Captivated by CAPTCHAs

by Mattias on December 22nd, 2008 in MyLavasoft blog.

CAPTCHAs - you love to hate them. Those pesky little images with quirky letters that you usually have to try two or three times before you actually can prove that you are a human and not a script trying to act as one. Apart from the embarrassment of having your human status questioned, it is also a time drain for no apparent reason to you as a user.

It should be obvious why automated scripts are a problem to us web developers though. We love when humans use and like our services. We loathe when bots and scripts use up the resources we allotted for humans (unless there is a human user benefiting on the other side of the chain, like with a mash-up). Yes, guilty as charged - we discriminate against machines.

What are the alternatives to the dreaded letter/number captcha then? Well, Microsoft have designed a cute captcha task where you have to tell cats from dogs. But even though it helps to take away some of the embarrassment and actually introduces some fun (animals on the internet are always funny), it still serves as a time drain.

And it is still subject to being busted open by the most flexible and foolproof way to crack a captcha:

Use humans!

The Internet has plenty of Mechanical Turk communities (like Amazon's) where you can pay really small bucks to get menial HITs (Human Intelligence Tasks) carried out. Another approach is to simply use a web site with high traffic (most likely adult in nature) or a piece of malware (like last year's "Melissa") to which you can feed the captcha you want to crack and get a response within seconds. The lesson? You can always count on people's sex drive or greed to break any boundary.

What to use instead of captchas then? I personally believe that the best we have right now is a mix of techniques (preferably ones that don't discomfort or put the burden on the user), such as behavior-based heuristics (checking for common bot behavior) or IP-based timeouts (although done wrong, they might cause a lot of trouble for the users). And if you can ask for something other than human status, like which social sphere the user belongs to, then you are much better off. But if anyone has any bright ideas how to disrupt the mechanical turkers, I'm all ears!


Yxxxx
Beta tester
Joined: 2007-06-06

I understand the need for things like captcha but I hate them as I have a great deal of difficulty with a lot of the common ones, especially if they scrunch the letters up weirdly.

I wonder if it's partly down to dyslexia, no idea.

As to something better, no idea, sorry.


aigarslv
Joined: 2008-12-16

One method of bot blocking is checking how many web pages a user accesses per second, and how many forms he posts. Another is trickier - for example a "hidden" link to a form that says: IP blocker - Enter Text and press Submit to have your IP blocked from this site. I bet a bot will fall for this one. Though this is not a 100 percent method.

And another approach is to show fewer or totally remove CAPTCHAs after time passes for an account (if you use accounts).


Windows 7 Ultimate 32 bit

1TB Samsung SATA2 HDD

ATI Radeon
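
The request-rate check and hidden "IP blocker" trap suggested in the comment above, combined with the expiring IP-based timeout mentioned in the post, as an added example that is not part of the original page or its comments. The `/ip-blocker` path, the thresholds and the sample addresses are constructed assumptions.

```python
import time
from collections import defaultdict, deque


class BotHeuristics:
    """Per-IP sliding-window request limit plus a hidden-link trap."""

    def __init__(self, max_requests=5, window=1.0, block_seconds=600.0,
                 trap_path="/ip-blocker"):
        self.max_requests = max_requests    # requests allowed per window
        self.window = window                # window length in seconds
        self.block_seconds = block_seconds  # blocks expire: IPs are shared
        self.trap_path = trap_path          # hypothetical hidden-link target
        self._hits = defaultdict(deque)     # ip -> recent request times
        self._blocked_until = {}            # ip -> time the block ends

    def check(self, ip, path, now=None):
        """Classify one request as 'allow', 'blocked', 'trap' or 'rate'."""
        now = time.monotonic() if now is None else now
        if self._blocked_until.get(ip, 0.0) > now:
            return "blocked"
        self._blocked_until.pop(ip, None)   # timeout over, forget the block
        if path == self.trap_path:          # no human is shown this link
            self._blocked_until[ip] = now + self.block_seconds
            return "trap"
        hits = self._hits[ip]
        hits.append(now)
        while hits[0] <= now - self.window:  # drop hits outside the window
            hits.popleft()
        if len(hits) > self.max_requests:
            self._blocked_until[ip] = now + self.block_seconds
            hits.clear()
            return "rate"
        return "allow"


def replay(events, **settings):
    """Run (time, ip, path) events through a fresh BotHeuristics."""
    heuristics = BotHeuristics(**settings)
    return [heuristics.check(ip, path, now=t) for t, ip, path in events]


# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    (0.0, "198.51.100.7", "/"), (0.1, "198.51.100.7", "/a"),
    (0.2, "198.51.100.7", "/b"), (0.3, "198.51.100.7", "/c"),
    (2.0, "203.0.113.9", "/"), (2.5, "203.0.113.9", "/ip-blocker"),
    (3.0, "203.0.113.9", "/"), (5.0, "192.0.2.1", "/"),
    (70.0, "198.51.100.7", "/"),
]
```

The trap link should be excluded in `robots.txt` and hidden from screen readers as well as from sighted users, so that legitimate crawlers and assistive technology never reach it. The expiring block is what keeps a shared or reassigned address from being locked out indefinitely.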

Dianthus
Joined: 2008-12-16

I have problems with captchas. Most of the time I can't see what they're supposed to be and I discovered by accident that sometimes, if there are two, I can often get around the whole thing by getting just one of them correct.

I'm a volunteer Moderator on a forums site which is currently getting a LOT of flamers, spambots and general trolling. We don't have captchas, but we DO have a system where new posts are "suspended" till I or one of the other Mods get around to either approving or deleting them. I can see, however, that this may be a problem on a very high-traffic site with maybe just one or two people running it.


Minds, like parachutes, work better when open.

Question Mark
Lavasoft staff Web department Blogger
Joined: 2008-12-02

I personally do not like CAPTCHAs. They are frustratingly difficult to use. Most of the time I am having to cycle through a number of images to be able to recognise the digits used. As Mattias stated, it is only a matter of time before a horny 14 year old looking to make some money will devise a way around them, and for myself I hope it's soon. To combat the problem of spammers and bots attacking forums and sites is tricky. Proof of who the person is, is one way, but then you delve into the realms of privacy and I don't want to go there. Mattias stated that it's a time sink to have to fill out extra tasks to prove you're a human and not a bot. I do not see this as a bad thing. Let's face it, you are wanting to get a view across, for instance, so I don't see the issue of spending one or two more minutes to do so.


"I am wiggling my leg! Witness my leg!"