
Indian Railway has implemented the world's dumbest captcha - techaddict009
Indian Railway has always been criticized by the Indian travelers. Indian railway servers go down here and now.

Just found how dumb the developers of the Indian Railway are.

Visit: http://www.indianrail.gov.in/pnr_Enq.html

And just select the captcha using the mouse. You will get what I actually mean.
======
codegeek
They do generate it using js and Math.random :)

    
    
    <body onload="DrawCaptcha();">

......

    <script type="text/javascript">
    // Generates the captcha function
    function DrawCaptcha()
    {
        var a = Math.ceil(Math.random() * 9) + '';
        var b = Math.ceil(Math.random() * 9) + '';
        var c = Math.ceil(Math.random() * 9) + '';
        var d = Math.ceil(Math.random() * 9) + '';
        var e = Math.ceil(Math.random() * 9) + '';

        var code = a + b + c + d + e;
        document.getElementById("txtCaptcha").value = code;
        document.getElementById("txtCaptchaDiv").innerHTML = code;
    }
    </script>

~~~
namelezz
You are kidding, right?

~~~
codegeek
notice the :)

------
nacs
The best part about this CAPTCHA is that not only is the data contained within
the CAPTCHA in plain-text in the source (more than once) but they actually add
a background image to the text ( mirrored here:
[http://i.imgur.com/xlYbYZ7.jpg](http://i.imgur.com/xlYbYZ7.jpg) ) so it's
harder for humans to decipher it but easy for bots..

    
    
      <span id="txtCaptchaDiv" style="background-image:url(1.jpg);
      font-weight:bold; font-family:Modern font-size=12">67839</span>
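
For contrast with the client-side `DrawCaptcha()` and the plain-text `txtCaptchaDiv` span quoted above, here is an added example (not code from the thread or from the Indian Railways site) that keeps the answer on the server, written for Node.js. The function names, the in-memory `pending` map, the `/captcha/<id>.png` URL and the two-minute lifetime are assumptions made for illustration.

```javascript
// Added example: server-side CAPTCHA state. All names here are hypothetical.
const crypto = require('crypto');

const TTL_MS = 2 * 60 * 1000;   // assumed lifetime of one challenge
const pending = new Map();      // challenge id -> { digest, expires }; stands in for a session store

// Hash the answer so two equal-length buffers can be compared in constant time.
function digest(answer) {
  return crypto.createHash('sha256').update(String(answer)).digest();
}

// Issue a challenge. Only the opaque id is meant for the page; the answer is
// returned so the server can draw it into a distorted image, nothing else.
function issueChallenge(now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  const answer = String(crypto.randomInt(10000, 100000)); // CSPRNG instead of Math.random
  pending.set(id, { digest: digest(answer), expires: now + TTL_MS });
  return { id, answer };
}

// Markup sent to the browser: an image URL and the id, never the answer text.
function renderForm(id) {
  return `<img src="/captcha/${id}.png" alt="">` +
         `<input type="hidden" name="captcha_id" value="${id}">` +
         `<input type="text" name="captcha_answer" autocomplete="off">`;
}

// Verify a submission. The challenge is deleted on first use, pass or fail,
// so one id can be neither replayed nor guessed at repeatedly.
function verifyChallenge(id, submitted, now = Date.now()) {
  const entry = pending.get(id);
  if (!entry) return false;
  pending.delete(id);
  if (now > entry.expires) return false;
  return crypto.timingSafeEqual(entry.digest, digest(submitted));
}
```

The check only has value if the form handler calls `verifyChallenge` on the server before doing any work; a comparison done in page script can be skipped by the client.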

------
girish_h
It's easier to criticize a group without understanding the background of what
they have achieved.

The Indian Railways runs one of the largest ecommerce sites in India - a site
that has seen a consistent YoY growth over the last few years since it
launched. Last year, they are believed to have earned a revenue of nearly 100M
USD.

The guys who built their reservation system have very good engineering chops -
in fact these systems hit peak load of about a million queries (every day)
during 10 AM - 12 noon (IST) when users and reservation agents try to access
the site irctc.co.in from browsers / mobile / reservation counters etc.

The "captcha" was not even in this page a month back. The "PNR Enquiry" for
which this page is intended is a feature that can be accessed through SMS &
also from the irctc website. This is possibly the least visited page in
indianrail.gov.in

I have been an active user of both irctc.co.in & indianrail.gov.in over the
last 7-8 years and have seen how these sites have grown.

~~~
phaus
No one is claiming anything other than the fact that the captcha is really
horrible.

That being said, your defense of the site makes it sound even worse. Not only
is the captcha horrible, but it took them almost all the way until 2014 to
even implement one.

It is quite possible to have exceptionally good engineering chops and still be
completely clueless when it comes to security.

I hope that the rest of the code powering this $100 million annual eCommerce
traffic isn't as fundamentally flawed from a security aspect.

------
user24
I bet it stops spam though, at least for a while. I've seen captchas that
literally just say "Type the word 'whistle' in the box".

They work because spammers often don't target specific sites but just run
generic bots.

As soon as you throw something, even trivial, in the way, the spambots give
up.

It wouldn't work for a high-value target of course.

If Indian Railway is a high-value target, then maybe they're just trying a
'dumb' solution and keeping an eye on spam to see if they need to put
something cleverer in place.

------
techaddict009
Two possible reasons: 1) Incompetent developer. 2) It is being deliberately
done so that other sites that give Railway information can still leech the
information. And also, on paper, Railway can show that they have implemented
proper security or whatever they think it is.

~~~
korvenadi
I don't say they are incompetent. They might have some cost constraints and
that is why it doesn't look appealing to you.

~~~
krapp
Recaptcha is free and takes minutes to implement. Those aren't valid excuses.

------
girish_h
More information about irctc.co.in here in this Forbes India interview. It's
got every bit of a startup journey in there:

[http://forbesindia.com/article/leaderhip-awards-2013/rakesh-...](http://forbesindia.com/article/leaderhip-awards-2013/rakesh-tandon-steering-the-resurgence-of-irctc/36363/1)

------
dapatil
    <input name="lccp_cap_val" value="12323" id="txtCaptcha" type="hidden">

------
mattwritescode
I was hoping nobody would find my code. That's what happens when you
outsource your site to the west.

------
factorialboy
Given that their website is down or extremely slow all the time, the captcha
won't be my #1 complaint. (-:

------
vasundhar
Simple shouldn't be stupid, it should be smart. Why not recaptcha for example?
Less code, better work.

