Comments on: Lesson two on what not to do with a CAPTCHA http://xato.com/windows-security/lesson-two-on-what-not-to-do-with-a-captcha Mark Burnetts Windows Security Mon, 01 Dec 2008 19:14:32 +0000 http://wordpress.org/?v=2.5.1 By: mb http://xato.com/windows-security/lesson-two-on-what-not-to-do-with-a-captcha#comment-266 mb Sun, 26 Aug 2007 00:37:05 +0000 http://xato.net/bl/2007/08/22/lesson-two-on-what-not-to-do-with-a-captcha/#comment-266 You are exactly correct, the CAPTCHA I use is a WordPress plugin by Peter's Custom Anti-Spam http://www.theblog.ca/?p=21 This particular CAPTCHA definitely sucks more than the ones I am criticizing but it is simply a first layer of protection that just reduces the number of comments I have to moderate. And it works well for that. It is important to distinguish the difference between the quest for the perfect CAPTCHA and the everyday application of CAPTCHAs. Most people agree that CAPTCHAs are fairly weak but fortunately they still work for now. Still, that doesn't excuse us from studying CAPTCHAs, analyzing the weaknesses, and learning to build more effective security measures for the future. You are exactly correct, the CAPTCHA I use is a WordPress plugin by Peter’s Custom Anti-Spam
http://www.theblog.ca/?p=21

This particular CAPTCHA definitely sucks more than the ones I am criticizing but it is simply a first layer of protection that just reduces the number of comments I have to moderate. And it works well for that.

It is important to distinguish the difference between the quest for the perfect CAPTCHA and the everyday application of CAPTCHAs. Most people agree that CAPTCHAs are fairly weak but fortunately they still work for now.

Still, that doesn’t excuse us from studying CAPTCHAs, analyzing the weaknesses, and learning to build more effective security measures for the future.

]]> By: redrum http://xato.com/windows-security/lesson-two-on-what-not-to-do-with-a-captcha#comment-265 redrum Sat, 25 Aug 2007 21:57:58 +0000 http://xato.net/bl/2007/08/22/lesson-two-on-what-not-to-do-with-a-captcha/#comment-265 great article :p i see this inviting anti-spam image you have, just waiting to be cracked.. correct me if i'm wrong, but one could simply change the antiselect variable in the image source to 1, and the word would always be plan great article :p
i see this inviting anti-spam image you have, just waiting to be cracked..
correct me if i’m wrong, but one could simply change the antiselect variable in the image source to 1, and the word would always be plan

]]> By: chaz http://xato.com/windows-security/lesson-two-on-what-not-to-do-with-a-captcha#comment-264 chaz Thu, 23 Aug 2007 08:52:48 +0000 http://xato.net/bl/2007/08/22/lesson-two-on-what-not-to-do-with-a-captcha/#comment-264 Unless you are hotmail, os someone else super-big, it really isn't efficient to break any cptacha. Hence, a super-simple, unchanging captcha is just as effective as those nasty wobbly spotty ones. I like your captcha a lot. Unless you are hotmail, os someone else super-big, it really isn’t efficient to break any cptacha. Hence, a super-simple, unchanging captcha is just as effective as those nasty wobbly spotty ones.

I like your captcha a lot.

]]> By: mb http://xato.com/windows-security/lesson-two-on-what-not-to-do-with-a-captcha#comment-263 mb Thu, 23 Aug 2007 06:35:21 +0000 http://xato.net/bl/2007/08/22/lesson-two-on-what-not-to-do-with-a-captcha/#comment-263 Thanks for adding that. It's good to see you thought that through. And thanks for providing your service to anyone for free. The point here isn't so much to point out flaws in any particular system, but to demonstrate in general what kinds of flaws do exist. It's also important to take this all into perspective: a CAPTCHA only slows down spammers and even something as simple as saying "Enter the letter Y in the following box" will usually accomplish just that. Nevertheless, even the best CAPTCHAs are flawed due to the nature of the technology itself. It's only through the constant analysis that our collective knowledge will further the technology. Thanks for adding that. It’s good to see you thought that through. And thanks for providing your service to anyone for free.

The point here isn’t so much to point out flaws in any particular system, but to demonstrate in general what kinds of flaws do exist.

It’s also important to take this all into perspective: a CAPTCHA only slows down spammers and even something as simple as saying “Enter the letter Y in the following box” will usually accomplish just that.

Nevertheless, even the best CAPTCHAs are flawed due to the nature of the technology itself. It’s only through the constant analysis that our collective knowledge will further the technology.

]]> By: Felix Holderied http://xato.com/windows-security/lesson-two-on-what-not-to-do-with-a-captcha#comment-262 Felix Holderied Thu, 23 Aug 2007 05:19:58 +0000 http://xato.net/bl/2007/08/22/lesson-two-on-what-not-to-do-with-a-captcha/#comment-262 Hi Mark, thanks for concerning about our system. You are right, it's a feature to choose the length and alphabet of the captcha code. But these parameters are chosen by the provider, using our system. Anyone can retrieve thousands of images from our server, where the code is fixed, e.g: http://image.captchas.net/?client=protector&random=xyz&letters=4&alphabet=zzzzzzzzzz But if the provider of a form has chosen the parameters letters=4 and alphabet=1234567890, it doesn't help to know the code from the parameters letters=4 alphabet=zzzzzzzzzz http://image.captchas.net/?client=protector&random=xyz&letters=4&alphabet=1234567890 For what you can use this "weakness", is to generate thousands of images to train an OCR. Regards, Felix Hi Mark, thanks for concerning about our system.

You are right, it’s a feature to choose the length and alphabet of the captcha code. But these parameters are chosen by the provider, using our system. Anyone can retrieve thousands of images from our server, where the code is fixed, e.g:
http://image.captchas.net/?client=protector&random=xyz&letters=4&alphabet=zzzzzzzzzz
But if the provider of a form has chosen the parameters letters=4 and alphabet=1234567890, it doesn’t help to know the code from the parameters letters=4 alphabet=zzzzzzzzzz
http://image.captchas.net/?client=protector&random=xyz&letters=4&alphabet=1234567890

For what you can use this “weakness”, is to generate thousands of images to train an OCR.

Regards, Felix

]]> By: mb http://xato.com/windows-security/lesson-two-on-what-not-to-do-with-a-captcha#comment-261 mb Thu, 23 Aug 2007 01:01:08 +0000 http://xato.net/bl/2007/08/22/lesson-two-on-what-not-to-do-with-a-captcha/#comment-261 Haha, great comment. Fortunately, despite all the weaknesses, even the worst CAPTCHAs still are effective in blocking spam. At least for now. Haha, great comment. Fortunately, despite all the weaknesses, even the worst CAPTCHAs still are effective in blocking spam. At least for now.

]]> By: TarraDog52 http://xato.com/windows-security/lesson-two-on-what-not-to-do-with-a-captcha#comment-260 TarraDog52 Thu, 23 Aug 2007 00:10:36 +0000 http://xato.net/bl/2007/08/22/lesson-two-on-what-not-to-do-with-a-captcha/#comment-260 I think it's pretty funny that the CAPTCHA used to enter this comment would be very easy to solve... I think it’s pretty funny that the CAPTCHA used to enter this comment would be very easy to solve…

]]>