"CAPTCHA" - making a version that is easier - captcha

I am setting up a web site and going to use "captcha" to prevent robots.
I get rather annoyed with some of the systems where you have to try and try again as the words are unreadable.
Therefore I am just going to use these letters/numbers
acdefhkmnpqrstwxyz 234578
This is in the hope that it will avoid some confusion (e.g. 1 and l).
Are there any other things that I should consider?

easier for humans, easier for robots...
think about visually impaired people, they hate captcha even more
why reinvent the wheel?

To add on to Tomasz's answer
reCaptcha is for a worthwhile cause, use it.
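Added example (not from either answer above, and not any library's code): the part of a home-grown captcha that the asker's alphabet question does not cover is what the server does with the challenge. The poster's 24-symbol set gives 24^6 (about 27.5 bits) for a six-character challenge, which is plenty against OCR-free guessing only if every challenge expires and is answerable exactly once; otherwise a bot can iterate guesses against a single image. The store below enforces that, and normalises the answer so case and stray spaces never fail a human. The alphabet constant is the asker's; note it still contains both 5 and s and both 2 and z, which distorted renderings often confuse. The ttl and length defaults are assumptions.

```python
import math
import secrets
import time

# The poster's alphabet, letters and digits run together as the input sees them.
ALPHABET = "acdefhkmnpqrstwxyz234578"


def normalise(text):
    """Case- and whitespace-insensitive comparison, so 'A' and 'a' both pass."""
    return "".join(text.split()).lower()


def guessing_bits(alphabet=ALPHABET, length=6):
    """Entropy of one challenge: the cost of blind guessing, not of OCR."""
    return length * math.log2(len(alphabet))


class CaptchaStore:
    """Server-side challenge store: every challenge expires and is answerable once."""

    def __init__(self, ttl_seconds=300, length=6):  # defaults are assumptions
        self.ttl = ttl_seconds
        self.length = length
        self._pending = {}  # challenge id -> (answer, issued_at)

    def issue(self, now=None):
        """Create a challenge; render `answer` as the image, put `cid` in a hidden field."""
        now = time.time() if now is None else now
        self._purge(now)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (answer, now)
        return cid, answer

    def verify(self, cid, submitted, now=None):
        """True only for a fresh, unused challenge. Any attempt, right or wrong, consumes it."""
        now = time.time() if now is None else now
        entry = self._pending.pop(cid, None)  # pop: no second guess at the same image
        if entry is None:
            return False
        answer, issued_at = entry
        if now - issued_at > self.ttl:
            return False
        return normalise(submitted) == answer

    def _purge(self, now):
        """Drop expired challenges so abandoned forms don't grow the store forever."""
        expired = [c for c, (_, t) in self._pending.items() if now - t > self.ttl]
        for c in expired:
            del self._pending[c]


if __name__ == "__main__":
    store = CaptchaStore()
    cid, answer = store.issue()
    print("challenge", cid, "answer", answer, "bits", round(guessing_bits(), 1))
    print("first try:", store.verify(cid, answer.upper()))
    print("replay:", store.verify(cid, answer))
```

Because a wrong answer also consumes the challenge, a bot that wants to guess has to fetch a new image every time, which is exactly the cost you want it to pay; combine with per-IP rate limiting on the issue endpoint and the reduced alphabet stops being a weakness.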

Most efficient Anti-Crack methods

Since cracking is a huge problem I want to go deep into blocking those pirates (I don't even want to mention Cydia Themes, I have recorded a cracking percentage of over 98% on my themes which are all under 1$!!). There are several methods on how to detect cracked apps, but I want to know, which one is the safest and best, and the most difficult to come around for crackers? Here are some of the methods I have looked at: http://www.iphonedevsdk.com/forum/iphone-sdk-tutorials/36330-iphone-piracy-protection-code-2-another-tutorial.html#post154496
Not sure if this is what you want to hear, but IME, it is useless to try to protect against cracking. Using a more sophisticated anti-cracking method only gives the crackers a nicer challenge and they will try to crack it with more enthusiasm. And one of them will succeed.
Crack protection is a lost cause. Certainly don’t hope for a single “safest and best” anti-crack measure. The protection tricks used on iOS are IMHO mostly heuristics and can be bypassed even without the cracker having to patch the executable. If you insist on doing something against it, mix a few good tricks and hope the cracker is not going to have enough motivation.

Captchas + Different Possibilities

I wanted to run some captcha possibilities past people to see if they are easily bypassed by bots etc.
What if colours were used - eg: there is a string of 10 characters and you ask people to type the red characters, of which there are 5? Easy to bypass?
I've noticed a captcha on plentyoffish that involves typing in the characters under the circles. This seems a touch more complex - would this be more challenging for bots?
The other idea I was thinking of was putting the requirement in an image as well, meaning, like in no. 1 above, you can put "type the red characters" in an image and this could change with different colors. Any value here?
Interested in what people think.
cheers
Colours are easy to bypass. A bot just takes the red channel and gets the answer. It is even easier than choosing between many possible solutions. The same applies to any noise that has another colour than the letters the user needs to find.
Symbols that don't touch the letters are very easy to ignore. Why would a bot even look at those circles that probably always stay at the same position? (valid but wasn't asked here)
Identifying circles or other symbols is easier than identifying letters, if one can do the latter, a simple symbol is no challenge.
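Added example, not part of the answer above: a constructed toy bitmap showing why "type the red characters" is a one-line problem for a bot. The glyph to be typed is drawn in red and the decoy strokes in green and blue; keeping only the pixels where one channel dominates gives the bot a clean glyph mask, while a grayscale view (what a colour-blind user, or a naive OCR pass, gets) shows all strokes alike. The image, colours and thresholds are made up for the illustration; a real captcha would be a PNG, but the separation step is the same.

```python
# Constructed 5x9 "image": the letter T in red, decoy strokes in green and blue.
# Each cell is an (R, G, B) tuple standing in for a real pixel.
R, G, B, W = (220, 30, 30), (30, 200, 30), (30, 30, 220), (255, 255, 255)
IMAGE = [
    [W, R, R, R, R, R, W, B, W],
    [G, W, W, R, W, W, W, B, W],
    [W, W, W, R, W, G, W, W, B],
    [B, W, W, R, W, W, G, W, W],
    [W, G, W, R, W, W, W, B, W],
]
RED, GREEN, BLUE = 0, 1, 2


def channel_mask(image, channel, threshold=128):
    """The bot's view: keep pixels where `channel` dominates the other two ('#')."""
    others = [c for c in range(3) if c != channel]

    def keep(px):
        return px[channel] > threshold and all(px[o] < threshold for o in others)

    return ["".join("#" if keep(px) else "." for px in row) for row in image]


def grayscale_mask(image, dark_below=200):
    """A colour-blind user's view: any stroke darker than the background is '#'."""

    def luma(px):
        r, g, b = px
        return 0.299 * r + 0.587 * g + 0.114 * b  # standard Rec. 601 weights

    return ["".join("#" if luma(px) < dark_below else "." for px in row) for row in image]


if __name__ == "__main__":
    print("bot keeps the red channel:")
    print("\n".join(channel_mask(IMAGE, RED)))
    print("\nwhat the grayscale viewer sees:")
    print("\n".join(grayscale_mask(IMAGE)))
```

The same split works for the variant where the instruction itself is in an image: the bot does not need to read "type the red characters" at all, it just tries each channel in turn and submits the one that OCRs to letters. Noise only costs the bot anything when it shares the foreground colour and overlaps the glyphs.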
I think captchas are used too frequently in places where they aren't the best tool. For instance, are you trying to prevent registration spam? Why use a captcha rather than email validation?
What are your intentions and have you considered alternatives to the (relatively ineffective) captcha technology?
As a side note, if you have to use them, I prefer KittyAuth myself :) http://thepcspy.com/kittenauth/#5
Color blind people will have trouble separating red from green letters. People who have trouble reading and understanding descriptions, or have other disabilities may have trouble reading the captchas too.
In some of these, the texts are so mangled that almost everyone has a hard time reading them.
I think captchas, if used at all, should be quite easy to read. The one with the dots and triangles is doable, although it's a matter of time before someone writes an algorithm to hack them. It is very easy for computers to read this kind too.
The best way to deal with this, is increase moderation. Make your site so that it isn't rewarding to spam it at all. Don't make it the problem of your users.
Also, if you're gonna use captchas, it may be better to build something yourself than to use common libraries. I've found that these are easier hacked, probably because it is more rewarding to write a captcha solver for something that is used by thousands of sites.
No matter which CAPTCHA you construct, spammers will find a way to work around it, given enough incentive. Large CAPTCHA services like reCAPTCHA, for instance, get bypassed by outsourcing solving them to cheap labor in India (source).
If you run a small site, your best bet is to make your own mini-CAPTCHA, which asks a simple question. If it isn't a standard question, isn't a standard CAPTCHA module and isn't a large site, it isn't worth it for the spammers to automate bypassing it.
I've been working on a community site for an organization at my university, and we've had trouble with spammers registering, despite us using every CAPTCHA module in the book. As soon as we made our own simple one-question CAPTCHA, all spam stopped. The key to preventing this sort of spam often lies in uniqueness.

Negative Captchas - help me understand spam bots better

I have to decide a technique to prevent spam bots from registering my site. In this question I am mainly asking about negative captchas.
I came to know about many weaknesses of bots but want to know more. I read somewhere that the majority of bots do not render/support javascript. Why is it so? How do I test that the visiting program can't evaluate javascript?
I started with this question Need suggestions/ideas for easy-to-use but secure captchas
Please answer to that question if you have some good captcha ideas.
Then I got ideas about negative captchas here
http://damienkatz.net/2007/01/negative_captch.html
But Damien has written that though this technique likely won't work on big community sites (for long), it will work just fine for most smaller sites.
So, what are the chances of somebody making site-specific bots? I assume my site will be a very popular one. How safe will this technique be, considering that?
Negative captchas using complex honeypot implementations are described here
http://nedbatchelder.com/text/stopbots.html
Does anybody know how easily can it be implemented? Are there some plugins available?
Thanks,
Sandeepan
I read somewhere that the majority of bots do not render/support javascript. Why is it so?
Simplicity of implementation — you can read web page source and post forms with just a dozen lines of code in high-level languages. I've seen bots that are ridiculously bad, e.g. parsing HTML with regular expressions and getting ../ in URLs wrong. But it works well enough apparently.
However, running a JavaScript engine and implementing a DOM library is a much more complex task. You have to deal with scripts that do while(1);, that depend on timers, external resources, CSS, sniff browsers and do lots of crazy stuff. The amount of work you need to do quickly starts looking like writing a full browser engine.
It's also computationally much, much more expensive, so probably it's not as profitable for spammers — they can have a dumb bot that silently spams 100 pages/second, or a fully-featured one that spams 2 pages/second and hogs the victim's computer like a typical web browser would.
There's a middle ground in implementing just a simple site-specific hack, like filling in a certain form field if a known script pattern is noticed in the page.
So, what are the chances of somebody making site-specific bots? I assume my site will be a very popular one. How safe will this technique be, considering that?
It's a cost/benefit trade-off. If you have high pagerank, lots of visitors or something of monetary value, or useful for spamming, then some spammer might notice you and decide a workaround is worth his time. OTOH if you just have a personal blog or small forum, there are a million others unprotected waiting to be spammed.
How do I test that the visiting program can't evaluate javascript?
Create a hidden field with some fixed value, then write some JS which increments or changes it, and you will see it in the response.

Should I keep bad naming conventions?

I'm currently working on a site which went through god knows how many developers' hands. One of the things I don't like about it is the way every table in the database has the prefix "tbl_" and every field "fld_".
I've started work on a new feature and I'm faced with the following problem: should my new tables continue with the old convention, or not?
I guess I should, but I feel stupid doing it :)
I would keep the same convention.. Regardless of if it's bad or not at least it would be consistent. And consistency will be very important to the next developer who gets ahold of the code.
Being a contractor, I am faced with this problem a lot. Here is my 2 cents:
If it isn't broken, then the client is wasting their money having me change that. Unless I am rewriting the entire app, I usually keep with the old (bad) standards (at least that way, you don't have part of the app with one convention and other parts using something different - this keeps the code readable by other developers).
You have two options.
Change all the bad naming conventions to new ones.
Use the old conventions.
Someone will be looking at this code later and will need to deal with any differences you create. That means you need to be aware that other people are affected by this decision. Do the right thing if you have time, do the ugly thing if you don't have the time... but keep it consistent.
If it is a consistent style throughout the application I would follow the naming convention; it will make it much easier on the next developer.
I tend to look at the scale involved. The consistency of a bad naming convention, to me, is preferable over a multitude of different ones in the same codebase or database.
If there are a handful of tables and you can safely change them, my feeling is to make the change. But anything of scale or an application that you're only doing a bugfix on is likely not worth the time and effort involved.
Go with whichever route costs less, in money and resources. If it's not going to save you money going through and re-tilling the ground, then don't. Just grit your teeth and move forward.
"If it ain't broke, don't fix it"
I think you should prefer consistency and follow the convention already being used.
Think of the poor developer(s) who come along behind you and have to deal with two different naming conventions (the original one and your new one), neither of which the new developers like.
Welcome to the world of maintenance. ;)
Who's to say that the next person who works on the site won't despise the way you did things?
Any naming convention is better than no/inconsistent naming convention.
I say change it iff there's a significant difference between the old code and the new code. For example, if the old way was a terrible dead-end and the new way is completely independent, then go ahead and start a new convention.
It's good to be visually consistent if the new material is structurally and semantically consistent, but if what you're doing is a clean break from what came before, then it's even more important that different things look different.
Like everyone said, stay with the bad convention since you are not writing it from scratch. However, use "good practice" if there is a compelling need for it (aka the end-user will be negatively affected otherwise). For example, if the "bad convention" makes the API users use boxing, change the value of strings and other performance-hit to a great degree; do not add to the problem! The end goal of software and API's is not to make the developers' life easier; but the end-user's. Developers that stay in the business long are highly aware of this and you want to be one of those developers.

Most effective form of CAPTCHA?

Of all the forms of CAPTCHA available, which one is the "least crackable" while remaining fairly human readable?
I believe that CAPTCHA is dying. If someone really wants to break it, it will be broken. I read (somewhere, don't remember where) about a site that gave you free porn in exchange for answering CAPTCHAs so they can be rendered obsolete by bots. So, why bother?
Anyone who really wants to break this padlock can use a pair of bolt cutters, so why bother with the lock?
Anyone who really wants to steal this car can drive up with a tow truck, so why bother locking my car?
Anyone who really wants to open this safe can cut it open with an oxyacetylene torch, so why bother putting things in the safe?
Because using the padlock, locking your car, putting valuables in a safe, and using a CAPTCHA weeds out a large spectrum of relatively unsophisticated or unmotivated attackers. The fact that it doesn't stop sophisticated, highly motivated attackers doesn't mean that it doesn't work at all. Using a CAPTCHA isn't going to stop all spammers, but it's going to tremendously reduce the amount that requires filtering or manual intervention.
Heck look at the lame CAPTCHA that Jeff uses on his blog. Even a wimpy barrier like that still provides a lot of protection.
I agree with Thomas. Captcha is on its way out. But if you must use it, reCAPTCHA is a pretty good provider with a simple API.
I believe that CAPTCHA is dying. If someone really wants to break it, it will be broken. I read (somewhere, don't remember where) about a site that gave you free porn in exchange for answering CAPTCHAs so they can be rendered obsolete by bots. So, why bother?
If you're a small enough site, no one would bother.
If you're still looking for a CAPTCHA, I like tEABAG_3D by the OCR Research Team. It's complicated to break and uses your 3D vision. Plus, it is being developed by people who break CAPTCHAs for fun.
If you're just looking for a captcha to prevent spammers from bombing your blog, the best option is something simple but unique. For example, ask to write the word "Cat" into a box. The advantage of this is that no targeted captcha-breaker was developed for this solution, and your small blog isn't important enough for someone to actually develop one. I've used such a captcha on my blog with some success for a couple of years now.
This information is hard to really know because I believe a CAPTCHA gets broken long before anybody knows about it. There is economic incentive for those that break them to keep it quiet.
I used to work with a guy whose job revolved mostly around breaking CAPTCHA's and I can tell you the one giving them fits currently is reCAPTCHA.
Now, does that mean it will forever, call me skeptical.
I wonder if a CAPTCHA mechanism that uses a collage made of pictures and asks the human to type what he sees in the collage image will be much more crack-proof than the text and number image one. Imagine that the mechanism stitches pictures of a cat, a cup and a car into a collage image and expects the human visitor to tick (checkboxes) cat, cup, and car. How long do you think it will take hackers and crackers to come up with an algorithm to crack the mechanism (i.e. extract image elements from the collage and recognize the object depicted by each picture)...
If you wanted you could try out the Microsoft Research project Asirra: http://research.microsoft.com/asirra/
CAPTCHAs, I believe, should be considered heavily when designing the UX. They're slow, cumbersome, and a very poor user experience. They are useful, don't get me wrong, but perhaps you should look into designing a honeypot.
A honeypot is created by adding a hidden field at the bottom of the form. Because spam bots will fill in all the fields on the page blindly you can do a check:
' Assumes an ASP.NET/VB handler; "honeypotfield" is the name of the hidden input
If Request.Form("honeypotfield") <> "" Then
    Response.Write("No Spam TY")   ' a bot filled the hidden field
Else
    ' Proceed with the form
End If
This works until there is a specifically designed spambot for your site, so they can choose to fill out selected input fields.
For more information: http://haacked.com/archive/2007/09/11/honeypot-captcha.aspx/
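Added example that serves both this honeypot answer and the earlier suggestion (in the negative-captcha question) of a hidden field that JavaScript changes: one server-side validator that combines the two checks with a signed, single-use, time-bounded form token. It is not the code of either answer, nor haacked.com's. The field names, the three-second minimum fill time, the one-hour expiry and the one-line script the page would carry are all assumptions; the two simulate_* helpers stand in for a browser and for the "fill every field" bot the answer describes.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret held server-side; the page has none.
SECRET_KEY = secrets.token_bytes(32)
HONEYPOT_FIELD = "website"   # hidden by CSS; humans never see it, dumb bots fill it
JS_FIELD = "js_check"        # rendered as "0"; the page's script overwrites it
_used_nonces = set()         # replay protection; use a shared store in production


def _sign(nonce, issued_at):
    """HMAC over nonce and issue time, so neither can be altered by the client."""
    return hmac.new(SECRET_KEY, f"{nonce}:{issued_at}".encode(), hashlib.sha256).hexdigest()


def issue_form_fields(now):
    """Hidden inputs to embed when the form is rendered at integer time `now`."""
    nonce = secrets.token_hex(8)
    return {"nonce": nonce, "issued_at": str(int(now)), "sig": _sign(nonce, int(now)),
            JS_FIELD: "0", HONEYPOT_FIELD: ""}


# The page would carry this (assumed) one-liner, which a browser runs but a bot
# that only parses HTML does not:
#   document.forms[0].js_check.value =
#       document.forms[0].nonce.value.split('').reverse().join('');
def expected_js_value(nonce):
    return nonce[::-1]


def simulate_browser(fields):
    """Constructed: what a real browser submits (script ran, honeypot untouched)."""
    submitted = dict(fields)
    submitted[JS_FIELD] = expected_js_value(fields["nonce"])
    return submitted


def simulate_dumb_bot(fields):
    """Constructed: a scraper that posts every field it finds, with something in each."""
    submitted = dict(fields)
    submitted[HONEYPOT_FIELD] = "http://example.invalid"
    return submitted


def validate_submission(form, now, min_seconds=3, max_seconds=3600):
    """Return (accepted, reason). Cheapest checks first; every failure is silent to the client."""
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"
    nonce, issued_raw = form.get("nonce", ""), form.get("issued_at", "")
    if not issued_raw.isdigit():
        return False, "malformed token"
    if not hmac.compare_digest(form.get("sig", ""), _sign(nonce, int(issued_raw))):
        return False, "bad signature"
    age = int(now) - int(issued_raw)
    if age < min_seconds:
        return False, "submitted too fast"      # humans take seconds, bots take milliseconds
    if age > max_seconds:
        return False, "token expired"
    if form.get(JS_FIELD, "") != expected_js_value(nonce):
        return False, "javascript did not run"
    if nonce in _used_nonces:
        return False, "token replayed"
    _used_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    fields = issue_form_fields(1000)
    print("browser:", validate_submission(simulate_browser(fields), 1010))
    print("dumb bot:", validate_submission(simulate_dumb_bot(issue_form_fields(1000)), 1010))
```

As the answer says, this only holds until someone writes a bot for your site specifically: replicating the reversed-nonce script is a one-line change for a targeted bot, and the timing check only costs it a sleep. The signature and single-use nonce are there so the cheap checks cannot be sidestepped by replaying a token that a human once got past; they do not make the scheme a captcha.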
As far as I know, Google's one is the best that there is. It hasn't been broken by computer programs yet. What I know the crackers have been doing is to copy the image and then send it to many phishing websites where humans solve them to enter those websites.
It doesn't matter if captchas are broken or not now -- there are Indian firms that do nothing but process captchas. I'm with the rest of the group in saying that Captchas are on their way out.
Here is a cool link to create CAPTCHA..... http://www.codeproject.com/aspnet/CaptchaImage.asp
Just.. don't.. There are several reasons use of captcha is not advised.
http://www.interfacegeek.com/dont-ever-use-captchas/
I use uniqpin.com - it's easy to use and not annoying for users. So, bots can recognise text, but can't recognise an image.
Death by Captcha can solve any regular CAPTCHA (including reCAPTCHA), but not the Speedcoin Cryptocurrency Captcha.
Death by Captcha - http://deathbycaptcha.com
Speedcoin Captcha - http://speedcoin.co/info/captcha/Speedcoin_Captcha.html