CAPTCHA Idea: Checkbox Grid

TerranRich · Wed 15/08/2007 22:15:00

I didn't really know where else to post this (i.e. AGS as opposed to other forums...I don't get around much

), and since I know there are at least a few web developers out there, maybe someone can help me with this idea:

I had the idea for a CAPTCHA that has you tick checkboxes in a random, specified order. They would be arranged in a square grid, perhaps 3x3 or 4x4, like my mockup below:

The checkboxes would, of course, be blank, and the user would have to match the pattern shown on the left in order to be able to leave comments, etc. The correct "answer" is what is illustrated above.

I was trying to come up with something that would be accessible to most people, as well as hard for computer programs to crack. But as for the latter point...is it really safe? Is it too cumbersome? Complicated? Is there a possibility it might not be understood by many at first?

What do you guys think?

BTW, a CAPTCHA is one of those deals where you type in some distorted word to prove that you're human...but now it seems many of those methods might be crackable by computer programs.

Also: As a web developer, this would be very simple for me to program and make it work. What I'm wondering is how the end user would fare.

BOYD1981 · Wed 15/08/2007 22:41:14

Quote from: TerranRich on Wed 15/08/2007 22:15:00
BTW, a CAPTCHA is one of those deals where you type in some distorted word to prove that you're human...but now it seems many of those methods might be crackable by computer programs.

most captcha is so crappingly unrecognisable that it's more likely you are a human if you get it wrong.

AGA · Wed 15/08/2007 23:11:11

Seems a nice workable idea. Perhaps a greater variety of colours for the highlights (randomly chosen) would be better though, to make it less machine readable.

Gregjazz · Thu 16/08/2007 00:50:45

A captcha method like that would be easy for a machine to work... basically if enough people use that method, then there's a demand for spammers to make an automated system to do those.

I tend to prefer recognition methods of captcha... for example, show an easily-identifiable picture of something, and then have the person type in what it is.

nihilyst · Thu 16/08/2007 01:44:18

Quote from: Gregjazz on Thu 16/08/2007 00:50:45
I tend to prefer recognition methods of captcha... for example, show an easily-identifiable picture of something, and then have the person type in what it is.

And then a German user comes across this site, sees the cat and types in "Katze". I guess it's too complicated to implement all the common words for this picture in all the relevant languages. Futhermore, the random factor of that idea would be pretty much lower as when random digits and letters have to be typed in.

EagerMind · Thu 16/08/2007 03:05:40

It's a clever idea, but I agree with Gregjazz that it'd be too easy to automate if the demand was great enough.

I'd recommend giving a listen to this podcast, which talks about various types of captcha's and why it's so difficult to come up with effective ones. I found it pretty interesting. Also, they talk about a variation called reCAPTCHA, which "utilizes CAPTCHA to improve the process of digitizing books. It takes scanned words that optical character recognition software reports as undetectable and presents them for humans to decipher as CAPTCHA words." Maybe you can save yourself a lot of work!

Stupot · Thu 16/08/2007 05:42:26

I like your idea, but each box only have two variables. On or off. Checked or unchecked. With 12 boxes that gives you 4096 possible outcomes.

Take a regular alpha-numerical CAPTCHA with, say, eight characters... each character has 36 variables to choose from (26 letters, 10 digits), which gives you a whopping 2821109907456 possible outcomes.

I don't know if that really means yours would be any easier to crack, but when you see that number the alpha-numeric one certainly sounds a lot safer... hehe

Gilbert · Thu 16/08/2007 06:12:51

Quote from: Stupot on Thu 16/08/2007 05:42:26
Take a regular alpha-numerical CAPTCHA with, say, eight characters... each character has 36 variables to choose from (26 letters, 10 digits), which gives you a whopping 2821109907456 possible outcomes.

I think it is not a good idea to use all 36 characters though, as 0 and O, 1 and I, etc. are very easily mixed up, I'll say only using either the 10 numerals or the 26 alphabets is more than enough.

Quote
I don't know if that really means yours would be any easier to crack, but when you see that number the alpha-numeric one certainly sounds a lot safer... hehe

And a lot more annoying...

I think it depends on how "important" the stuff to be accessed is, since I supposed what Terran was mentioning was not high security national secrets like nuclear missile launch codes, I'll say using the checkbox method (or the more complicated varying colour method as AGA suggested) is probably enough already.

lo_res_man · Thu 16/08/2007 06:24:06

It is rather amusing in funny kind of way that some of the most importent work in AI is being done by people trying to rip off others instead of scientest

Vince Twelve · Thu 16/08/2007 07:07:41

Also amusing that all of these convoluted captchas are currently being defeated by a powerful implementation of distributed computing: lying to dumb people.

You know all those dumb people who don't filter spam, and read and believe most of the stuff that comes into their inbox? You know how they believe those emails that say "go to this webpage and enter in your personal details to get free money," well now those webpages come complete with captchas which are actually filtered in from a bot, so that they're actually filling out captchas for a machine while they dummy over their personal details. And just imagine "Oops, you must've made a mistake on the last one, now try this one. Seriously, your money's coming soon."

Those captchas are actually being used by a bot to, for example, sign up for new Yahoo mail accounts to use to look more friendly while sending out millions of more such emails.

Millions of people fall for those stupid things every day making internet scamming a successful industry, now they're just synergizing!

lo_res_man · Thu 16/08/2007 07:19:06

Phishing, ya gotta love it. I mean how stupid can you get, espcessially if you don't even GO to that bank. I would love to have heard the scammers brainstorming that one. 'na peole can't be THAT stupid, can they?" Millions frauded later, yes they can.

Evil · Thu 16/08/2007 07:39:54

Quote from: AGA on Wed 15/08/2007 23:11:11
Seems a nice workable idea. Perhaps a greater variety of colours for the highlights (randomly chosen) would be better though, to make it less machine readable.

Yeah, a 4x4 grid with 8 possible random colors for each square, and then a randomly selected color to match on a blank grid. Random guessing would still be possible, but with 1,677,216 possible combinations of colors and making it difficult for a bot to read, seems pretty effective.

Gilbert · Thu 16/08/2007 08:25:24

But but but it's discrimination against colour blinded people!

Serious though, would 8 possible colours each box be too much? Though the user needs only to recognise one colour from that, maybe it's still hard to differentiate similarly coloured boxes. Maybe four different colours is enough?

nick.keane · Thu 16/08/2007 08:43:50

would the patterns change each time?! clickin in all those little clicky-boxes would take forever, man!

My idea is to have a little 'OK' button that when you click it, your computer scans to see if you're a hacker. If you're not, then you shall pass. If you are a hacker, then a cute little text graphic appears saying, "F**k you, I'm banging your wife right now! Just go home or to another locality into which your wife and myself are not present!" And then put in a redneck drinking some beer or something that's animated and spams the McAttacker into DoS oblivion!!!

I see you have an OK button - you're already half-way there!

EDIT: Another thing you could do is spam the identity check with random colors. The offending computer won't know what to process, should it be a bot, and a hacker, with their sharp senses, would be overwealmed by the random, alternating colors and will collapse to the floor, instantly contracting rabies! Glorious rabies!

scotch · Thu 16/08/2007 09:36:47

I think it'd take about 10 minutes to write a script to bypass this in its current form. A grid of colours is far easier for a computer to recognise than letters... more colours will only make it harder for the user, while being no more difficult for the computer - why would people think a computer is going to have trouble with more colours? It can accurately distinguish between millions, can you?

. The only way this captcha could work is if nobody is trying to hack it. Which will be the case on most small sites, but if nobody is trying to hack it you may as well just make people type in 3 unobscured a-z characters, that's probably easier for most people.

Any slight complication of your forms will deter most automated form spamming bots. However, if you want a particularly robust captcha for a high traffic site it unfortunately has to be a slightly irritating one, at the moment.

Also, picture recognition captchas sound nice in theory, the main problems with them are noun guessing (is it a pistol, a handgun, a gun...? Like in IF - and this is made far worse for non native language users) and limited picture stock. If you only have 10,000 pictures it won't take long for a spammer to note them all. Even if he only has 1/5 of the images in a database, that's enough to send a bot to work.

Hudders · Thu 16/08/2007 11:21:30

Quote from: nihilyst on Thu 16/08/2007 01:44:18
Quote from: Gregjazz on Thu 16/08/2007 00:50:45
I tend to prefer recognition methods of captcha... for example, show an easily-identifiable picture of something, and then have the person type in what it is.

And then a German user comes across this site, sees the cat and types in "Katze". I guess it's too complicated to implement all the common words for this picture in all the relevant languages. Futhermore, the random factor of that idea would be pretty much lower as when random digits and letters have to be typed in.

Have three pictures with the caption above: "please click on the cat to procede".

Nikolas · Thu 16/08/2007 11:29:53

Quote from: Hudders on Thu 16/08/2007 11:21:30
Have three pictures with the caption above: "please click on the cat to procede".

Don't think this could work really. I bet a bot in 0,00000000001 sec can try all three pics. Problem solved!

EDIT:

The only thing I know that works is to ask for a non "generic" e-mail in order to register. Northern Sound Source uses this system, so any e-mail with yahoo, hotmail, gmail, aol, homecall, bulldog, whatever generic is non acceptable and you can't log in. A personal site is traceable really, so only people with personal pages are in.

Hudders · Thu 16/08/2007 11:41:08

Not if none of the pictures depicts a cat.

Nikolas · Thu 16/08/2007 11:42:10

And... how would the use enter then? I don't really understand

Gilbert · Thu 16/08/2007 11:56:49

That was just an attempt for a joke, I suppose. (Though I think the second post should come with a smiley.)