I didn't really know where else to post this (i.e. AGS as opposed to other forums...I don't get around much :P), and since I know there are at least a few web developers out there, maybe someone can help me with this idea:
I had the idea for a CAPTCHA that has you tick checkboxes in a random, specified order. They would be arranged in a square grid, perhaps 3x3 or 4x4, like my mockup below:
(http://img128.imageshack.us/img128/6483/captchaprototype01cc6.jpg)
The checkboxes would, of course, be blank, and the user would have to match the pattern shown on the left in order to be able to leave comments, etc. The correct "answer" is what is illustrated above.
I was trying to come up with something that would be accessible to most people, as well as hard for computer programs to crack. But as for the latter point...is it really safe? Is it too cumbersome? Complicated? Is there a possibility it might not be understood by many at first?
What do you guys think?
BTW, a CAPTCHA is one of those deals where you type in some distorted word to prove that you're human...but now it seems many of those methods might be crackable by computer programs.
Also: As a web developer, this would be very simple for me to program and make it work. What I'm wondering is how the end user would fare.
Quote from: TerranRich on Wed 15/08/2007 22:15:00
BTW, a CAPTCHA is one of those deals where you type in some distorted word to prove that you're human...but now it seems many of those methods might be crackable by computer programs.
most captcha is so crappingly unrecognisable that it's more likely you are a human if you get it wrong.
Seems a nice workable idea. Perhaps a greater variety of colours for the highlights (randomly chosen) would be better though, to make it less machine readable.
A captcha method like that would be easy for a machine to work... basically if enough people use that method, then there's a demand for spammers to make an automated system to do those.
I tend to prefer recognition methods of captcha... for example, show an easily-identifiable picture of something, and then have the person type in what it is.
Quote from: Gregjazz on Thu 16/08/2007 00:50:45
I tend to prefer recognition methods of captcha... for example, show an easily-identifiable picture of something, and then have the person type in what it is.
And then a German user comes across this site, sees the cat and types in "Katze". I guess it's too complicated to implement all the common words for this picture in all the relevant languages. Futhermore, the random factor of that idea would be pretty much lower as when random digits and letters have to be typed in.
It's a clever idea, but I agree with Gregjazz that it'd be too easy to automate if the demand was great enough.
I'd recommend giving a listen to this podcast (http://www.twit.tv/sn101), which talks about various types of captcha's and why it's so difficult to come up with effective ones. I found it pretty interesting. Also, they talk about a variation called reCAPTCHA (http://recaptcha.net/), which "utilizes CAPTCHA to improve the process of digitizing books. It takes scanned words that optical character recognition software reports as undetectable and presents them for humans to decipher as CAPTCHA words." Maybe you can save yourself a lot of work!
I like your idea, but each box only have two variables. On or off. Checked or unchecked. With 12 boxes that gives you 4096 possible outcomes.
Take a regular alpha-numerical CAPTCHA with, say, eight characters... each character has 36 variables to choose from (26 letters, 10 digits), which gives you a whopping 2821109907456 possible outcomes.
I don't know if that really means yours would be any easier to crack, but when you see that number the alpha-numeric one certainly sounds a lot safer... hehe
Quote from: Stupot on Thu 16/08/2007 05:42:26
Take a regular alpha-numerical CAPTCHA with, say, eight characters... each character has 36 variables to choose from (26 letters, 10 digits), which gives you a whopping 2821109907456 possible outcomes.
I think it is not a good idea to use all 36 characters though, as 0 and O, 1 and I, etc. are very easily mixed up, I'll say only using either the 10 numerals or the 26 alphabets is more than enough.
Quote
I don't know if that really means yours would be any easier to crack, but when you see that number the alpha-numeric one certainly sounds a lot safer... hehe
And a lot more annoying... :=
I think it depends on how "important" the stuff to be accessed is, since I
supposed what Terran was mentioning was not high security national secrets like nuclear missile launch codes, I'll say using the checkbox method (or the more complicated varying colour method as AGA suggested) is probably enough already.
It is rather amusing in funny kind of way that some of the most importent work in AI is being done by people trying to rip off others instead of scientest
Also amusing that all of these convoluted captchas are currently being defeated by a powerful implementation of distributed computing: lying to dumb people.
You know all those dumb people who don't filter spam, and read and believe most of the stuff that comes into their inbox? You know how they believe those emails that say "go to this webpage and enter in your personal details to get free money," well now those webpages come complete with captchas which are actually filtered in from a bot, so that they're actually filling out captchas for a machine while they dummy over their personal details. And just imagine "Oops, you must've made a mistake on the last one, now try this one. Seriously, your money's coming soon."
Those captchas are actually being used by a bot to, for example, sign up for new Yahoo mail accounts to use to look more friendly while sending out millions of more such emails.
Millions of people fall for those stupid things every day making internet scamming a successful industry, now they're just synergizing!
Phishing, ya gotta love it. I mean how stupid can you get, espcessially if you don't even GO to that bank. I would love to have heard the scammers brainstorming that one. 'na peole can't be THAT stupid, can they?" Millions frauded later, yes they can.
Quote from: AGA on Wed 15/08/2007 23:11:11
Seems a nice workable idea. Perhaps a greater variety of colours for the highlights (randomly chosen) would be better though, to make it less machine readable.
Yeah, a 4x4 grid with 8 possible random colors for each square, and then a randomly selected color to match on a blank grid. Random guessing would still be possible, but with 1,677,216 possible combinations of colors and making it difficult for a bot to read, seems pretty effective.
But but but it's discrimination against colour blinded people! ;)
Serious though, would 8 possible colours each box be too much? Though the user needs only to recognise one colour from that, maybe it's still hard to differentiate similarly coloured boxes. Maybe four different colours is enough?
would the patterns change each time?! clickin in all those little clicky-boxes would take forever, man!
My idea is to have a little 'OK' button that when you click it, your computer scans to see if you're a hacker. If you're not, then you shall pass. If you are a hacker, then a cute little text graphic appears saying, "F**k you, I'm banging your wife right now! Just go home or to another locality into which your wife and myself are not present!" And then put in a redneck drinking some beer or something that's animated and spams the McAttacker into DoS oblivion!!!
I see you have an OK button - you're already half-way there!
EDIT: Another thing you could do is spam the identity check with random colors. The offending computer won't know what to process, should it be a bot, and a hacker, with their sharp senses, would be overwealmed by the random, alternating colors and will collapse to the floor, instantly contracting rabies! Glorious rabies!
I think it'd take about 10 minutes to write a script to bypass this in its current form. A grid of colours is far easier for a computer to recognise than letters... more colours will only make it harder for the user, while being no more difficult for the computer - why would people think a computer is going to have trouble with more colours? It can accurately distinguish between millions, can you? :P. The only way this captcha could work is if nobody is trying to hack it. Which will be the case on most small sites, but if nobody is trying to hack it you may as well just make people type in 3 unobscured a-z characters, that's probably easier for most people.
Any slight complication of your forms will deter most automated form spamming bots. However, if you want a particularly robust captcha for a high traffic site it unfortunately has to be a slightly irritating one, at the moment.
Also, picture recognition captchas sound nice in theory, the main problems with them are noun guessing (is it a pistol, a handgun, a gun...? Like in IF - and this is made far worse for non native language users) and limited picture stock. If you only have 10,000 pictures it won't take long for a spammer to note them all. Even if he only has 1/5 of the images in a database, that's enough to send a bot to work.
Quote from: nihilyst on Thu 16/08/2007 01:44:18
Quote from: Gregjazz on Thu 16/08/2007 00:50:45
I tend to prefer recognition methods of captcha... for example, show an easily-identifiable picture of something, and then have the person type in what it is.
And then a German user comes across this site, sees the cat and types in "Katze". I guess it's too complicated to implement all the common words for this picture in all the relevant languages. Futhermore, the random factor of that idea would be pretty much lower as when random digits and letters have to be typed in.
Have three pictures with the caption above: "please click on the cat to procede".
Quote from: Hudders on Thu 16/08/2007 11:21:30
Have three pictures with the caption above: "please click on the cat to procede".
Don't think this could work really. I bet a bot in 0,00000000001 sec can try all three pics. Problem solved!
EDIT:
The only thing I know that works is to ask for a non "generic" e-mail in order to register. Northern Sound Source uses this system, so any e-mail with yahoo, hotmail, gmail, aol, homecall, bulldog, whatever generic is non acceptable and you can't log in. A personal site is traceable really, so only people with personal pages are in.
Not if none of the pictures depicts a cat.
And... how would the use enter then? I don't really understand
That was just an attempt for a joke, I suppose. (Though I think the second post should come with a smiley.)
Oh, yes. Sorry.
Here's a belated smiley: ;)
It's done by clicking on the word "cat". Duh. ::)
And it would work because Hackers don't play adventure games and wouldn't know what to do. I like your idea :D.
Hmm, yeah, maybe my CAPTCHA idea isn't the best. Thing is, I always prefer to do things myself rather than use 3rd party software to do it. But if I need to for the site I'm working on, then I guess I might have to.
I was also thinking of that supposed university study, where words were scrambled except for the first and last letters, yet were still perfectly readable by most people. On second thought, that might not be the best method for a CAPTCHA.
There is also the method of asking a common sense/very easy question (such as "What is 1+1?" or "What color is the sky?") but there are only so many questions you could come up with. It would be pretty hard for a computer algorithm to crack...but the questions couldn't be too hard, or culture-specific, lest it venture too close to a trivia game.
I've taken a quick look at reCAPTCHA before, and I'm impressed. By running a simple curvy line though words, most OCR programs can't read it at all. I might see if I can implement that.
Have you considered NONOGRAMS? If not, let Wikipedia tell you everything about it.
Of course a full, classic NONOGRAM would be nonsense, since even a small one would take a good 10 to 20 minutes to solve, but a 3x3 or even 5x5 grid should be possible.
This is just entering into the spirit of the idea, though. Personally I would always prefer being asked a simple question.
Gabe: I forgot my password.
Tycho: But of course you left yourself a question with an answer that would remind you of your password.
Gabe: Oh, yes. It's "What is delicious?"
Tycho: Ah. Well, that's a valid path of inquiry. What *is* delicious? A sensational experience? Or is is even deeper? Maybe *what* is delicious!
A word, could that have a taste itself? Or...
Gabe: Oh, I remembered. Candy. Candy is delicious.
Quote from: Ghost on Thu 16/08/2007 19:13:19
Gabe: Oh, I remembered. Candy. Candy is delicious.
No, THIS IS DELICIOUS!!
CAKE TOWN!!!
FROSTING!!!
BRUSH YOUR TEEEEEEETH!!!
http://www.youtube.com/watch?v=gNqiSkd1M6k
Quote from: Ghost on Thu 16/08/2007 19:13:19
Have you considered NONOGRAMS? If not, let Wikipedia tell you everything about it.
Of course a full, classic NONOGRAM would be nonsense, since even a small one would take a good 10 to 20 minutes to solve, but a 3x3 or even 5x5 grid should be possible.
That might be fun, but entirely straightforward to solve with a suitable algorithm*. Like just about anything based on pure logic. Shape recognition is a bit harder to do, which is why CAPTCHAs are as they are.
* Several can be found with google.
Quote from: Gilbot V7000a on Thu 16/08/2007 08:25:24But but but it's discrimination against colour blinded people!
Write down the number you see below to continue:
(http://www.efg2.com/Lab/Library/Color/colorblind3.jpg)
Quote from: TerranRich on Thu 16/08/2007 16:12:46There is also the method of asking a common sense/very easy question (such as "What is 1+1?" or "What color is the sky?") but there are only so many questions you could come up with.
That's the problem with non-automated questions like this: somebody has to come up with all the questions. And if the total possible number of questions is relatively small, then it won't be very difficult to make a program that just keeps a list of every possible question and responds with the correct answer. The spammer wouldn't even need to make this list; he could redirect the captcha to a phoney page and have unwitting people that browse there solve it for him and populate his program with the answers.
QuoteI've taken a quick look at reCAPTCHA before, and I'm impressed. By running a simple curvy line though words, most OCR programs can't read it at all. I might see if I can implement that.
It's even better than that: these are words that OCR programs have already been unable to identify, so that already makes them resilient against spam bots. Also, I think they have ways of preventing spammers from redirecting the recaptcha to their own page. Plus, you'll be contributing to the online digitization of books! 8) Anyway, I think all you need to do is add a few lines of code to your web page.
How would a spammer redirect my CAPTCHA to his own page? I don't quite understand how that works. But yeah, I think reCAPTCHA is the way to go, so far.
Automatically browse your page, take a screenshot of the captcha in that browsing session, save it on their own server, and keep the browsing session alive for X minutes. When some unwitting person opens a link in one of their spam, take one of the most recently copied screenshots and show that to them and have them type it in. When they do, take the answer they gave and route it to your automatic screenshot program, which still has the session where they got the screenshot from open and still has time to use the answer from the dimwit. Wouldn't take very long to create.
Quote from: EagerMind on Fri 17/08/2007 00:53:46
Quote from: TerranRich on Thu 16/08/2007 16:12:46There is also the method of asking a common sense/very easy question (such as "What is 1+1?" or "What color is the sky?") but there are only so many questions you could come up with.
That's the problem with non-automated questions like this: somebody has to come up with all the questions. And if the total possible number of questions is relatively small, then it won't be very difficult to make a program that just keeps a list of every possible question and responds with the correct answer. The spammer wouldn't even need to make this list; he could redirect the captcha to a phoney page and have unwitting people that browse there solve it for him and populate his program with the answers.
The more specific you make the CAPTCHA, the less likely it will be foiled. Nobody is going to spend time cracking your CAPTCHA when it is a non-commerical device only used on the one site. If a generic bot is able to get through it then fair enough but as soon as they're having to develop specific bots for your specific CAPTCHA, they may as well just forget the bots and do whatever it is they're trying to do themselves; it would probably save them a lot of effort.
Of course, that's all speculation and completely falls down if someone has a vendetta against you personally.
You can put a cat in a box and then the user needs to state wherther if it's dead or not...
One of Lycos's services had a great CAPTCHA. It displayed 4 or 5 strings of numbers, and only one was larger than the rest. It told you to enter the largest numbers. I thought it was pretty brilliant, and it would definitely fool most bots.
I don't think there's any CAPTCHA that will fight spammers that have other unwitting people do the dirty work for them. Honestly, I don't think it would be worth the time for spammers to do it that way, anyway. The time spent having other people do it for them would be better spent just typing it in your damn self.
I think I'm going to take inspiration from Lycos on this one.
I remember when somebody posted a rapidshare download link in a forum (could have been this one) back when they used CAPTCHAs like this:
(http://img250.imageshack.us/img250/9238/rapidsharexs5.png)
The correct word is "K68G", of course, but there were people who tried to put all the letters in the text field ;D
I still laugh hard at this one whenever it pops into my head. :D
Imagine one of those sitting in front of a grid of colors and having to check boxes...
The spammer would have to have a lot of people working in real time (especially if you put a low timeout on the captcha, say, 2 minutes), but some do that... there are plenty of people who will spend time gold farming in MMOs, posting as friends on forums and social networks, or identifying photos on Mechanical Turk for a pittance, especially in developing countries. Filling in CAPTCHAS is no worse.
Of course only a few sites are worth targetting in this manner.
Quote from: Stupot on Thu 16/08/2007 05:42:26
I don't know if that really means yours would be any easier to crack,
Yes, it really means that, by several orders of magnitude.
Everyone has probably seen this already, but what if captchas were like this (http://crap.teurasporsaat.org/?i=5489).
Then we would be robots because a robot would probably solve that faster then a human.
I just had to fill in a captcha just to send an email on Yahoo! mail.
That's taking it a bit too far, surely... luckily I don't send an awful lot of emails... if I did, though, this could become a nuisance.
Sure I know they're trying to cut down on spam, but I'd rather get a bit of junk mail in my inbox than have to keep doing that just to send an email to a friend.
Spammers don't even use actual email programs/sites anymore anyway, so it's pretty useless. I had a virus on my laptop a few weeks ago, where AVG would constantly give me pop-ups saying that too many emails were being sent from my computer. Just using simple PHP code you can send an email and pretend it's from wherever you want.
Sure they do... using bot managed accounts on real large email sites is still one of the most popular methods, it helps them get past filters. Obviously nobody can blacklist hotmail or yahoo mail servers, because most mail coming from them isn't spam, so it's not as immediately suspicious. Sending millions of spams out from your web server is just going to get it blocked. Getting your botnet to spam through yahoo accounts is much more sustainable. People rent out their botnets to spammers for that purpose.
Sorry, I figured the way I witnessed was the easiest, and therefore only way. Damned, dirty spammers!