on a string of possible characters, with characters such as 1, l, i, etc stripped out so that there is no way to confuse such characters with another that looks like it. Math questions as captchas are, in my experience, about as crackable as a static word inside a p tag. I've been urged to try them out, and they nearly always fail. And you're right about brute force attacks, as most people don't want to be bothered by answering 521671+314229/99 * (6296+302-619), squared, and therefore they'll be a simple math problem which results in a grand total of 100 possible answers, which could be brute forced in about 1/1,000,000 of a second on any PII processor with 4mb RAM. I wish we were that creative and ironic though Zac. The reason we don't use any kind of Captcha on our blogs (or our clients blogs for that matter) is because we use a service called <a href="http://akismet.com/" title="askimet spam stopper" rel="nofollow">Askimet</a>, which stops spam in its tracks without the use of a capatcha or other security device. Go check it out, especially if you have a blog! Thanks for commenting Zac,
Theres no doubt in my mind that the Crayola Captcha was easy to read. A handful of people out of thousands complained about its ease of use. But the guy that signs our paychecks decided it was too ugly and therefore we changed to captcha 2. Crayola captcha was indeed ugly, but effective, regardless of case or actually being a real word. All of the captchas I’ve built are based on a string of possible characters, with characters such as 1, l, i, etc stripped out so that there is no way to confuse such characters with another that looks like it.

Math questions as captchas are, in my experience, about as crackable as a static word inside a p tag. I’ve been urged to try them out, and they nearly always fail. And you’re right about brute force attacks, as most people don’t want to be bothered by answering 521671+314229/99 * (6296+302-619), squared, and therefore they’ll be a simple math problem which results in a grand total of 100 possible answers, which could be brute forced in about 1/1,000,000 of a second on any PII processor with 4mb RAM.

I wish we were that creative and ironic though Zac. The reason we don’t use any kind of Captcha on our blogs (or our clients blogs for that matter) is because we use a service called Askimet, which stops spam in its tracks without the use of a capatcha or other security device. Go check it out, especially if you have a blog!

]]>