Improving a CAPTCHA - An idea

Published 31 January 5 12:20 AM | William

Ok, so you have probably already heard about all of the controversy my homey KC caused with his Captcha beater. He posted his suggestions on how to make Captcha stronger, which are provided below:

  • render the characters with different colors
  • make some characters darker than the background, and some lighter
  • use gradient colors for the backgrounds and the characters
  • don't align all the characters vertically
  • don't make the answers words, so that a dictionary could be used
  • use more characters and symbols
  • use uppercase and lowercase characters
  • use a different number of characters each time
  • rotate some of the characters more drastically (i.e. upside down)
  • do more overlapping of characters
  • make some pixels of a single character not touching
  • have grid lines that cross over the characters with their same color
  • consider asking natural language questions
But I was thinking about an addition. In my building, we have an access code to get in the building on weekends and extreme hours - and you basically punch in your code. The buttons are all LED so the numbers appear lit up vs. being painted on or hard coded. However it's got one neat twist to it -- when you hit an “Enter Code” button, since it's LED, the numbers appear in a scrambled format. So you never know where any given number is going to show up. This is done, ostensibly, to keep someone from looking over your shoulder and figuring out what you just punched.

So, how does this relate to captcha? Well, randomly, you could attach a number to either the top, bottom, left or right of a given character. So if 'a' was the first character, but it had a 3 next to it - it would need to be entered third. You could rotate the numbers around different parts of the letters to help prevent reading across - bottom etc - and it would have the side benefit of making it more difficult to figure out the base numbers. And if you really wanted to get tricky, you could make it so you appended some other crap in front of the number just to really throw a monkey wrench into the process. Also, you could embed something like “ALL CAP LETTERS” so even if there was an 'a', you'd need to enter an 'A'. So far from what I've been toying with - writing this is a whole lot easier than reading it will be (which is good) - b/c I'm trying to copy what Casey did and just getting the pixels is enough of a pain in the a33 for me to get frustrated.
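The ordering idea above, sketched as the server-side half of such a CAPTCHA: it builds the scrambled tiles, works out the answer the user should type, and checks a submission. This is an added example, not code from the original post or from KC's work; the function names, the alphabet and the tile fields are assumptions, and image rendering is left out.

```python
import hmac
import secrets

# Assumed alphabet: look-alike characters (0/O, 1/l/I) are left out.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"
SIDES = ("top", "bottom", "left", "right")
_rng = secrets.SystemRandom()  # OS-backed randomness, not a seedable PRNG


def expected_answer(tiles, force_upper):
    """Read the tiles in label order, then apply the embedded instruction."""
    ordered = sorted(tiles, key=lambda t: t["enter_at"])
    text = "".join(t["char"] for t in ordered)
    return text.upper() if force_upper else text


def make_challenge(length=5, force_upper=None):
    """Return (tiles, instruction, answer) for one challenge.

    tiles is the left-to-right display order. Each tile holds the character,
    the 1-based position at which it must be typed, and the side of the glyph
    where a renderer would draw that position number.
    """
    order = list(range(1, length + 1))
    _rng.shuffle(order)  # scrambled like the keypad digits
    if force_upper is None:
        force_upper = _rng.random() < 0.5
    tiles = [{"char": _rng.choice(ALPHABET), "enter_at": n,
              "label_side": _rng.choice(SIDES)} for n in order]
    instruction = "ALL CAP LETTERS" if force_upper else ""
    return tiles, instruction, expected_answer(tiles, force_upper)


def verify(submitted, answer):
    """Constant-time comparison of the user's entry with the stored answer."""
    return hmac.compare_digest(submitted.encode(), answer.encode())


# Constructed sample: 'a' is displayed first but labelled 3, so it is typed third.
SAMPLE = [
    {"char": "a", "enter_at": 3, "label_side": "top"},
    {"char": "K", "enter_at": 1, "label_side": "left"},
    {"char": "7", "enter_at": 2, "label_side": "bottom"},
]
```

Only the rendered image and the instruction text go to the browser; the answer stays in server-side session state and is discarded after one attempt.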

    Comments

    # William said on January 31, 2005 12:44 AM:

    Dude it's been an interesting day for sure with the CAPTCHA episode.

    We all could use some comic relief.

    So for funny comic relief go to this site I just found. It will totally make you laugh and take your mind off all things tech:
    http://helookslike.blogspot.com/

    I d@mn near sh!t myself I laughed so hard at some of these.

    # William said on January 31, 2005 3:42 AM:

    Andy: them "helookslike" nearly cracked me up here!!! was reading it while on the phone with a client (on hold actually) and couldn't stop laughing when i was connected!!!

    damn that was some funny shite!

    # William said on January 31, 2005 4:21 AM:

    Why don't we have something like ---

    5 or more comments in your comment - and the blog gives the comment poster a 110V Jolt thru two wires taped to his nipples.

    # William said on January 31, 2005 8:52 AM:

    Sorry I meant HREFs

    # William said on January 31, 2005 9:09 AM:

    I don't think that's the way to go. Computers have gotten good at doing character recognition ... even with a bunch of noise. CAPTCHA really needs to use something that computers aren't good at yet ... which is natural language processing. Then the problem is you have to have a large dictionary of questions

    # William said on January 31, 2005 9:10 AM:

    Yah, you're probably right.

    # William said on January 31, 2005 5:05 PM:

    I got the perfect solution. Tell every company out there who does any OCR work to stop. Stop teaching your computer character recognition and we can develop a CAPTCHA that will be hard(er) to recognize.

    Casey is right though. As long as computers generate it, a computer can read it (eventually). As we put more "humanity" into computers trying to tell them apart will become more difficult as time progresses. Eventually this will become a big enough problem to throw a real solution at (CAPTCHA specifically, not comment spam it's already big enough with no solutions). Trying to tell a human and computer apart in 50 years may be physically impossible if we don't start dealing with it now. Using that as a method to combat spam is dumb though because even spammers are people and they can circumvent it anyway. It prevents bot spam or mass spamming but again doesn't solve the root cause, just a symptom.

    Hopefully other people will realize why CAPTCHA isn't good enough for comment spam. It's a layer, a very annoying layer that helps but doesn't cure. Hopefully now that it's becoming easier to break these things, people will get rid of them altogether for real solutions. I don't think anything can be a cure to the problem though but through a couple of layers can slow spam down to being almost negligible.

    # William said on January 31, 2005 7:17 PM:

    It would all be stopped if you had a registration process...

    simple as that.. :)

    # William said on January 31, 2005 7:22 PM:

    Brian:

    Actually it wouldn't - that's what KC's point about Social Engineering and Yahoo was. We don't get spammed enough for it to be a big deal - this thing is consuming wayyyyyyyyyyyy too much energy ;-)

    # William said on February 1, 2005 8:02 PM:

    Bill:

    i get spammed tons on DNJ and spend around 30 minutes a day going through my comments to remove shit!

    that's 30x31/60=15 1/2 hours a month..could of course be that the reason it takes me so long is because i get pretty sqlparameter errors half the time..

    anyways it all adds up and i for one is fed up with it..i think i'll have to look into this some more! maybe find some way to get around it - but with smart people like KC out there it's really damn hard..

    could we vote for a frontal lobotomy for KC - at least to bring his brain functions down to a normal level?
