
Worst CAPTCHA Ever - ZeljkoS
http://svedic.org/programming/worst-captcha-ever
======
davidroberts
D&B executive's spouse: You've really got to help my little brother. He hasn't
had a job since he got fired from McDonald's two years ago.

Executive: What can he do?

Spouse: He's really good at programming. He took a class in it in high school
five years ago, and I'm pretty sure he didn't fail. He even has his own web
page.

Executive: Hmmmmm. I think we have something he can work on....

------
don_draper
Hey D&B developer here. I'm excited to see so much interest in my work. If the
captcha is correct we categorize it as a bot and don't let it through. If the
captcha is incorrect then it must be a human and we let them through.

Good news: we're hiring! We have day long meetings Mondays and Wednesdays, but
other than that it's great.

~~~
aprescott
I don't really understand this approach. Won't the false positive rate be
close to 100%? Humans are going to get the captcha right every time. If it's
supposed to be a honeypot system, the input should be hidden from human users
to avoid that problem.

~~~
bjxrn
Pssst. I don't think that was seriously a post from a D&B developer.

~~~
aprescott
Damn you, Poe! :(

------
_ikke_
Well, it is a good way to tell computers and humans apart. Computers can read
it, while humans can't.

They should reject correctly filled-in captchas.

~~~
fakeer
I still loathe reCAPTCHA more than any other captcha out there. I've given up
hopes of logging in on many occasions simply because of it.

Looks like it's designed not to be deciphered by either humans or computers.

~~~
drostie
Fun tip: reCAPTCHA is actually two things, the "re" and the "CAPTCHA". In
other words, one half is about testing that you're not a human, while the
other half is a legitimately unknown word from a source of failed optical
character recognition.

You actually don't have to get the latter one anything close to right; and I
think you're given the option of at least one typo in the actual CAPTCHA test.

So when a CAPTCHA looks impossible, try doing the possible half and typing in
"balls" for the other half. It actually works with pretty reasonable accuracy.

~~~
anoncow
> try doing the possible half and typing in "balls" for the other half

That doesn't help with the digitization of books. :)

~~~
jodrellblank
Who gives a crap about helping Google digitize books that they scanned without
publisher or author permission and that we won't be able to read afterwards
because we have to respect copyright where they didn't?

Captchas are a pox on the web, and reCaptcha a sleazy immoral one, too.

~~~
htm
Plus you can guess (with absolute certainty since they changed the domain to
read the google.com cookie) they use it as an unblockable tracker to build a
database of sites you're registered on.

------
6ren
Every expense was spared to give the impression that no expense had been
spared. It's a credit report site; they want you to _think_ they are secure.

~~~
dornab
Exactly. It probably increases conversion because it looks secure.

Credit card forms are sometimes used that way too, they get a lot of extra
information because if they don't, people feel that they're scammy.

~~~
krapp
But surely a working captcha would increase conversion as well _and_ have the
added benefit of being a captcha?

~~~
just2n
And you really have to wonder, because the last time I had to implement a
CAPTCHA (around 5 years ago), it was about 5 minutes of work. Google query,
found a library, downloaded the library, copied the example into a form, and I
was done.

I can't imagine coming up with your own clever hacked-together bogus CAPTCHA
would be simpler than that. So they actually did it the hard way?

------
ef4
A wonderful example of cargo cult programming.

~~~
sabe__
It's like all these sites that require you to enter your current password
before you can change it, but deleting the entire account is just ticking a
check box (at least twitter and dribbble worked this way back when I had
accounts there).

Some things we've been doing for so long that we forget why we do them at all.

~~~
nostrademons
Or ones that make you confirm an e-mail address by entering it twice.

The reason you confirm a password is because you can't see the password, and
so you never know if you mistyped it. Confirming an e-mail address, in a
normal text field, is just stupid busywork.

~~~
sabe__
I was not talking about retyping the new password, but about requesting the
old password before you can change it. The reason you do this is because even
if you theoretically could hijack the session, you still can not hijack the
account. But the priority seems a bit off when the password is more important
than the account, which makes you believe that the people behind the sites
only added the extra password validation because they've seen it everywhere
else, and not because they understand the principle behind it.

~~~
roto
It's to prevent people from being able to change your password if you step away
from the computer for a few minutes to take a piss.

~~~
ef4
Exactly. The original commenter's point is that they prevent someone from
changing your password, but they don't prevent that person from deleting your
account.

------
superdude
One of my buddies worked in the accounting department at our state government.
He needed to get a bunch of documents from another agency (like hundreds every
month) to process claims. Well this other agency requires everyone to go
through their website and download each document one at a time. They said it
was to prevent abuse. For some reason they couldn't just send a batch of them
to us, even a fellow state agency. So I made a scraper to download an entire
month at a time. I figure it was a webforms site because it was filled with
postbacks and viewstates which made it a bit of a pain, but the ridiculous
thing was the CAPTCHA code:

<input name="actualSpoofValue" type="hidden" id="actualSpoofValue"
value="TFU3P">

and TFU3P was the CAPTCHA code!

~~~
pavel_lishin
Isn't that one ambitious DA away from being a felony these days?

~~~
superdude
No, it was publicly accessible information from a public-facing website.

~~~
ivix
Since when was that a defence?

You circumvented COMPUTER SECURITY on a GOVERNMENT WEBSITE. This is how the
judge will see it.

------
codesuela
While this captcha is truly a display of ignorance I could imagine that
"corporate developers" at D&B aren't web developers. All I am saying is that
if you force me to write enterprise software (which I have zero experience
with) on a tight schedule I'm probably going to make a stupid mistake or two
even though I hope I am not of "lower quality". I imagine someone in
management refused to hire web devs because "we've already got developers
inhouse". Just a wild guess though.

~~~
krapp
It doesn't matter though. This isn't just a 'stupid mistake' made by a dev
rushed for time, this is literally 'not a captcha.' It's not. Not even a
poorly designed and incompetently executed captcha... it just isn't even one
at all.

It doesn't take long to find out that best practices exist for captchas, what
they are, what the typical vulnerabilities are, and then pick one from the top
shelf of existing solutions once you realize captchas are hard to do properly
and you're probably not being paid what it's worth to roll your own.

~~~
laurent123456
The funny thing is that the dev is apparently competent enough to make it look
like a captcha, yet not enough to know what the purpose of a captcha is.

Actually, even if it was a real captcha, a computer could still easily guess the
answer because the random parts are outside the answer text.

~~~
krapp
Yeah the regular grid and text would probably make OCR even easier if it were
necessary. It wouldn't surprise me if they just used uppercase letters, too.

Maybe they assumed that bots would interpret the page the way a human being
would, when they're not looking at the source code? Though my money's on
someone just not caring.

~~~
aoloe
You know, it could have gone this way:

Manager: Make me a captcha.

Dev: We don't really need one, all we need is a simple way to avoid dumb
automatic submits.

M: Use a simple one, then.

... a few minutes later...

D: Here it is, the user just has to copy over those four letters.

M: Hey this is not a captcha. It does not look like a captcha.

... a few minutes later...

D: Here it is, now it looks like a captcha.

On the other side, it could be very true that if you don't put some annoyances
behind it, "normal" people don't recognize it as a captcha... And most of the
time (on most custom low traffic sites...) you don't really need much more
than a static "write the result of 2+2".

I've been there, I've already done it :-)

------
jmorton
But wait, how else would you make the automated tests pass?

~~~
tomjen3
Stub the captcha generator with one that returns a known value...

------
d23
Funny coincidence, I ran into this on another website yesterday. And if it
weren't bad enough that it was printed in plain text in the source code, it
was only checked _client side_ with javascript. Seriously?

~~~
kevin_p
Just because something is checked client-side doesn't mean it's _only_ checked
client-side. I've used JS checking on anti-bot questions[1] quite
deliberately: it doesn't have any effect on 99%+ of bots, but it stops posts
by humans from accidentally being flagged as spam.

[1] admittedly questions like "type _someword_ in this box to prove you're not
a spambot"[2] rather than actual captchas, which I agree would be rather
silly.

[2] if this is what you meant by a "printed in plain text in the source code"
question, remember that most spambots aren't customised to an individual site,
they just roam the internet submitting their crap to anything that looks like
a comment form. Sure, it's trivial to write a script to parse the page and
find the answer to the question - but nobody's actually going to do that for a
typical company's "Contact Us" form. Adding this sort of check cuts down on
spam enormously (from hundreds a day to zero), and is way easier for humans
than solving a captcha.

~~~
__david__
> admittedly questions like "type someword in this box to prove you're not a
> spambot" rather than actual captchas, which I agree would be rather silly.

This is not silly. This works _extremely_ well for the low traffic forum I
run. Since there are a _huge_ number of phpbb3 forums out there, spammers have
made spam bots specifically targeting the platform. If you make your forum
epsilon different from the default then the bots don't work without manual
intervention. That's enough to keep you off of autospam lists for very, very
long periods of time.

And when someone inevitably adds your extra form element to their spam bot
(it's happened to me 2 or 3 times over about 6 years) then you just change the
answer and it stops working (and they might not even notice since it's a bot).

~~~
kevin_p
Updated to be clearer about this. I meant that fake captchas like the one in
the OP (which put HTML text on top of a confusing background image to make it
harder to read) were silly, not simple question checks.

~~~
Evbn
It is the same thing. For a low priority target, it is sufficient.
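
As an added illustration of the server-side design that the d23 / kevin_p / __david__ exchange above is arguing about (and of why a hidden field carrying the expected value, like the actualSpoofValue input quoted in superdude's comment earlier in the thread, proves nothing), here is example code that is not from the thread, from D&B, or from any site mentioned. The challenge answer is drawn from a CSPRNG, held only on the server keyed by an opaque token, checked once and in constant time, and the HTML carries the token but never the answer. A weak_verify that trusts a hidden field sent back by the request sits beside it as the pattern a reviewer should reject. The class, function and field names (CaptchaStore, render_form, server_handle_submission, captcha_token, captcha_answer) are constructed for this example.

```python
import hmac
import secrets
import string
import time

# Constructed example: a minimal server-side challenge store. It is not D&B's
# code or the thread's; it demonstrates the design the comments call for.
ALPHABET = string.ascii_uppercase + string.digits   # the form asks for ALL CAPS
TTL_SECONDS = 300                                    # challenges expire


class CaptchaStore:
    """Outstanding challenges live only on the server, keyed by an opaque token.

    The browser receives the token and a rendered image; the expected answer
    never appears in a hidden input, a <span>, or a JavaScript variable.
    """

    def __init__(self, now=time.time):
        self._pending = {}   # token -> (answer, expiry timestamp)
        self._now = now      # injectable clock so expiry can be tested

    def issue(self, length=5):
        # CSPRNG draw: 36**5 possible answers, unlike the at most 1000 distinct
        # values you get from truncating md5(rand(1,1000)) as a later comment describes.
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        token = secrets.token_urlsafe(16)
        self._pending[token] = (answer, self._now() + TTL_SECONDS)
        # The answer is returned only so the image renderer can draw it.
        return token, answer

    def verify(self, token, submitted):
        # Single use: remove the challenge whatever the outcome, so the same
        # token cannot be retried against the same answer.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        answer, expires_at = entry
        if self._now() > expires_at:
            return False
        # Normalise case (the instructions say ALL CAPS, so don't punish
        # lowercase input) and compare in constant time.
        candidate = submitted.strip().upper()
        return hmac.compare_digest(answer.encode(), candidate.encode())


def render_form(token):
    """The only CAPTCHA-related value in the markup is the opaque token."""
    return (
        f'<input type="hidden" name="captcha_token" value="{token}">\n'
        f'<img src="/captcha/{token}.png" alt="CAPTCHA">\n'
        f'<input type="text" name="captcha_answer">'
    )


def server_handle_submission(store, form):
    """Server-side check: the expected value comes from the store, never from the request."""
    return store.verify(form.get("captcha_token", ""), form.get("captcha_answer", ""))


def weak_verify(form):
    """Anti-pattern to reject in review: the 'expected' value is read back from a
    hidden field the page itself sent (modelled on the actualSpoofValue input
    quoted in the thread). Anything that can read the page can satisfy it, so
    the check says nothing about whether the submitter is human."""
    return form.get("captcha") == form.get("actualSpoofValue")


if __name__ == "__main__":
    store = CaptchaStore()
    token, answer = store.issue()
    print(render_form(token))          # the answer does not appear in this markup
    print("correct answer accepted:", server_handle_submission(
        store, {"captcha_token": token, "captcha_answer": answer}))
    print("replay of the same token:", server_handle_submission(
        store, {"captcha_token": token, "captcha_answer": answer}))
```

The point kevin_p makes survives this design unchanged: a JavaScript pre-check can still sit in front of the form to stop humans from being flagged by a typo, as long as the decision that matters is the server-side verify call, and as long as the value being compared against never travels to the client.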

------
dmazin
Speaking of, has anyone else noticed that captchas (especially recaptcha) have
gotten a lot harder over the last year?

~~~
nlh
I have indeed. Anyone have more details? At one point I recall (re)CAPTCHAs
being about helping OCR slightly less-readable words from book scans. But they
were actual words. They seem to be gibberish words now.

~~~
SolarNet
Maybe they ran out of non-gibberish readable things to OCR?

------
pkulak
I find it hard to believe that you could be smart enough to build something
like this, while also being dense enough to think that it's actually a
CAPTCHA. My guess is that some pointy-haired boss really wanted a CAPTCHA and
the developer didn't think it was needed. Everyone's happy.

Of course, the developer could have also just slapped RECAPTCHA on there and
been done in even less time...

------
GuriK
Have fun guys ...

<http://pro.sony.com/bbsc/jsp/forms/generateCaptcha.jsp>

~~~
metaphorm
too easy. try again.

<!-- Layer contains table with 5 cols (width is divide by no of chars)
contains Captcha Chars -->
<div id="captchdiv" style="position:absolute; left:10; top:15;">
<TABLE BORDER="0" CELLSPACING="0" WIDTH="170" height="30">
<tr>
<td width="34" align="center" valign="top"><span style="font-family:cursive; FONT-SIZE:13.2 pt; color:#FFFFFF; text-decoration:none;"> <b>L</b></span></td>
<td width="34" align="center" valign="bottom"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>K</b></span></td>
<td width="34" align="center" valign="top"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>T</b></span></td>
<td width="34" align="center" valign="bottom"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>F</b></span></td>
<td width="34" align="center"><span style="font-family: cursive; FONT-SIZE:13.2 pt; color: #FFFFFF; text-decoration: none;"> <b>B</b></span></td>
</tr>
</table>
</div>

------
robbyking
I've worked for managers who would've asked for features like this; they just
wanted it to look like it functioned so our non-technical audience would think
it was impressive.

------
mschuster91
D&B?! Aren't these the guys everyone including Apple trusts for their DUNS
number?!

Are you fucking serious?

~~~
mzahir
Exactly. They're not the people everybody trusts to determine if incoming
traffic is human/machine.

Your response implies that they are inept at their area of expertise.

~~~
SoftwareMaven
It's relevant if being able to automate the connection allows you to
circumvent the checks Apple, et al, have put in place with the DUNS number. I
have no clue, so I can't render an opinion.

------
dreamfactory
I like the fact that it is case-sensitive and yet instructs to be typed in ALL
CAPS :)

------
JoaquinRoca
This is hilariously awful. Thanks for sharing. I recently moved all my
CAPTCHAs to games with AreYouAHuman.com and I love it.

------
qntmfred
see also: <http://i.imgur.com/G8fV1IV.jpg>

------
exodust
I don't see the problem. It's easy for people to see the word and type it in.
Lightweight but not insignificant measure of protection. Compared with no
protection, this form will receive less spam.

There is no impact on the user except a better user experience.

The corporate developer may have looked at the spam levels and decided that a
basic measure would be fine considering the exposure to the page, or other
reasons.

CAPTCHA is anti-people. It's a step back to the dark ages every time a website
asks you to type in a fuzzy word, often just a jumbled string making it even
worse for reading.

Surprised some comments are taking aim at the developer, who at least isn't
using the stupidly backwards, barely visible full version of captcha. Check
en.wikipedia.org/wiki/CAPTCHA; it's a joke that the examples posted there seem
so much easier than the overly-abstract usual suspects out there in reality.
That wikipedia article needs a new section, something like 'criticisms' or 'UX
Fail'.

D&B's 'captcha' is whack? So is Google's.

~~~
WatchDog
Why even bother adding the background image if you are just trying to stop
dumb spam crawlers.

~~~
exodust
Very true, why indeed. A misunderstanding of how spam crawlers work? Btw, how
do spam crawlers work?

People must prove they are people. And spam crawlers don't need to prove
anything. Turing wouldn't have liked his name associated with a test that
humans fail often (needing to refresh the captcha), and a test that machines
must fail in order to be effective.

------
meistro
Two years ago I had to deal with D&B's flagship product, which came packaged in
a Java applet. I remember one day I upgraded to the latest version of Java (a
security patch) and it broke their tool. After contacting them they said the
only solution was to downgrade to the Java version with a known security
hole...

------
Eliezer
Wow. That's... we're lucky Homo sapiens didn't get its intelligent species
license revoked for this.

~~~
krapp
The notice of our species' Sapience Rating revocation has been on display at
our local planning department on Alpha Centauri for 50 years now....

------
d0m
There are different levels of "captcha". Some bots just fill any forms on any
sites with their spam.. a simple client-side question goes a long way to
mitigate this. It obviously is a very different story if it's a script created
especially for this form.

------
nelse
That reminded me of the captcha I got some time ago:
[http://24.media.tumblr.com/tumblr_lvy7sl13MV1r839zio1_500.pn...](http://24.media.tumblr.com/tumblr_lvy7sl13MV1r839zio1_500.png)

------
ricardoz17
Twitter does something similar with 3rd-party authentication. The user puts in
their name and password but then the rest of the process can be done by a bot:
1. click on a button to confirm granting access; 2. provide the code in an
image to the App, but the HTML for the code has the following:

<span id="code-desc">Next, return to TrainerLists and enter this PIN to
complete the authorization process:</span>

<kbd aria-labelledby="code-desc"><code>7996044</code></kbd>

------
drakaal
D&B is in the business of selling your corporate data to marketing companies.
They claim that they never share their database in an automated way, and that
they protect this information so that it is only human-readable, but it is in
their best interest to let companies have access. Likely this is there to allow
miners, not specifically because they are incompetent, but because they are
dishonest.

------
rhapsodyv
[https://gist.github.com/rhapsodyv/5279369/raw/88af15fdba655b...](https://gist.github.com/rhapsodyv/5279369/raw/88af15fdba655b01db0cfe896a5376d033511fd2/gistfile1.txt)

This is a cpf (something like social security number in Brazil) validator from
this site: <http://via7solucoes.com.br/curriculos/cadastro.asp>

------
njbooher
Wrong. The worst CAPTCHA ever is <http://www.solvemedia.com/>

------
jpdoctor
LOL. So someone is doing automated lookups on the D&B site, they noticed, and
then they put a broken captcha on the site.

Really, the only thing wrong with this picture is that they got called out on
HN, so now whoever is doing the automated lookups won't be able to kill off
D&B by releasing their information.

------
petercoolz
I hate hate hate D&B. so scammy and spammy and worthless. I think their
corporate structure reflects the scam... One company issues the DUNS # but
another is the telemarketing spammy one that calls you for years afterward.

------
cefarix
My company got a couple of emails from a "credit advisor" Stacy at D&B with no
subject. Then in the third email, from the same person... the email was typed
out in the subject and there was no body. _facepalm_

------
ericz
You know, maybe it's because they just wanted to slow down legitimate users
for some reason, and spam wasn't a big problem. Ok I'm just trying to be
optimistic.

------
brevityness
One odd quirk I've noticed with CAPTCHAs is that requesting a new one almost
always returns one that is far more legible to discern. Is this by design?

------
thomaslutz
I thought you meant the reCaptcha Audio-Version (unsolvable for humans after
it got broken a few times). This is just hilarious.

------
lucb1e
I've seen some company's code that generated captchas too. It was the first 5
characters of md5 output of rand(1,1000)...

------
niggler
How do audio captchas compare to the visual ones? Is it harder or easier for a
computer to crack / people to understand ?

~~~
dEnigma
Audio captchas are pretty hard to solve for me personally, much harder than
even almost unreadable Captchas. But maybe that's just me. Still can't imagine
a bot solving the audio captchas I've heard though.

Edit: Just listen to it:

<https://www.google.com/recaptcha/demo/>

~~~
niggler
That is awful. In most of the triplets, the middle sound is completely drowned
out by the noise.

~~~
codesuela
Wow yes I agree, first time I've heard reCAPTCHA. I am seriously wondering
whether ANYBODY is able to solve this. I know it was broken before but now it
seems reCaptchaing something means straight up denying it to visually impaired
people.

------
heroic
Beats this! <http://www.hmv-news.co.uk/register.php>

------
smegel
Security by "no one would be that stupid"

------
jmotion
Thing is, this will actually stop most contact form spam software.

------
rsobers
I love the use of the <font> and <b> tags, too.

~~~
stan_rogers
<b> is valid in HTML, and different from <strong>. It's actually being used
correctly here.

~~~
saraid216
It's valid, but it's one of those things that shows they're not a web
developer. We don't use <font> or <b> anymore. That's what CSS is for.

~~~
zopticity
Nope, you're wrong. <b> is actually still being used to differentiate between
<strong>. <strong> is used for accessibility reasons (making the words
enunciate with emphasis, while <b> just makes the words bold by default). If
you want to bold a part of the sentence without having emphasis, you'll need
to use <b>.

~~~
Evbn
What's the difference between <strong> and <em>?

Em is for emphasis.

~~~
stan_rogers
<em> is for intonational emphasis, the way you'd give a little extra stress on
a word when you are speaking. <strong> is an indicator of importance, and may
not correspond to intonational emphasis in spoken language.

As for the older tags, they were deprecated in XHTML, but have been redeemed
in HTML 5. <i> is used for elements that are traditionally set in italics but
are neither emphasized nor citations. Often that will be foreign words (where
one ought to use a lang attribute). Similarly <b> is used to indicate elements
that are traditionally set in bold face, but which do not indicate importance
(as headings or <strong> in running text would do). Both are better than the
semantically-meaningless <span> tag, and _vastly_ better than misusing the
<em>, <cite> and <strong> tags for their presentation effects.

------
natemcguire
After the D&B signup process, well, I am not surprised.

------
unlucky
Seems almost too simple... I feel like I am being tricked.

------
ed2417
Your data will be safe with us!

------
1bitwonder
I've seen one where it was always:

"What is 2+4?"

~~~
Jeremy1026
I put a super basic human authentication system on my wedding website in the
online guestbook. It was just a simple form that was getting hit with
spammers, so I added a super quick "What is the groom's name?" field to the
form for authentication. Spam stopped completely. Sometimes, depending on the
website, a super secure captcha isn't needed.

------
iambibhas
Somebody is gonna get fired.

------
aragot
That's an April Fools!

...or isn't it?

------
bjoe_lewis
D&B. Trolled.

------
polskibus
this should be submitted to thedailywtf.com

------
L0j1k
This should give you a really good idea what it's like trying to get a DUNS
number (a requirement for doing contract work with the government as a
business). Their entire business is basically the front-end to a scam.
Somebody pulled a network contact to wedge their company in between businesses
and the federal government.

You are _guaranteed_ to get scammy-sounding emails and phone calls from D&B
after signing up. Emails with subjects like "Your business is in danger!" or
messages like "Your business credit report has some big issues!" and you find
out that in order to get "protection" or to find out what these "issues" are,
you have to pay Dun and Bradstreet a shitload of money.

That company is a SCAM and a perfect example of how completely
retarded/bought-and-paid-for the United States government is.

~~~
harryh
It's not just contract work with the government. Once you are a business of
sufficient size it's almost inevitable that you'll run into some random thing
where you're required to have a DUNS number before proceeding (and it's always
unclear why this is a requirement). So dumb.

