
How not to design a CAPTCHA - DrewHintz
https://plus.google.com/107276867598285658079/posts/KcJXYamu12X
======
Slackwise
I work in medical IT. You'd be surprised how many _government_ sites do
similar.

An example would be <https://sso.state.mi.us/som/dch/enroll/reg_page1.jsp>
(You can enter any fake name/email, this is only step one of the registration
script. The next page has the captcha in question.)

The captcha is plaintext, right on the page. The data from the captcha isn't
even sent to the server, it is processed _locally_ via JavaScript.

So, the bots don't even have to do anything, but humans have to input a
meaningless number...

    
    
        <!-- The field the human has to type the number into -->
        <input type="text" name="inputNumber" class="entry-field" size="5" tabindex="3">
    
        <!-- ... -->
    
        // 'str' is the random number. It is written into the page three times:
        // as visible bold text, as the query string of the image URL, and as a
        // hidden form field. A client only has to read any one of them.
        document.write('<div id="layerNum" class="verifyNumber" align="center">');
        document.write('<b>'+str+'</b>');
        document.write('<img src="generateGIF.jsp?number='+str+'">');
        document.write('</div>');
        document.write('<input size="5" type="hidden" name="rdNumber"  value="'+str+'">');
    
        <!-- ... -->
    
        <!-- Validation runs only from the onclick handler; a client that does
             not execute it submits the form without any check at all -->
        <input type="submit" value="Continue" name="submit" onclick="return Valid();">
    
        <!-- ... -->
    
        function Valid(){
        // ...
                if(chkRandomNumber()){
                  return true;
                }else{
                  return false;
                }
        // ...
        }
    
        // Compares the hidden field against the user's input, entirely in the
        // browser. (document.all is the IE-only DOM collection.)
        function chkRandomNumber(){
          str1=document.all.rdNumber.value;
          str2=document.all.inputNumber.value;
          if(str1!=str2){
            alert("Please check and type the number as shown in the box");
            return false;
          }else{
            return true;
          }
        }

~~~
codabrink
Wow, that is very surprising. Is the web development industry hurting that
much for good programmers, or are just the wrong people being hired?

~~~
rmc
There is also a skills shortage in programmers. If people like this can get
work, then imagine if you actually knew about programming. Remember that next
time you're thinking about your unsatisfying job or at pay review time.

~~~
icebraining
> If people like this can get work then imagine if you actually knew about
> programming.

You're assuming the client/employer can actually distinguish between the two.
I'm not sure that's the case for many jobs.

------
sthatipamala
Completely OT: I find it interesting that this post and several other HN posts
this week are hosted on Google Plus. I definitely would not have predicted
that G+ would encroach on the LiveJournal/Tumblr space.

~~~
carbocation
On a similar tangent to your OT post: we're getting to the point where seeing
(plus.google.com) would be useful, since it conveys quite a different meaning
to me from (google.com).

~~~
nantes
If you use Chrome, you might be interested in
<http://news.ycombinator.com/item?id=2240646>

~~~
carbocation
Actually, yes, that did the trick for me; thanks! (Though I still think it's a
feature that everyone would appreciate, so if it could go into news.yc, that
would be even better.)

~~~
nantes
You will hear no disagreement from me. Glad it worked for you.

------
yid
If anyone ever wondered what the phrase "cargo cult science" referred to, this
is a prime example. They're going through all the motions, but sadly their
understanding of the universe is gratuitously flawed.

~~~
drenei
+1 for cargo cults: <http://en.wikipedia.org/wiki/Cargo_cult>. It's a great
idea to keep in mind for a creator/designer/programmer. People/users/everyone
all too often intuit through imitation.

------
RyanMcGreal
On a site I administer that used to be deluged in spam, I managed to eliminate
it with a three-pass filter:

1. Simple mathematical question, e.g. "What do you get if you add five and
three?" Answer is processed on the server.

2. Hidden form field that is supposed to remain blank.

3. Blacklist of common spam words.

~~~
__david__
On a forum I run (phpbb3) I eliminated 99% of the spam by adding 1 field that
says "enter 42 here to prove you are human". No image, no hidden field,
nothing.

We still get the occasional spammer but the real problem was our phpbb3 board
showing up in the automated spam programs. As soon as we were _slightly_
different than the default install, nearly all the spam stopped.

The interesting thing was that even the built-in captcha didn't stop the spam
--it was worth cracking since everyone uses it.

~~~
Jach
Yeah, even recaptcha is broken. A new board I helped set up at my company got
some spam before even being publicly announced!

On my blog I generate two random sequences of characters and tell the user to
join them together without a space. This seems to have worked really well.
(Though in the past I've also had static strings like "join 'bow' and 'ser'
together" or "join 'doc' and 'tor' together".) I used to have the addition
challenge like the GP but it was broken. My comment form was _slammed_ with
hits, so I rate-limited attempts, but a few still got through (since it's
actually not a big set of responses to go through and you can defeat rate
limits). That's when I implemented my string scheme and changed the comment
form submission url (which only lives in Javascript now), haven't had a
spammer get through yet.

On another forum I used to moderate (I think it was an Invision Powerboards
one) I fixed it with a second field asking something like "What makes things
fall down? gravity or noodles?" And if they entered gravity it would let them
register. It lasted a few years, then a few randomly got in but by that time
the forum had died.

------
alexitosrv
If you are into this, you might find this review of a paper by Googlers
interesting. It describes a CAPTCHA design in which humans are asked to
select the right image rotation:
<http://glinden.blogspot.com/2009/05/exploiting-spammers-to-make-computers.html>

As always, one of the most interesting parts of truly great CAPTCHA systems is
that they are advancing the state of the art in image recognition. But on the
other hand we still have scams like this, and no real solutions.

------
ghurlman
Sony... some part of me had really hoped that they would overreact to the
hacking movement against them, and lock themselves down like Ft. Knox.

Instead, it would seem they're taking the "we'll get hacked anyway, so let's
not waste our time" approach.

~~~
dennisgorelik
The Sony CAPTCHA we are discussing here was likely written years ago (before
the Sony security vulnerability scandal).

It just indicates the pathetic state of Sony's security development team,
something that cannot be changed overnight.

------
adamtulinius
A few years ago, or so I think, people went all crazy talking about a
replacement for captchas: show a range of images, and make the user pick the
image described by a block of text.

How come nobody adopted that approach?

~~~
lbrandy
Because the math doesn't work. Most "next-gen" captchas fundamentally fail (by
orders of magnitude) one of the many pillars that make captchas scale...

1. Is it trivial for a human to answer correctly? This affects growth.

2. Can humans do it quickly? This affects growth.

3. How is the random guess-rate? This better be abysmal.

4. How good is the "opposing" technology?

5. How is the guess rate of a sophisticated attacker, using said technology?

6. How much human input is required to create your captcha? You better be
asymptotically better than human-solving the captcha.

7. What are the cultural and accessibility issues?

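Pillars 3 and 5 above, worked through for two of the challenge types mentioned earlier in the thread: the "add five and three" question that Jach reports was brute-forced because "it's actually not a big set of responses", and the two-random-strings scheme he replaced it with. This is an added example, not code from any commenter; the operand range, string length, alphabet size and rate limit are assumptions chosen to make the comparison concrete.

```javascript
// Added example (not from the thread): quantifying guess rates for two
// challenge types. All parameters below are assumptions.

// Answer distribution for "what is a + b?" with a and b drawn uniformly
// from [lo, hi]. Sums are not uniform: the middle value is the most common,
// which is what matters to an attacker who can pick a fixed best guess.
function sumDistribution(lo, hi) {
  const counts = new Map();
  const n = (hi - lo + 1) ** 2;
  for (let a = lo; a <= hi; a++) {
    for (let b = lo; b <= hi; b++) {
      counts.set(a + b, (counts.get(a + b) || 0) + 1);
    }
  }
  const dist = new Map();
  for (const [sum, c] of counts) dist.set(sum, c / n);
  return dist;
}

// Pillar 3: a uniformly random guess over the answer set.
// Pillar 5 with zero "technology": never read the question, always submit
// the single most likely answer. For small answer sets the two differ a lot.
function guessRates(dist) {
  let best = 0;
  for (const p of dist.values()) best = Math.max(best, p);
  return { uniformGuess: 1 / dist.size, bestGuess: best };
}

// Two random strings of `len` characters over an alphabet of `k` symbols,
// joined: a blind guess succeeds with probability k^-(2*len), and there is
// no "most likely" answer to exploit because the strings are uniform.
function joinedStringGuessRate(len, k) {
  return Math.pow(k, -2 * len);
}

// Expected submissions until the first success at per-attempt rate p, and
// how long that takes under a rate limit of `perMinute` attempts (the
// thread's point: a limit only helps if 1/p is large to begin with).
function expectedCost(p, perMinute) {
  const attempts = 1 / p;
  return { attempts, minutes: attempts / perMinute };
}
```

With operands 1..10 the best fixed guess ("11") succeeds on one submission in ten, so a rate limit of ten attempts per minute still lets a bot through roughly once a minute; two four-character alphanumeric strings put the blind-guess rate around 36^-8, and then the limit does its job.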
~~~
Joakal
8. The user may have a slow computer.

I remember suggestions of using computing power to slow down guess-rates.
Probably related to bitcoins. However, it doesn't work since some users don't
seek better computer performance.

------
desaiguddu
Need help for Open Sourcing the CAPTCHA research project. I have covered few
points of CAPTCHA design in my presentation.

Here is my CAPTCHA research paper:

<http://news.ycombinator.org/item?id=2754436>

<http://www.slideshare.net/desaiguddu/drag-and-drop-captcha-a-better-approach-to-captcha>

------
mixmastamyk
Jesus, rootkits, PSN, and now plaintext captchas ... the dev/IT clowns at Sony
need to be fired en masse.

------
dfc
On the subject of terrible captcha systems. I found the following gem while
looking for OSS games for linux:

"You are born into WHAT? (answer is one English word)*" [1]

It is not entirely clear to me what the expected answer is. A google search
for "you are born into" does not return any answer that is clearly correct. If
I had to guess I would go with "sin" but I am hoping that nobody would be so
ignorant as to design a captcha system that assumes a certain
cultural/religious background.

[1] <http://garden.sourceforge.net/drupal/?q=image/tid/3>

------
snorkel
What about just asking the user "Why would a benevolent God allow evil to
exist?" and then the server checks if the answer mentions "freewill"

------
Turing_Machine
A _slightly_ less clueless (but still clueless) approach to CAPTCHA design is
to 1) make the CAPTCHA case-sensitive, 2) use letters for which the lower-case
representation is very similar to upper-case, and/or use both zero and the
letter O, 1 and the letter l, and so on, 3) use an image munging algorithm
that makes it next to impossible to disambiguate the cases in 2).

~~~
hammock
What I think is cool are the captchas that make fake words that actually look
like they could be real words (as opposed to a random string of text). Makes
it easier for a human to read and figure out, but no easier for a bot. I don't
know how they do that.

~~~
ignifero
(vowel+consonant).times(6).join('')

~~~
jrockway
if(failed_attempts > 20){ ban for ten minutes }

------
Kwpolska
DON'T use a bloody CAPTCHA.

------
rlf
I can't believe Google is criticizing how Sony does CAPTCHAs when I've been
complaining for years about how difficult Google's are to read. But as to
their point, based on Sony's recent security issues, it doesn't sound like
Sony has a very good IT department.

~~~
kijinbear
It's not Google criticizing Sony, it's Andrew Hintz posting on his Google+
page.

