Re: CAPTCHA image validation in web form

It should also be noted that any CAPTCHA strategy that relies on a
library of images is extremely hackable by "sneakernet." There are
banks of workers in India who crack the CAPTCHA images and save the
results matching the CAPTCHA filename (and probably a hash of the image)
with the answer. This has been used successfully against Yahoo and
others.

The best CAPTCHA strategy requires the images to be one-use only.

--Robert

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx]
On Behalf Of Ralph Daugherty
Sent: Monday, September 01, 2008 8:29 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] CAPTCHA image validation in web form


I don't want to belabor the point, I'll wait to hear pros/cons from
others as well, but I need to correct something I said and then add
something else.

I said that resunmitting multiple times would eventually let the bot

through. I forgot that we should be responding to a wrong answer with a
different image and set of answers, so essentially starts over each
time.

I don't know that a bot would ever retrieve the URL in question, and

if they did, that it would have any idea how to respond, but I do know
that bots don't work through browsers, so "hidden" fields aren't hidden,

and they can and will change any value in a cookie as programmed to
crack a site with well known software.

A lot of things we will get by on with custom sites through security

by obscurity instead of being well known software.

On the other hand, maybe one of us will end up writing well known
software? :) Let's hope so.

rd



Guillermo Andrades, CPI Software wrote:

as you note each image need an caption in each language, then

depending the

user language the captions to show is simply depending on the array

index

(i.e. 1=english 2=spanish 3=french and so on).
of course making multilanguage apps are complex, so into this

complexity is

a natural function, everithing depending of the language.

also using the transaction-id assigned to the client (cookie or hidden
field) there are easy to admit only one or even none selection error.
putting the idea in pause for pro/cons.

Thanks,
Guillermo.



On Tue, Sep 2, 2008 at 1:27 AM, Ralph Daugherty <rdjfc@xxxxxxxxxxxxx>

wrote:

not too simple at all, Guillermo. That would do nicely. I think
there was a language requirement not being English, though? Maybe

not. I

get confused easily.

Anyway, even if there were, some buttons for different languages
which would redisplay with captions in selected language. But then
following pages would have to be in that language as well.

Of course the foil here is that a resubmit wuth a different
selection each time will get through, but no bot is going to be
programmed for that for a custom page.

Simple but effective.

rd


Guillermo Andrades, CPI Software wrote:
> maybe simple, or maybe useful idea:

the program shows an html with an image,
but the image is not an captcha, the image is an small photo: a boat

in

the

sea.

below the image, the question: please select the image:
and an select/combobox or check/radio with several possibilities:
_ ICE _ BOAT _ GIRL _ THE MOON _ FLOWERS _ GUITAR _ THE SUN

you get the idea, the user click in BOAT and voila,
only human can select the adecuate? ocr is unable at least.

maybe an low number of images are enough,
this can be made using RPG, no js code required.

too simple?

Regards,
Guillermo.