The Internet Security

Evolution of the 'Captcha' 383

FireballX301 writes "The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well — is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"
This discussion has been archived. No new comments can be posted.

  • Alternative? (Score:3, Insightful)

    by morgan_greywolf ( 835522 ) on Monday June 11, 2007 @08:41AM (#19463995) Homepage Journal
    In my mind, anything that can be put out by an automated system for purposes of determining whether the communication on the other end is from an automated system can, with enough ingenuity, be answered by an automated system. IOW, all 'captchas' and similar methods are ultimately defeatable. It's an arms race, just like DRM: clever people will always figure out how to defeat what protections you put in place no matter how clever your protections are.
  • Great idea (Score:3, Insightful)

    by grimdawg ( 954902 ) on Monday June 11, 2007 @08:41AM (#19463997)
    What word did you have to type to prove you weren't a bot? A good sample might give us an insight into which words are used: why? I had to type 'interest' - which seems to have no real distinguishing feature.

    Are they chosen for any good reason, or are they completely arbitrary? Are there letters that bots have trouble with? Fonts? Who knows?

    The only thing that's sure is that every protection will eventually be broken.

    What's more, maybe if you can't solve a simple word puzzle, I don't want you registering at my site...
  • Re:Great idea (Score:5, Insightful)

    by Turn-X Alphonse ( 789240 ) on Monday June 11, 2007 @08:44AM (#19464007) Journal
    So people with eyesight problems aren't welcome on your site then?

    I have perfect vision and I struggle to tell if some S/5/Zs are one of the letters. The fonts and distortion are getting worse and worse to the point where it's usually 2 or 3 attempts before I can get one correctly, purely because letters are so distorted in them these days.
  • Captcha too hard (Score:5, Insightful)

    by aepervius ( 535155 ) on Monday June 11, 2007 @08:50AM (#19464049)
    OK, I am a bit shortsighted, but still, some of the captcha are so garbled with bright color random pixel/forms while the font color of what was to be read was light gray/pink/blue on white background (and naturally distorted) that frankly I swore loudly while trying for the 5th time to enter the correct random combo of lower case, upper case and digits.

    I am not sure if a picture is better, but it is definitely a step forward if I don't have to spend 5 times retrying.
  • by Anonymous Coward on Monday June 11, 2007 @08:53AM (#19464077)
    I always get annoyed by captchas.. it's like a forced human intelligence test.
    We know that humans are more intelligent than scripts, so I always thought it should be easier to test the lack of intelligence in scripts than proving intelligence in humans.

    For example just use a simple honeypot in a html form. Put a dummy input field in a form. You can hide the field with CSS/noscript tag or just mark it: "This field should be left intentionally blank" or something of that nature to make it more human friendly.

    Seeing that all form fields are generally blank, the spambot/script will fill your dummy field. On server side check if the field has data, ignore the submission. It would be a VERY intelligent script that could COMPREHEND the purpose of any particular html input field.

    my anonymous 2c
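
The honeypot field described in the comment above, as an added example that is not part of the original post. The field name `website`, the form markup and the sample request bodies are constructed for illustration; the third outcome (`review` when the decoy is missing altogether) goes one step beyond what the comment describes.

```python
from urllib.parse import parse_qs

HONEYPOT = "website"  # hypothetical decoy name; the real fields are name/comment

FORM_HTML = f"""<form method="post" action="/comment">
  <input name="name"> <textarea name="comment"></textarea>
  <!-- Decoy: hidden from people, visible to scripts that parse the markup -->
  <div style="display:none" aria-hidden="true">
    <label>This field should be left intentionally blank
      <input name="{HONEYPOT}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button>Post</button>
</form>"""


def classify_submission(body: str) -> str:
    """Return 'accept', 'drop' (decoy filled) or 'review' (decoy absent)."""
    # keep_blank_values=True: otherwise an empty decoy is discarded by the
    # parser and looks identical to a request that never sent it.
    fields = parse_qs(body, keep_blank_values=True)
    if HONEYPOT not in fields:
        # A browser submits every named text input, even empty ones, so a
        # missing decoy means the request was not built from the rendered form.
        return "review"
    if any(value.strip() for value in fields[HONEYPOT]):
        return "drop"
    return "accept"


# Constructed sample request bodies (application/x-www-form-urlencoded).
SAMPLES = {
    "human": "name=Ann&comment=Nice+article&website=",
    "form-filling bot": "name=x&comment=buy+now&website=http%3A%2F%2Fspam.example",
    "hand-built POST": "name=x&comment=buy+now",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:18} -> {classify_submission(body)}")
```
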
  • woah (Score:2, Insightful)

    by weighn ( 578357 ) <weighn.gmail@com> on Monday June 11, 2007 @08:55AM (#19464097) Homepage
    +5 Funny in 7min 15sec AND frost pist!
    Come to think of it - it's great to see fp without some sort of script bollocks - welcome back to /.
  • by rtobyr ( 846578 ) <toby@richa r d s . net> on Monday June 11, 2007 @08:57AM (#19464111) Homepage
    One day, everybody will have a digital ID. You know, the kind used to digitally sign e-mail. If you had to digitally sign your request to create an account with a certificate issued from a trusted CA, then using a bot creates the potential of the user having his digital certificate revoked.
  • Re:Alternative? (Score:5, Insightful)

    by moranar ( 632206 ) on Monday June 11, 2007 @08:58AM (#19464115) Homepage Journal
    Doesn't work well: a bot will be right 25% of the time, just by answering at random. And more pictures mean difficult layout, or small picture size. Plus, it becomes an undue hassle on real users.
  • Re:Great idea (Score:5, Insightful)

    by 0123456 ( 636235 ) on Monday June 11, 2007 @09:05AM (#19464189)
    Indeed: these things are getting to be an appalling nuisance. If I see a site that uses them I increasingly just say 'fuck it' and leave; particularly the sites that keep asking for another one every few pages.

    Meanwhile, having an automated system feed them to Chinese people on $0.50 an hour can't be too hard, and they'll have at least as good a chance of getting the correct result as I do.
  • Scraping works too (Score:2, Insightful)

    by zumajim ( 681331 ) on Monday June 11, 2007 @09:07AM (#19464211) Journal
    I read some time ago about a guy who wanted to spam a large ISP (Can't recall the company), so he created a porn site, botted the ISP and scraped the captchas, putting them on his porn site where a good old human was waiting to do the work for him. Seems porn can power anything.
  • by HouseArrest420 ( 1105077 ) on Monday June 11, 2007 @09:08AM (#19464219)
    I hate the pictures that you're describing. Being color blind, I'm about 100 percent sure not to see anything but 2 letters or less, in which case I have to beg for someone to help me out.
  • by tepples ( 727027 ) <tepples.gmail@com> on Monday June 11, 2007 @09:11AM (#19464249) Homepage Journal

    With the likes of BugMeNot.com, which people can use to distribute usernames and passwords for websites, there is little incentive to collectively continuously register.
    And bots operated by web sites that require registration can spider bugmenot and ban all accounts that are listed there.
  • Re:Ask questions (Score:2, Insightful)

    by JDHannan ( 786636 ) on Monday June 11, 2007 @09:12AM (#19464259)
    I don't think many people know that it's a canary with a machine gun. And I'm not sure I want that many people knocked off the internet in one swell foop
  • Re:Alternative? (Score:5, Insightful)

    by twistedsymphony ( 956982 ) on Monday June 11, 2007 @09:16AM (#19464305) Homepage
    What ever happened to email validation?

    You give script your email address, it sends you an email and you follow a validation link within the email. Implementing this on my website where I had a captcha before got rid of 100% of the spam.

    There are also other little dirty tricks you can do to ensure it's a human on the other end, one of my favorites is to check the referrer URL when accepting a comment... if it's not being referred from my entry forum then it just happily throws the request away. Even if it's not spam it's probably something malicious anyway.

    Another thing I used to use that worked really well in conjunction with registration is "approving" any account in which the first post doesn't contain any links or any words on a "spam list". If the first post of the newly registered account contains any links or spam words at all, it's held for moderation and must be approved manually. A vast majority of the legit people leaving comments for the first time won't be including any links or talking about viagra on a tech site, no links or spam words means they've been validated as "not spam" and if they've included links it only takes a human a few seconds to qualify if the account should be canceled as spam or approved as a non-spam account. This one obviously takes some man power so it only really works on smaller sites. It might be easy for a spam bot to counteract this but the way it validates is not apparent, not to mention this is already after an email has been validated.
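
One way to build the validation link from the comment above, as an added example that is not part of the original post or the poster's site. It assumes an HMAC-signed, expiring token so the server keeps no table of pending registrations; the key, the one-day lifetime, the address and the URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: a random server-side secret
TTL_SECONDS = 24 * 3600           # assumption: links expire after one day


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def make_token(email: str, now: Optional[float] = None) -> str:
    """Build '<address>.<expiry>.<mac>' for the link sent to `email`."""
    issued = time.time() if now is None else now
    payload = f"{_b64(email.lower().encode())}.{int(issued) + TTL_SECONDS}"
    return f"{payload}.{_sign(payload)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the validated address, or None if forged, malformed or expired."""
    try:
        addr, expires, mac = token.split(".")
        expiry = int(expires)
    except ValueError:
        return None
    # Constant-time comparison; the MAC covers both address and expiry, so
    # neither can be swapped without invalidating the token.
    expected = _sign(f"{addr}.{expires}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if (time.time() if now is None else now) > expiry:
        return None
    return base64.urlsafe_b64decode(addr + "=" * (-len(addr) % 4)).decode()


if __name__ == "__main__":
    token = make_token("alice@example.org")  # constructed address
    print("https://forum.example/validate?token=" + token)  # hypothetical URL
    print(verify_token(token))
```
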
  • Re:Alternative? (Score:3, Insightful)

    by JesseMcDonald ( 536341 ) on Monday June 11, 2007 @09:19AM (#19464335) Homepage

    Nonsense. There are plenty of things humans are good at that computers are rubbish at. How about displaying four photographs with the question "which image contains a bottle?"

    Your search space wouldn't be large enough -- you can only have a limited number of photographs, since they have to be manually generated, and once the correct answers have been identified the captcha-breaking algorithm would reduce to "which image is closest to something in this set", a fairly trivial image-matching problem. This is exactly the issue the GP was referring to: the captchas must be randomly computer-generated to create a suitably large search space, but they mustn't be computer-solvable.

  • by kbox ( 980541 ) on Monday June 11, 2007 @10:08AM (#19464847) Homepage
    If there are four possible answers even a script will be right 1 in four times... So if they make a registration attempt every second they will still get 900 successful registrations an hour.
  • by NoseyNick ( 19946 ) on Monday June 11, 2007 @10:08AM (#19464857) Homepage
    No wonder the OCR software can't read them... I had to reload about 4 times before I could identify both words, and even then, I can't help wondering why they added the extra strike-through to make it even harder.
  • Re:Alternative? (Score:3, Insightful)

    by Goaway ( 82658 ) on Monday June 11, 2007 @10:57AM (#19465511) Homepage
    The way I look at it, if someone can't trust me with their email address then I can't trust them not to spam me.

    Get over yourself.

    If you're building a community forum where your visitors are likely to be repeat customers then IMO a more formal registration is appropriate.

    How many people do you really think come to your website thinking, "Today I am going to join a community!"? Joining a community is not something people carefully plan out doing, it's something that happens if they try it out for a while and like it.
  • Re:Alternative? (Score:3, Insightful)

    by Goaway ( 82658 ) on Monday June 11, 2007 @11:01AM (#19465577) Homepage
    As the previous poster pointed out, your maths is wrong, and it's 16 possibilities. This means the spam bot just has to try 16 times instead of 1. It can easily do that if it wants to.

    Meanwhile, you have shut out all users who do not speak English well and can't figure out your instructions.
  • by Dragonslicer ( 991472 ) on Monday June 11, 2007 @01:11PM (#19467313)

    Kinda like you'd like to keep the caveman with the club away from the nuclear bomb.
    Be careful. They're already pissed off at Geico. They'll be coming for Slashdot next.
  • Re:Alternative? (Score:3, Insightful)

    by merreborn ( 853723 ) on Monday June 11, 2007 @02:16PM (#19468005) Journal

    What ever happened to email validation?

    You give script your email address, it sends you an email and you follow a validation link within the email. Implementing this on my website where I had a captcha before got rid of 100% of the spam.


    In many circumstances, email validation will cause users who would have otherwise filled out your captcha, to leave your site without contributing.

    For example, I'll gladly solve a captcha to comment on a blog, but 90% of the time, if email validation is required, I'm just going to close the window and move on to someone else's site.

    Filling in a captcha is a nuisance, but email validation is an even larger nuisance that also requires that I give you personal data.
  • by Anonymous Coward on Monday June 11, 2007 @02:44PM (#19468331)
    Good idea, bad math.

    And 3^-3 is (drum roll).... 1/27
  • It seems to me, the best system would be:
    Implement a standard CAPTCHA system, with fairly easy to read characters.

    Then, for the challenge section, randomly select a prompt from the following (as an image, not plain text):
    "Enter only the last letter of the captcha"
    "Enter all the numbers included in the captcha"
    "Enter all the letters included in the captcha"
    "Enter the characters from the captcha in reverse order"
    "Enter all the vowels from the captcha"
    "Enter all the consonants from the captcha"
    "Enter the letter of the alphabet that follows the second letter shown in the captcha"
    "Enter all the blue characters"

    It seems to me that this would make the already-used captchas much harder to crack, as the bots would have to be able to recognize the captcha, locate the prompt graphic (which could be randomly inserted, along with "dummy" images), understand what the prompt is saying, and then apply its instructions to the captcha. Most humans should be able to do this (except maybe the consonant one, for people who never learned what a consonant is), but most computerized means that could do this would be more lucrative sold as commercial software than used to enter captchas on websites.

  • by mu22le ( 766735 ) on Monday June 11, 2007 @08:45PM (#19472781) Journal
    Your captcha can be defeated by a simple parser + google. Just see if "food+pink" has more hits than "food+hamburger".

    Also you would need a small army of people to write the question in the first place (actually you could try to generate category/item couples from a statistical analysis of wikipedia).

    Now that I think of it... it's just too easy to beat your captcha randomly (1/4 chances is not that bad for a script).

    On a funny note... captcha similar in spirit to the one you propose is http://www.hotcaptcha.com/ based on hotornot. At least it's worth a laugh :)
