
Building a Better CAPTCHA

Posted by Soulskill
from the we-have-the-technology dept.
jcatcw writes "Steven J. Vaughan-Nichols reports that CAPTCHA cracking isn't that difficult these days. It has even become a business. For example, DeCaptcher.com will solve CAPTCHAs for your spamming needs at a rate of $2 per 1,000 successfully cracked CAPTCHAs. In response, newer systems are in development. Both Carnegie Mellon and Penn State (is there something about the water in PA?) are working on image-based systems. ESP-PIX and SQ-PIX both require the viewer to interpret pictures. Imagination CAPTCHA from Penn has the user find the center of an image. The idea is that humans are better at image recognition than computers, but humans can legitimately disagree on their interpretations and some humans are color blind. Problems remain. For now, sites would be well advised to look at reCAPTCHA — the system that works with Google Books and the Internet Archive to digitize printed texts — which comes with a wide variety of application and programming plug-ins and an open API."
This discussion has been archived. No new comments can be posted.

  • Indecipherable (Score:5, Insightful)

    by Bordgious (1378477) on Friday January 23, 2009 @08:06PM (#26583363)
    I know _I_ often have trouble seeing those... Maybe some sort of an animated .gif would be better?
    • by multisync (218450) on Friday January 23, 2009 @08:10PM (#26583419) Journal

      I know _I_ often have trouble seeing those... Maybe some sort of an animated .gif would be better?

      Me too. Wanna go halfers on 1000 CAPTCHAs?

    • by The Jonas (623192)
      There have been some comments [slashdot.org] on Animated Captchas [animierte-captcha.de] here in the past.

      Some people believe they would be rather easy to decipher [ckers.org].
    • by AftanGustur (7715)
      Not really ..

      From the decaptcher.com website:

      "DeCaptcher CAPTCHA solving is processed by humans. So the accuracy is way more better than an automated captcha solver ones."

      So, whatever a human can read, decaptcher.com will also.

  • I speak for everyone. Captchas SUCK.

    Get rid of them.

    • by Goaway (82658)

      Well, you go get rid of the spammers, and we will.

      • I'm not sure how, yet, but I want people to start thinking about it this way.

        Just like DRM.

        See, with DRM, start with the assumption that all DRM can and will be cracked, and that all software and media can and will be pirated. Your challenge, then, is to make the legitimate product provide at least the quality and value of the pirated copy (something most DRM'd solutions fail miserably at), and ideally make it desirable enough that your price starts to seem reasonable, even when the alternative is "free".

        So

        • by Harik (4023)

          Given that spammers are using botnets NOW, what exactly are you going to accomplish by requiring everyone to burn CPU cycles just to post a comment? There's 5-10 million zombies out there, on some pretty fast machines spread out over millions of unique IPs at any given time.

          Please, don't suggest something stupid AND already obsolete, we might get saddled with it.

          • Re: (Score:3, Interesting)

            Please, don't suggest something stupid AND already obsolete, we might get saddled with it.

            Fortunately, it has two advantages:

            First, for those who aren't using botnets, or sufficiently large botnets, it's a significant impediment.

            Second, more cycles increases the chance that people will notice their computers slowing down and figure out it's a botnet.

            Finally, it really doesn't matter whether we get saddled with it or not -- since it's just using Javascript, it's no more cumbersome than Slashdot's current comment system. And if it's completely ineffective, it could be turned off with no ill effects

        • If you want to eliminate spam on your board, you have to discourage people from following spam links. Now, it would be nice if you could simply say "you follow the spam link posted on our board and you'll be banned from the board", but you can't enforce it. How do you want to know whether someone followed a spam link?

          What I do, for now, is that I follow up to pretty much every spam message and tell people that at the end a trojan with a drive-by infection waits for them. Funny enough, often it ain't even a

          • Now, it would be nice if you could simply say "you follow the spam link posted on our board and you'll be banned from the board", but you can't enforce it. How do you want to know whether someone followed a spam link?

            That's trivial, actually.

            You could provide a redirect. Thus, the link is not to http://spam.me/ [spam.me], it's to http://my.board/spam.me [my.board]. (Roughly -- you could store the whole URL in there, too.)

            Or, you could leave the link alone, but use Javascript to intercept it, and submit a statistic to you before following it.

            Or, you could make the link not a link at all, but a span styled as a link, with javascript that does whatever you want.

            Of these, I'd prefer a combination of the first and the second -- transparent to mi

      • by fredklein (532096)

        I've said it before- Email Certification.

        Want to run a Certified Email server? Go to your ISP (or other such companies that may arise to offer the service). They check you out (Are you who you say you are? Do you have valid contact information? Etc...), then have you produce a Public/Private key pair. You give them the 'Public' key, and keep the 'Private' one to configure your email server with. Your email server must add an additional header with your Certifier's Certification Server (usually their email s

  • Dying Technology (Score:5, Insightful)

    by EdIII (1114411) * on Friday January 23, 2009 @08:10PM (#26583407)

    The idea is that humans are better at image recognition than computers

    C.A.P.T.C.H.A - Completely Automated Public Turing test to tell Computers and Humans Apart.

    This is a dying technology.

    1) Computers and synthetic systems in general are ONLY going to get better at doing anything a human can do. I mean anything.

    2) Humans are a substitute for our lack of a synthetic system to solve a CAPTCHA.

    A CAPTCHA has two answers to its owner. This is a Human and this is a Computer. Humans can be hired to solve CAPTCHA at economically viable rates to meet the demand with a supply. Computers are catching up at being able to solve various CAPTCHAs creating an "arms race" between developers and those that need to crack CAPTCHA automatically with high throughput.

    The window for this technology to be effective in its use is shrinking rapidly and it will only be a matter of time before it is nearly impossible to tell without physical inspection what is a synthetic human response and an actual one.

    • Re:Dying Technology (Score:5, Informative)

      by Goaway (82658) on Friday January 23, 2009 @08:15PM (#26583473) Homepage

      Humans can be hired to solve CAPTCHA at economically viable rates to meet the demand with a supply.

      Not in general. For high-value targets, yes. For spamming blog comments, no.

      • by Eudial (590661)

        Humans can be hired to solve CAPTCHA at economically viable rates to meet the demand with a supply.

        Not in general. For high-value targets, yes. For spamming blog comments, no.

        Except that cracking one blog system CAPTCHA cracks all blogs with that system's CAPTCHA. Which makes anything but custom software (that Joe Sixpack wouldn't know the first thing about building) a high-value target.

        • by Dhalka226 (559740) on Friday January 23, 2009 @09:43PM (#26584335)

          Using a human being to solve a CAPTCHA is not "cracking" the CAPTCHA, nor does it make the next blog or even the next CAPTCHA any less secure. If the CAPTCHAs are actually successful enough that the only solution is to hire third-worlders to do them for you, a large part of the battle is already won.

          Will it stop all spam? No. Will all spam ever be stopped? Nope, so let's take what we can get while we can get it.

      • Is $1.00 per 24 hours of captcha decoding too expensive for you? This is what it costs my friend. Spamming blog comments is as simple as popping a captcha image to some third world country and have them do it for $1.00/day.
    • by jd (1658)

      Well, computers are still pretty crappy at heuristics, whereas the human brain is much better. Non-computable problems cannot be solved by a computer at all.

      Let us take a theoretical CAPTCHA. This CAPTCHA uses optical illusions to create images in the brain that do not appear on the screen. These illusions are not, however, contained within a single image but an animation that is rapidly flipped through, exploiting persistence of vision to include the elements of the images you actually want and to exclude e

      • by retchdog (1319261)

        Your description is vague (perhaps intentionally so), but I'm skeptical nonetheless.

        The persistence-of-vision hurdle is easily jumped, by tuning a decay function to interpolate across the animated gif so that it looks like the appropriate single frame. Note, this only has to be done once.

        This leaves the optical illusions. Again, there are really only so many of these, and they can be pattern-recognized and classified as whatever they represent. You can stick them together in any combination but this just ad

      • by EdIII (1114411) *

        Well, computers are still pretty crappy at heuristics, whereas the human brain is much better. Non-computable problems cannot be solved by a computer at all.

        I agree that computers right now are not as good as we would like at heuristics and humans are far better. I don't know about Non-computable problems though. Computer is a vague term. I think any synthetic system can be developed to perform what a human being can do. That's way down the line though.

        Computers will equal humans on such a system the day

    • Re: (Score:3, Insightful)

      by AaronLawrence (600990) *

      And:
      3) As you make it harder to solve for computers, you also make it harder to solve for humans.

      Since current CAPTCHAs are getting quite difficult for humans to solve, the process has already reached its limit. Facebook's captchas are difficult enough for me that I have to ask for a new one 5-10 times to get one I'm fairly sure of.

      This one involving optical illusions is absurd, there will be large numbers of people who can never get it right.

      • by EdIII (1114411) *

        And:
        3) As you make it harder to solve for computers, you also make it harder to solve for humans.

        Since current CAPTCHAs are getting quite difficult for humans to solve, the process has already reached its limit. Facebook's captchas are difficult enough for me that I have to ask for a new one 5-10 times to get one I'm fairly sure of.

        This one involving optical illusions is absurd, there will be large numbers of people who can never get it right.

        A very good point. That is because it is a bad, or poorly design

        • Re: (Score:3, Informative)

          by AaronLawrence (600990) *

          Well actually, systems like the one on facebook do have a kind of "I don't know" which is the "give me another". At least it makes it possible to solve, if extremely annoying ...

          • Re: (Score:3, Insightful)

            by EdIII (1114411) *

            Well actually, systems like the one on facebook do have a kind of "I don't know" which is the "give me another". At least it makes it possible to solve, if extremely annoying ...

            That's not what I meant. A Turing test is designed to test subjects and from their answers determine if it is a human or a computer. You are talking about the answer that a subject may give to the test itself. I was talking about the result that the Turing test may give to the researchers or the system. They are two different th

    • Re: (Score:3, Funny)

      obligatory xkcd solution to captchas
      http://xkcd.com/233/ [xkcd.com]

    • Re: (Score:3, Funny)

      Computers and synthetic systems in general are ONLY going to get better at doing anything a human can do. I mean anything.

      Robot sex slaves, here we come!!!

  • by corsec67 (627446) on Friday January 23, 2009 @08:11PM (#26583433) Homepage Journal

    Even if they had a perfect system that could tell a person from a computer, how can they prevent a CAPTCHA for porn system?

    (You make a website offering porn for entering the solution to a CAPTCHA from a 2nd site, and then use that solution on that 2nd site)

  • by sakdoctor (1087155) on Friday January 23, 2009 @08:12PM (#26583445) Homepage

    Instead of one little captcha at the end of a web form, the whole site will be a captcha.
    All the form labels will be jumbled images, and there will be 9 form submit buttons, 8 with dogs and 1 with a cat.
    All textual content can be a mangled image to stop scrapers as a bonus.

    Oh and please don't actually build this.

  • Worded questions? (Score:2, Insightful)

    by DavidR1991 (1047748)

    I thought the ideal captcha would be worded questions presented in the same image-like format as current captchas, e.g. "Two and Two makes?" or "The opposite of day is..?" Whilst the image recognition is now feasible, making a general system to solve this problem would be somewhat more difficult than just improved single-word captchas.

    Annoyingly, however, the system to create such captchas cannot really be automated (in terms of creating the questions). So I suppose as long as the captchas are computer cr

    • I thought the ideal captcha would be worded questions presented in the same image-like format as current captchas, e.g. "Two and Two makes?" or "The opposite of day is..?"

      That actually looks relatively easy to solve.

      No, you couldn't necessarily make a general, out-of-the-box solution. However, if each one is unique, built by a human, then it's simply a dictionary. If it's not a finite number, then you're going to have patterns, and it could just refresh until it gets "[numberword] and [numberword] makes?", then do the calculation.

    • Language. Not everyone has English as their native tongue. Americans for one.

    • I thought the ideal captcha [...]

      Just use a bunch of Raven's Progressive Matrices :)

  • by KPexEA (1030982) on Friday January 23, 2009 @08:24PM (#26583595)
    Any CAPTCHA system can easily be cracked by building a large database with the inputs and outputs that were actually solved by humans and then saved into the database for lookup later. The inputs don't need to be text, they can contain images (or hash codes representing images), or css or whatever is needed to define the input data. The only feasible way to stop this kind of caching of answers is to have no duplicate tests. For example, a large field of randomly colored circles that all vary in size and position and move slowly around, then tell the user to hover the mouse over the largest blue circle and then next have them move the mouse over the green triangle, etc. Then base their "pass or fail" on how well they could move the mouse fast enough. And change the test often, like, put the mouse over the shape that looks like a bunny etc.
    • by localman (111171)

      It's worse than that: any captcha system can be cracked by humans. You can either pay lots of low wage workers or offer some reward (porn) for cracking captchas. I came up with a whole bunch of captcha-tech ideas that would require hard AI... and then realized it's a dead end tech anyway. There are plenty of people in the world willing to crack captchas for next to nothing. There's no way to tell a real user from a person who is just trying to abuse the system.

      Something like recaptcha will stop lazy att

      • So the solution to spam is to equalize the world's economies, bringing everyone into the middle class? Sounds good to me.

    • by Dhalka226 (559740)

      Then base their "pass or fail" on how well they could move the mouse fast enough.

      So if I open things in tabs and come back when I'm finished reading whatever I was reading, I'm guaranteed to fail the first CAPTCHA? Seems like a pretty good way to annoy visitors into leaving.

    • Any CAPTCHA system can easily be cracked by building a large database with the inputs and outputs that were actually solved by humans and then saved into the database for lookup later....The only feasible way to stop this kind of caching of answers is to have no duplicate tests.

      And that's true of most CAPTCHAs today.

      For example, a large field of randomly colored circles that all vary in size and position and move slowly around, then tell the user to hover the mouse over the largest blue circle and then next have them move the mouse over the green triangle, etc.

      We're already at a limit of annoyance for users. And, if you've been following robotics at all, following a differently-colored circle around is not difficult.

      And either way, you still have the problem of humans solving it -- the common "porn" example being one solution, I would point to Amazon's Mechanical Turk as another.

    • Sounds like a good idea for most healthy twenty year old web surfers but the elderly and people with touchpads are not going to be able to perform as well.

  • So how about a system of paying captcha-creators $2/1000 captchas created? ;)

    On a serious note, though, it seems that general knowledge is a better way to do it than simple word recognition...

    Or, on the more imaginative side, what about classical music recognition. I don't know how good computers are at analyzing not just "Beethoven's 5th" but analyzing it amidst numerous recordings which all would have very significantly different waveforms. Unfortunately, music is neither universal (it'd have to be coun

    • by brusk (135896)

      Actually music recognition seems like a task computers would be much better at than humans (rather, a program designed for just that task would be better at it than a random, off-the-street human).

      • Wouldn't it have to do some pretty fancy waveform analyzing though, or a database of all the waves? There are a ton of different recordings of this or that well-known music piece.

        Maybe recognition isn't based on the waveform.. I'm not sure what else it'd be though.

        • Re: (Score:3, Insightful)

          by brusk (135896)

          Presumably the universe of tunes every internet user could be expected to know is quite small, so it would only be a matter of matching to that set. There's already an iPhone app (Shazam, I think it's called) that can identify ambient music and send you to the iTunes purchase link. That's presumably a much harder problem (a vastly bigger universe and probably poorer sound quality), and it's already been solved.

        • Wouldn't it have to do some pretty fancy waveform analyzing though, or a database of all the waves?

          I can't remember the name of it now, but I have seen software which can analyze a recording and split out individual instruments and notes. They had an example of taking a live recording, splitting it out, and changing the pitch of one note played by one instrument to correct it. Doesn't sound techno-ish, because it's a real recording, just slightly altered...

          Anyway, such waveform analysis exists.

          There are a ton of different recordings of this or that well-known music piece.

          And I'm guessing you can get a score of all of it somewhere.

          And you're getting really, really bad as far as legi

  • by fathom108 (706747) on Friday January 23, 2009 @08:33PM (#26583695)
    Will this detect Cylons?
  • by Anonymous Coward on Friday January 23, 2009 @08:34PM (#26583707)

    No one could ever predict that it would be spammers and porn merchants who would solve the hardest problems in AI.

  • We could use national celebrities or historic figures instead of text CAPTCHAs. Say you wanted to make a new gmail account and your IP looks like it comes from the US, Google could make you identify either Coolio, Benjamin Franklin, or Evel Knievel before you proceed.
    • by gapagos (1264716)

      Say you wanted to make a new gmail account and your IP looks like it comes from the US, Google could make you identify either Coolio, Benjamin Franklin, or Evel Knievel before you proceed

      I'm not from the U.S, but Canada, which is close enough.
      Of those 3 names that you listed, I only ever heard of Benjamin Franklin (some electricity discoverer), and I don't know what he looks like.

      Such a system would be -extremely- ethnocentric and terribly annoying for me.

    • I know about Ben Franklin. I've heard of Evel Knievel, but I don't know what he looks like.

      Even if all that was settled, what are the chances you're going to find enough pictures of each that people would recognize, and computers wouldn't?

  • Enough with the annoying captchas; stop comment spam by just analyzing the content.

    Free and works well:
    http://defensio.com/

    • On a related note, at my forum, I just have a system that doesn't let you post links or images in your first n posts (currently 5). Haven't had a single piece of spam since I put that in. Sure, plenty of fake accounts, but I filter out those with less than 5 posts from the member listing. Comment spammers don't tend to reuse accounts. :)
  • I really hate (Score:4, Interesting)

    by BetterSense (1398915) on Friday January 23, 2009 @08:46PM (#26583823)
    I really hate image-based CAPTCHAS, because they discriminate against lynx users. I seriously remember at least one occasion where I was using lynx for whatever obscure reason, and I came upon "enter the text shown in the box at the left". Fail. I like the math problem ones better.
    • Try using links2. It'll give you graphical w/o requiring X.
    • That happens to me quite often. I always just view them in aview or cacaview (I have elinks set to open images with those viewers) and can always figure it out after a little zooming and panning.
  • Ok, I will happily admit that I know bugger all about cracking CAPTCHAs, but one thing I have noticed is that most sites use their own version of a CAPTCHA, probably to make it harder to crack.
    This must mean that sites are specifically targeted by the crackers, specific routines are probably made to maximise the chances of a successful "crack" against that site. So rather than just making them harder and more obscure (Thus making them harder for humans to read), why not just vary them by a great deal?
    If an

  • by Ungrounded Lightning (62228) on Friday January 23, 2009 @08:54PM (#26583893) Journal

    The idea is that humans are better at image recognition than computers, but humans can legitimately disagree on their interpretations and some humans are color blind.

    COLOR blind? Some humans are BLIND blind. Others have various vision or vision processing impairments that would make meatware-visual-coprocessor-test CAPTCHAs reject them.

    IMHO most CAPTCHAs are already and obviously violating the Americans with Disabilities Act. So now, in the info-war between weapons and armor (which weapons always win anyhow), even more of us less-than-Aryan-Supermen become collateral damage.

    Dogs are (allegedly) color blind and "... on the Internet nobody can tell you're a dog!". Well, maybe PEOPLE can't. But now the web applications can. B-(

    The solution to being attacked by better weapons is not better armor. That's only a stopgap. The solution is to hunt down those who misuse weapons and make them incapable of or unwilling to continue.

    • by Skapare (16644)

      The solution to being attacked by better weapons is not better armor. That's only a stopgap. The solution is to hunt down those who misuse weapons and make them incapable of or unwilling to continue.

      But, Obama said we were not going to use torture, anymore.

      • by g0at (135364)

        That oughtn't rule out painless amputation, lobotomy, or castration.

        -b

    • Some humans are BLIND blind.

      I always thought when someone acted like they couldn't see blind people they were just being insensitive clods. I never knew it was an actual condition!

    • by renoX (11677)

      >>The solution is to hunt down those who misuse weapons and make them incapable of or unwilling to continue.

      Given that those spammers can be in a different country, your alternative solution isn't very feasible: even if you caught all the ones who are in countries with anti-spam laws, this would mean only that they would use a country without anti-spam laws as a proxy.

      And besides, in the meantime, what are you going to do?

  • by Stile 65 (722451) on Friday January 23, 2009 @08:56PM (#26583915) Homepage Journal

    ...even though CraigsList uses reCAPTCHA and the article talks about a utility that helps spammers automatically post on CL.

    Besides, it's fairly easy to set up a Mechanical Turk HIT for users to solve CAPTCHAs for a penny apiece. Assuming you make more than a penny per captcha solved, you're set. If not, make someone successfully solve more than one CAPTCHA per HIT submission.

    • We just started using reCAPTCHA on our submit forms for non-logged in users and on the registration page after finally getting some Korean or Japanese spam. It was extremely easy to integrate, I think it took about 10 minutes from signup until it was in the code and worked. After a couple days on the development machine for testing, it was in production and no more false submissions.

      It may not be perfect, but it was easy to integrate and simple to use.

      • by Stile 65 (722451)

        Don't get me wrong, I *love* reCAPTCHA. They do good work on multiple fronts. I'm more pointing out the inconsistency in the article.

  • Ok so I read the article...
    The article focuses on OCR as the main problem. CAPTCHA can be broken by OCR, so reCAPTCHA uses text that OCR has already had trouble reading. Ok got it.

    So why are they stuck on ASCII characters? Why not use obfuscated animal pictures? "Type one word that best describes the picture above." Answer: Zebra (Moose, Dog, whatever)
    Why do they keep putting the right answer in the CAPTCHA? How about obfuscating "__ cups in a pint?" or "A Bakers Dozen is __".
    I'm no CMU whiz, but
    • How about obfuscating "__ cups in a pint?"

      Who the hell knows that shit??? O_o

      (I'm from not-the-US, so I'm used to the metric system...)

      • Re: (Score:3, Insightful)

        by DamnStupidElf (649844)

        Who the hell knows that shit??? O_o

        Google.

        In other news, it's probably a bad idea to base a captcha on something Google will look up for you.

  • Captchas aside, aren't there other ways of preventing bots from registering multiple accounts? Instead of focusing on humans, how about focusing on the behavior of the bots. Do they change their IP address every time? Do they fill forms faster than humanly possible? Does any human register more than one account on your site? Do they enter random text or put in URLs where they shouldn't?

    I still do not see any attempts to weed out the bots.

    • Do they fill forms faster than humanly possible?

      I type between 100 and 180 words per minute. Not only am I faster than some programmers might think is "humanly possible," but it's trivial to bypass protection like that.

      msleep(200 * number_of_characters_typed); // Now, we are a moderately fast (60 WPM) typist instead of a bot

      -:sigma.SB

    • by MP3Chuck (652277)

      "Do they enter random text or put in URLs where they shouldn't?"

      A (somewhat) common thing to do is have a form field hidden with CSS. Spam bots rarely, if ever, parse CSS ... so you hide a "Website" or "ICQ" form field (who uses ICQ anymore, anyway?) and if it's filled in you ignore the submission entirely.

      Or, you have a form field labeled "Leave this field blank." Spam bots will usually fill in all available fields so, again, if it's got a value you just ignore it.
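
The hidden-field check described in the comment above, together with the "no links or images in your first n posts" rule mentioned earlier in the thread, as an added example; it is not code from any commenter or from a forum package. The decoy field names, the `body` key and the `screen_submission` function are assumptions made for the illustration.

```python
import re
from typing import Mapping, NamedTuple

# Assumed decoy fields: present in the form markup but hidden by the
# stylesheet, so a person never sees them and a form-filling bot does.
# Browser autofill can populate a hidden field with a familiar name, so such
# fields are usually also marked autocomplete="off" in the template.
HONEYPOT_FIELDS = ("website", "icq")

# Accounts with fewer prior posts than this may not post links or images.
LINK_FREE_POSTS = 5

# Bare URLs, HTML anchor/image tags, and BBCode [url]/[img] tags.
LINK_PATTERN = re.compile(
    r"https?://\S+|\bwww\.\S+|<\s*(?:a|img)\b|\[\s*(?:url|img)\b",
    re.IGNORECASE,
)


class Verdict(NamedTuple):
    action: str  # "accept", "drop" (ignore silently) or "reject" (tell the user)
    reason: str


def honeypot_tripped(form: Mapping[str, str]) -> bool:
    """True if any decoy field came back with non-whitespace content."""
    return any((form.get(name) or "").strip() for name in HONEYPOT_FIELDS)


def contains_link(body: str) -> bool:
    """True if the post body carries a URL, an <a>/<img> tag or a BBCode link."""
    return LINK_PATTERN.search(body) is not None


def screen_submission(form: Mapping[str, str], prior_posts: int) -> Verdict:
    """Decide what to do with one posted comment form.

    A filled decoy field is dropped silently, so the submitter gets no signal
    about which field gave it away. A link from a new account is rejected
    with a message, because that sender may be a real person.
    """
    if honeypot_tripped(form):
        return Verdict("drop", "honeypot field filled")
    if prior_posts < LINK_FREE_POSTS and contains_link(form.get("body") or ""):
        return Verdict("reject", "links and images are disabled for new accounts")
    return Verdict("accept", "ok")


# Constructed sample submissions: (form fields, number of prior posts).
SAMPLES = [
    ({"body": "Nice article.", "website": "", "icq": ""}, 0),
    ({"body": "cheap pills http://spam.example/", "website": "http://spam.example/",
      "icq": "12345"}, 0),
    ({"body": "details at www.shop.example", "website": "", "icq": ""}, 2),
    ({"body": "details at www.shop.example", "website": "", "icq": ""}, 5),
]

if __name__ == "__main__":
    for form, posts in SAMPLES:
        print(posts, screen_submission(form, posts))
```
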

    • by Culture20 (968837)

      Captchas aside, aren't there other ways of preventing bots from registering multiple accounts? Instead of focusing on humans, how about focusing on the behavior of the bots. Do they change their IP address every time? Do they fill forms faster than humanly possible? Does any human register more than one account on your site? Do they enter random text or put in URLs where they shouldn't?

      I still do not see any attempts to weed out the bots.

      You don't see the attempts because they're not visible. http://www.modsecurity.org/projects/modsecurity/apache/index.html [modsecurity.org] The bad part is that the bots can be made to eventually fit within defined rules.

  • hate it. hate it hate it hate it.

    I have to set up gmail accounts periodically for users here and it takes me some fighting every time to make the account. The "wheelchair" icon makes it read it to you, and the idea of course is in case you are having problems with the picture you can listen to it. But it's like trying to make out what your friend is saying to you from the other end of a dance floor. I have yet to figure out what they're saying by the recording.

    And if you miss the captcha too many times,

  • How about an audio clip where the user has to identify the nth word of a sentence, or get even more complicated and have the user identify an adverb or something. Not as universal as number or letter sequences, but it could work for web pages that serve a specific language demographic.
    • by g0at (135364)

      get even more complicated and have the user identify an adverb or something

      The vast majority of Internet noobs are barely able to cobble together a correct English sentence. How well do you expect that to work?

      -b

      • The vast majority of Internet noobs are barely able to cobble together a correct English sentence. How well do you expect that to work?

        How well would it work for improving the quality of messages on the Internet? Very well, I'd wager.

  • The summary mentions a service at decaptcher.com where you can pay $2 per 1000 CAPTCHAs solved. If you visit the site, they make it quite clear that the solving is being done by humans. The technology of the CAPTCHA has not been 'cracked' by this site; the concept of a CAPTCHA itself was proven ineffective. There is no 'more difficult for a computer to figure out' technology that can solve this problem... anything that a legitimate user is able to solve will be able to be solved by the people working at

  • I can't find the post where it was discussed but codinghorror.com has one CAPTCHA, or a very small set of them and it seems to work.

    I just read the blog so I have no idea how heavily the site gets hit, or how much cleanup the author does, but with that one never changing CAPTCHA there isn't any comment spam.

    So CAPTCHAs are another example of a classic security trade off, just needs to be enough to get the malicious entities to go somewhere else.

    Should be discussed in one of these articles: http://www.google. [google.com]

  • Find a way to pay third world people $2 to verify that 1000 website visitors are human (to replace the captchas, not defeat them). Then, it becomes a war of money-attrition: whoever is willing to spend the most money wins.
  • Wouldn't IPv6 adoption solve this problem? The whole reason that you have to use CAPTCHAS, I thought, was to guard against machine generated registrations. If you have a high number of registrations per IP address, then you could probably rule that out as a bot. But... you can't do that now because of NATs. In an IPv6, un-NATed world, you could. Even more, you could create a world wide database of suspected BOT computers and simply block them altogether. Perhaps if companies doing business online beg

    • by grumbel (592662)

      IPv6 wouldn't help here. Registration attempts could come from botnets and IPv6, when properly used, gives you *a lot* of IP addresses to choose from, so a spammer could just switch to a new one whenever he wants. The only way to fix this in the long run would be a web-of-trust kind of thing where your authenticity isn't based on a single test, but on reputation you build up in the past.
