I find the most effective ones also make it impossible for me to read, endlessly pressing refresh for new images until I get a readable one and, bam, still wrong.
Security researchers have discovered the vast majority of text-based anti-spam tests are easily defeated. Computer scientists from Stanford University discovered 13 of 15 CAPTCHA schemes from popular websites were vulnerable to automated attacks. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans …
When I see a Captcha in use on a site, I distrust the security of that website. Using such an awkward system seems like a pointless sticky plaster to me. Surely it would be better to count the number of failed logins? Or check the speed of data entry?
The worst sites I find are those who use the Captcha on every login. At least wait until I have failed with my password before insisting I type in such an awkward looking image.
And those sites who use them at the bottom of a page full of data entry nearly always lose my trade. Nothing worse than having to fill in a WHOLE page of data again because of a mistyped captcha.
I hope more of this research helps kill off Captchas permanently.
"The problem is... there isn't a better solution"
Yeah, but like he said:
"Nothing worse than having to fill in a WHOLE page of data again because of a mistyped captcha."
How effing easy is it to create a web form that can REMEMBER what you just typed? And how effing stupid is it to abuse your customers by not doing that simple nicety? One of my pet peeves also. Sheesh!
I don't think you read any of my post did you? I was most upset about when these appear on a LOGIN page. What is the point? If you don't trust your own security, then adding a captcha isn't going to stop the hacker.
If you are running a website without the need for a login, then put that captcha onto a separate submission page or something. There is no excuse for making me retype ALL of my data again and again because the website is badly made.
The one they were using when I last had to go through a Google CAPTCHA a year or two back was brutal. I failed repeatedly, then tried the audio one, and failed on that twice before getting it. I was 1 failure away from asking a friend to register the account for me! I'll bet the computers had trouble with that one - either that, or I'm not a human.
I just went to see what they have now, and it's much more human-solvable than it was, and doesn't 'look' very hard to machine read.
This is nothing new, and to be honest nothing we didn't already know (if you're running a discussion forum, that is)
I wonder if the report author was aware that Google now owns reCAPTCHA.
Also, the report author is almost certainly not aware of a side issue which makes this redundant anyway: there is an entire industry forming in Asia that will for the princely sum of 1 USD proceed to solve 1000 CAPTCHAs for you. Spamming, then, needn't be quite so expensive.
That said, it's also well known that most of the CAPTCHAs are written by people who have never tried to actually solve them themselves, and figure that text + noise + distortion = profit. Which it doesn't, especially with the power of OCR improving all the time.
It is time to move past image-based CAPTCHA. Image-based CAPTCHA doesn't work for blind people or those with images disabled, and is increasingly easier for computers to solve.
We need a CAPTCHA which is accessible, easy for humans, and near impossible for computers. My own site has a bank of hundreds of questions and acceptable answers. This makes sure my posters have enough intelligence to productively participate, but does discriminate somewhat against people without a strong grasp of the English language. This bank supports multiple correct answers to account for alternate spellings, writing numbers out in numerals or words, etc. You would be surprised that no bot has correctly answered the question "Is ice hot or cold?"
Another approach would be to place a honeypot - something which looks like a CAPTCHA in the HTML code but doesn't appear when rendered by a browser. Bots would attempt to solve the CAPTCHA, but humans (not seeing the puzzle) would leave it blank. This approach will only work as long as it is in the minority or if it sometimes displays a true CAPTCHA to its visitors.
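One way to wire together the honeypot field and the question bank described in the comment above, plus the entry-speed check suggested earlier in the thread, as an added example that is not code from any commenter. The hidden field name `website`, the question bank contents and the 3-second threshold are constructed assumptions:

```python
import re
import time

# Constructed question bank (assumption): each question maps to every accepted
# form of its answer, e.g. numerals and words, as the commenter describes.
QUESTION_BANK = {
    "Is ice hot or cold?": {"cold"},
    "How many legs does a spider have?": {"8", "eight"},
    "What colour is the sky on a clear day?": {"blue"},
}

HONEYPOT_FIELD = "website"  # rendered in the HTML but hidden by CSS (assumed name)
MIN_SECONDS = 3             # a form posted faster than this was not typed by hand


def normalise(text):
    """Lower-case, drop punctuation and surrounding spaces before comparing."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).strip()


def check_submission(form, session, now=None):
    """Return None if the post looks human, else a short rejection reason.

    form    -- dict of posted field names to values (client-controlled)
    session -- server-side record of which question was served and when
               (never trusted from the client)
    """
    now = time.time() if now is None else now
    # 1. Honeypot: humans never see the field, so it must come back empty.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot filled"
    # 2. Speed of data entry: reject near-instant submissions.
    if now - session["rendered_at"] < MIN_SECONDS:
        return "submitted too fast"
    # 3. Question bank: compare the normalised answer with every accepted form.
    accepted = QUESTION_BANK.get(session["question"])
    if accepted is None:
        return "unknown question"
    if normalise(form.get("answer", "")) not in accepted:
        return "wrong answer"
    return None
```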
The problem is that sites like Wolfram Alpha and TrueKnowledge can answer these questions quite easily. I tried "Is ice hot or cold?" (http://www.trueknowledge.com/q/is_ice_hot_or_cold) and got a sentence that contains the word "cold". It wouldn't take much work to extract the answer you need, especially if you allow some leeway with spelling and so on.
One solution to the problem Ms. Handcart pointed out is to use trivia known to your target audience, but too inconsequential for inclusion in these general databases. For example, a forum about a game might use a question like "What color is the main character's hat?" An easy question for anyone who'd played it, or even seen the box art presumably, but it requires more context awareness than computers can muster as yet.
Your 2nd solution is to put a captcha in the HTML but ask the browser to not display it (which would have to be a tag in the HTML).
So let me see, the bot has to be good enough to try to solve the captcha but dumb enough to not check the browser hideme tag around it??
I'd stick to your colouring in books mate
First, if a website is going to be targeted (like GMail or the comments form for a WordPress page), it is first going to be viewed by the programmer to extract the basic requirements and makeup of the page. Sometimes this can be automated if your program can sniff out <form></form> tags and interpret. However, if the program isn't aware of the particular CAPTCHA method used, it can't effectively defeat it. The CAPTCHA could be cat and dog pictures for all the program knows. It, at best, would find common CAPTCHAs such as reCAPTCHA and the like, based on basic elements, such as external links or structure/naming.
Next, your CAPTCHA is good for your corner of the internet, but if you roll it out en masse, it will fail. Automated attacks using the aforementioned chatter-boxes (Wolfram Alpha, et al), or even easier: brute-force collection of your questions and a few hours of simple answering for an automated catalog. Security by obscurity fixes some. It's similar to those who think their self-grown encryption is actually better than AES or the like.
I run a forum which uses Recaptcha and I reckon I get 20-30 bot applicants every single day. I have to run second level checks against the IPs and email addresses to weed this crap down to acceptable levels and then wait a week before emailing out activation codes to the remainder. 3 levels of security for this bloody problem.
I think the only way to stop bots is to personalize every site in some way such that an automated attack simply doesn't work. It won't stop the attacks against the big targets but it might give respite against all the small fry. How to personalize every site? I'd suggest that forum software should implement a simple challenge / response language that allows someone to pose a question, perhaps relevant to the forum and reject answers which are incorrect. e.g. you sign up for an evolution forum and the question might be "Replace the hyphens to complete the name" - "Charles D--win". And so on.
A quick google shows that about the 5th answer in the list is the correct answer, and it's the first one with the right number of letters. reCAPTCHA actually has it right - it starts with something that computers can't read. Not perfect, but then, computers can read more things than people, these days...
That is, typing in "Charles D" and currently "Charles Darwin" is the first suggestion. But entering "Charles Dnnwin" gets you "Did you mean Charles Darwin?" and the first link is to the WP article for Charles Darwin.
For that matter, for "Is ice hot or cold" the first link is to the answer at wiki.answers.com : "Cold.duh."
I'm afraid knowledge-based tests are passé, we have Google to substitute for brains.
I had the same experience with reCAPTCHA. When I investigated, I found discussions that suggested reCAPTCHA had been broken with a pretty solid success rate by one of the forum spam bots. I switched to a custom question and answer system that required a certain amount of reading comprehension in order to answer (one says to leave the answer blank, for example), and so far it has worked great.
Maybe the solution is to design a task which is so unbearably illogical as to be computationally intractable and so deeply frustrating that a human CAPTCHA-beater would go completely insane if forced to complete it more than once. Something a bit like arranging an overdraft over the phone with a high street bank.
"the Stanford team suggest several approaches towards making CAPTCHAs harder to beat"
You only need one: don't use CAPTCHAs. They're largely useless, annoying to users, and have an idiotic name.
They were never a good idea, and have proven useful only for their moderately interesting impact on image processing and economics.
Biting the hand that feeds IT © 1998–2019