Pete,

I like Guillermo's idea too, for a number of reasons. But any captcha idea deserves some scrutiny on the basis of its strength against bot authors, how difficult it would be to implement, and how cumbersome or invasive it would be for humans. Your derivative of the idea sounds a bit cumbersome for users, for example.

It seems that one of the challenges of a good captcha is finding the right balance between strength against bot authors and not being a problem for humans. In the case of the TicketMaster site, there was so much distortion in the character-code images, and so much noise on the sound bites, that it became a difficult human hurdle too.

During this discussion, I've swayed back and forth between the different options mentioned. At first I was leaning toward just using random-looking CSS and JavaScript injection, but the more I thought about that idea the more it became clear that a bot author could bind their program to the IE or GECKO DOM engines, and "see" what was going on under the covers. A script kiddie with Visual Basic and .Net could overcome the captcha.

Images of familiar people, places, and things can't be deciphered by OCR technology, plus it solves the problem of having high degrees of noise in sound files, and distortion in character-code image files, that are hard for humans, too.

A human won't have a problem deciphering a familiar person, place, or thing. That's nice, but how much work is it to assemble a large enough sampling of images that the captcha could survive iterative probing and learning from a bot?

If one does go through the effort of assembling and cataloging an image library, one thing that may help would be to use Photoshop filters (or something comparable) to generate a lot of different image files of the same subject - like a cat with varying colors, opacity, and so forth that wouldn't be any problem for humans, but make it harder for a bot author to obtain a signature on the image.

Nathan.




----- Original Message ----
From: Pete Helgren <Pete@xxxxxxxxxx>
To: Web Enabling the AS400 / iSeries <web400@xxxxxxxxxxxx>
Sent: Wednesday, September 3, 2008 11:55:24 AM
Subject: Re: [WEB400] CAPTCHA image validation in web form

I guess I misread that post but the more I think about it, the better
the idea seems to me. You could have 7 images, generated in random
order and that followed by the statement that says: "Click on the image
of the boat" and allow the selection. If it is correct, perhaps
challenge them with a second randomly generated set of images with a
second statement.

If the answer is incorrect, generate a new set of images and a new
statement: "Click on the image of the Cat". Correct selections are
verified at the server with a few seconds delay to avoid a brute force
attack.

I also thought the discussion about image sizes and characteristics to
be interesting as well. With some randomness in colors, images, sizes
and resolutions, you could probably have a small number of images that
could be manipulated into a large number of variants, making an automated
method of guessing correctly difficult to accomplish.

Interesting discussion.

Pete
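
Added example, not code from this thread or from either poster: one way to build the server side of the click-the-image challenge discussed above, with seven images in random order, a random variant per subject, a single-use answer checked on the server, and a pause before each verdict. The catalog contents and every name in it (`CATALOG`, `PENDING`, `new_challenge`, `image_file`, `verify`) are assumptions made for illustration.

```python
import secrets
import time

# Constructed catalog: subject -> pre-generated variants (recoloured, resized, ...).
# File names stay on the server; they would give the subject away.
CATALOG = {
    "boat": ["boat_1.png", "boat_2.png"], "cat": ["cat_1.png", "cat_2.png"],
    "dog": ["dog_1.png", "dog_2.png"], "tree": ["tree_1.png", "tree_2.png"],
    "car": ["car_1.png", "car_2.png"], "house": ["house_1.png", "house_2.png"],
    "clock": ["clock_1.png", "clock_2.png"], "bridge": ["bridge_1.png", "bridge_2.png"],
}
RNG = secrets.SystemRandom()  # OS randomness, so image order and target are not predictable
PENDING = {}                  # challenge id -> server-side state, never sent to the browser

def new_challenge(n_images=7):
    """Build one challenge: n_images subjects in random order, one of them the target."""
    subjects = RNG.sample(sorted(CATALOG), n_images)
    target = RNG.choice(subjects)
    files = {}
    for subject in subjects:
        token = secrets.token_urlsafe(16)            # fresh per challenge, reveals nothing
        files[token] = RNG.choice(CATALOG[subject])  # random variant of this subject
        if subject == target:
            answer = token
    challenge_id = secrets.token_urlsafe(16)
    PENDING[challenge_id] = {"answer": answer, "files": files}
    return {"id": challenge_id,
            "prompt": f"Click on the image of the {target}",
            "tokens": list(files)}  # what the page embeds as image references

def image_file(challenge_id, token):
    """Resolve a token to the file to stream; the browser only ever sees the token."""
    state = PENDING.get(challenge_id)
    return state["files"].get(token) if state else None

def verify(challenge_id, token, delay=3.0):
    """Check a click on the server. Every challenge is single-use, right or wrong."""
    state = PENDING.pop(challenge_id, None)  # a miss cannot be retried on the same set
    time.sleep(delay)                        # fixed pause slows automated guessing
    return state is not None and secrets.compare_digest(
        state["answer"].encode(), str(token).encode())
```

After a `False` result the caller issues a fresh `new_challenge()`, so each guess faces a new set and a new question. A deployed version would also expire unanswered entries in `PENDING` and tie each challenge to the visitor's session.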




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
