
Captcha verification issue

Started by Srinib, June 03, 2012, 04:05:14 PM


Srinib

I am not sure whether it is a bug in 2.0.2, or the functionality is built like that.

When a new user is registering, in the Verification section, if they click on Request another image link, the same matter is displayed, but in a different way (different image, but same alphabets).

For example if the image shows the letters DTPPCW, after clicking Request another image, it still shows DTPPCW. Just the image changes.

Is it a bug or is it supposed to work that way?

Arantor

It is actually supposed to work that way, daft as it sounds - it's for when the letters are so obscured by noise that you cannot see what they're supposed to be.

Honestly, though, you're better dropping the CAPTCHA and using an anti-spam question. Or at least getting a different CAPTCHA (there are several to choose from)

Srinib

I really want to know one thing. Do these CAPTCHA stuff save us from spammers? I mean any of them, not just the one provided by default by SMF.

One thing bothering me is, the more complex we make the registration process to get rid of these spammers, there are chances that the genuine user may get bored and tired of doing that, and he may leave (until unless the service we provide him is one of a kind).

Arantor

They do - right up until the point that they're broken. reCAPTCHA has been broken, all the rest for SMF, it's only really a matter of time until they can be automated. Most of the new wave 'playing games' type CAPTCHAs are actually surprisingly weak.

That's why we suggest Q&A - it takes no more effort to solve for a human (and gets the benefit that you're targeting it at the users who you actually want on the forum), doesn't discriminate against disabled users as much, and just for fun a single well written question pretty much nails bots dead because they can't solve it automatically.

Antechinus

What he said. I've stopped using captcha completely on the site I run, and just rely on a custom question.

Arantor

A totally custom CAPTCHA can be a useful measure too - but it's only a stopgap measure, really. Once it's big enough to be a target, it will be targeted.

MrPhil

Quote from: Arantor on June 03, 2012, 04:10:44 PM
It is actually supposed to work that way, daft as it sounds - it's for when the letters are so obscured by noise that you cannot see what they're supposed to be.
Hmm. I wonder if there are any statistics on whether bots routinely ask for several different images of the same letters, in order to improve their chances of breaking the CAPTCHA through statistical analysis of the images? Either a different set of letters should be offered, or a minimum 60 seconds between asking for a different image of the same letters. How about numbers and punctuation, too (keeping in mind that various fonts make it hard to tell a zero from an Oh, etc.)? It would be easy enough to test these approaches on busy forums with lots of spammers attempting to sign up. Measurements could be made for how quickly new images (of the same letters) are requested, too. You have to be careful, too, that any audio "readings" of the letters don't arrive as "a.wav, e.wav, t.wav" etc. discrete files, which would be a dead giveaway.

I'd call sending out a different image with the same letters as probably a serious design flaw, if not an outright bug!

Quote
Honestly, though, you're better dropping the CAPTCHA and using an anti-spam question. Or at least getting a different CAPTCHA (there are several to choose from)
Using both a CAPTCHA and questions would maximize knocking out spambots. However, these days many signups are by humans on spam farms, against whom CAPTCHAs are almost useless.

Arantor

Actually there is very little evidence to suggest they do actually use such things.

The audio reading does not arrive in that form, it is aggregated into a single .wav file, noise added, then sent to the user. However it would be trivial to compare the resultant noise to the standard .wav files sent since it is not *that* randomised.

Tell you one thing, though: after it was widely announced that reCAPTCHA was broken because the audio part was easier to solve, I wrote a patch to disable audio CAPTCHA (and log requests for it). In well over a year, no bots ever requested the audio CAPTCHA. At the same time I also had it log requests for changing the image, and very few of those too. In fact, as far as I can tell, it's actually humans that use it more than bots do.

The different image with the same letters is distinctly intended to be that way, I actually had that argument a long time ago. If you request a new image you can certainly update the session but the problem is that it generally confuses the user more than it helps.

(For those wondering, there is a specific reason I spent a month or so developing my own CAPTCHA from scratch. So far it has had almost 100% success with keeping bots out on wedge.org. But that's only a matter of time. And there, I didn't 'fix' this design flaw but I added a twist of my own: there's no guarantee that the *style* of CAPTCHA will be different. My own CAPTCHA, which was available for some time as a mod, did it so that there were about 10 different styles of CAPTCHA, not just variations on a theme, and bots would likely see a different style on the next request, making it harder for them to analyse the style used in order to break it)
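The two refresh policies argued over in this thread (new letters on every request, or the same letters with a minimum of 60 seconds between images), combined with the request logging described in the post above, as an added Python example. It is not part of the thread and not SMF's code; the class name, character set and log format are assumptions.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"  # assumed charset; I and O left out as look-alikes
MIN_REFRESH_SECONDS = 60               # the minimum interval proposed in the thread


class CaptchaSession:
    """Per-visitor CAPTCHA state kept server-side (hypothetical, not SMF's implementation)."""

    def __init__(self, rotate_on_refresh, clock=time.monotonic):
        self.rotate_on_refresh = rotate_on_refresh
        self.clock = clock
        self.code = self._new_code()
        self.last_issued = clock()
        self.refresh_log = []  # (timestamp, outcome) rows, kept for later measurement

    @staticmethod
    def _new_code(length=6):
        # secrets, not random: the letters must not be predictable
        return "".join(secrets.choice(ALPHABET) for _ in range(length))

    def refresh(self):
        """Handle 'Request another image'; return the code to render, or None if throttled."""
        now = self.clock()
        if self.rotate_on_refresh:
            self.code = self._new_code()      # policy A: new letters on every request
            outcome = "rotated"
        elif now - self.last_issued < MIN_REFRESH_SECONDS:
            self.refresh_log.append((now, "throttled"))
            return None                       # policy B: same letters, but not this soon
        else:
            outcome = "same-letters"          # policy B: re-render the unchanged code
        self.last_issued = now
        self.refresh_log.append((now, outcome))
        return self.code

    def verify(self, answer):
        """Case-insensitive, constant-time comparison against the current code."""
        return hmac.compare_digest(answer.strip().upper().encode(), self.code.encode())
```

Counting `refresh_log` rows per session gives the kind of measurement discussed here: how often, and how quickly, a visitor asks for another image.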

MrPhil

Quote from: Arantor on June 03, 2012, 08:04:42 PM
The different image with the same letters is distinctly intended to be that way, I actually had that argument a long time ago. If you request a new image you can certainly update the session but the problem is that it generally confuses the user more than it helps.

Well, I stand by my contention that offering the same letters multiple times is going to severely weaken CAPTCHA, simply because the multiple images could be used to statistically analyze the picture and more easily break the code. My gut feeling on user confusion is that users are going to ask for new image until they see one they can read, in its entirety, and aren't going to build up a list of letters one image at a time.

Radically changing the style (font, noise types, etc.) between images is certainly better than keeping the same style.

Arantor

That's the thing, studying the data does not agree with that contention. Bots only need to build up a profile of the letters once. Once that's done for a given forum system, they won't keep requesting new images - they know how to understand the letters. The data I've collected - not much, but better than nothing - seems to suggest that in fact they don't keep requesting images, and that humans are actually more likely to do so than bots are.

Humans are just going to keep going for an image they can read, and it seems that if they're presented with line after line of letters they can't read (as opposed to variations on a theme) they'll give up instead of posting.

Oh, radically changing the style is a massive improvement, as it happens. But when you have a CAPTCHA that even features animation, it definitely screws the bots up (and yes, it's slow enough not to trigger seizures in epilepsy sufferers)

emanuele

I can speak only for my personal experience with CAPTCHA, but this is what I do:
Quote from: Arantor on June 04, 2012, 08:27:00 PM
Humans are just going to keep going for an image they can read



ziycon

I'm a supporter of the human readable questions but if you're really stuck on the captcha then have a look at Google's re-captcha as you're helping out deciphering books while you're at it ;)

Arantor

I really cannot advocate reCAPTCHA, partly because I'm not sure you're actually deciphering books so much (as other things like Street View pictures have turned up) and partly because it's actually so easy to beat.

You're shown two things, one of which it knows and one of which it doesn't. For the one it doesn't, you can literally put anything. (It's also possible to figure out algorithmically which is which without too much trouble)

Then for the other word, the one it does know, it actually allows for one-letter-off, so of the word, any one letter can be wrong and it'll still accept it.

This does not strike me as particularly secure.

tpgames

The only thing captcha and similar devices do is make it extremely difficult for the handicapped to access the forum. Those who are blind, have cognitive disorders, hearing issues, or visual processing problems, including Colour processing issues are often effectively banned from the site. Red and green blindness issues can't read the captcha.

I have auditory processing issues, but find the letters are so obscured that it is impossible to tell the difference between a o and a. v and u look identical. And, any programmer worth their weight in gold, can write a program to read those obscure letters. So, they are 100% useless against the best attackers. Banks already have the software to read customers' illegible writing on checks in order to process what the amount was, and type a code on the bottom. I used to do this by hand. Now, a computer does this for me. So, no, these things do not really work very well.

But, with that said, they DO keep out the casual spammer who can't be bothered with being human at all. A persistent spammer, will log in and set up an account and spam away, leaving behind his calling card.

Alternative: The questions are the only thing that makes sense. Make the question too hard, and you still ban those with certain cognitive disorders, but the vast majority can get in. I do not recommend 12 + 18 - 6 type questions or whatever it was. I had to get out a calculator because I was tired and couldn't do it in my head. It was just annoying.

In short, know your audience and who you want to access your board. If you are a gaming site, then you are to expect gamers who are ace gamers, but might have cognitive issues otherwise, possibly. If you are a geek site that deals with physics and calculus, then that question matters less because most people aren't going to have the brains for your site anyways.

signed...one who does have a cognitive disorder, colour processing issues (mild), auditory processing issues but STILL managed to graduate from college and set up several websites, including one using HTML 5 and CSS 3, and 3 forums. I am a bit of an overachiever. :laugh:

Antechinus

Quote from: Arantor on June 04, 2012, 08:27:00 PM
Humans are just going to keep going for an image they can read, and it seems that if they're presented with line after line of letters they can't read (as opposed to variations on a theme) they'll give up instead of posting.
Have done both myself. Sometimes I just cbf'd dealing with idiotically hard captchas, and just write a site off.
