61 Comments
- tizz66, on 10/12/2007, -1/+18
How completely useless.
Not only that, but logos are *static* images. A captcha defeating script just has to know what a particular logo looks like, and it will get through easily. Captchas need to be randomly generated images, not static. At the very least a captcha script has to have an almost-infinite number of combinations.
Buried as omg lame.
- eleven, on 10/12/2007, -1/+17
Wait no - this doesn't work - or at least would not stop someone from taking advantage of it. The captcha image source should not describe the image itself. For instance the image that is used in the demo showing a Microsoft logo is named "captcha_microsoft.gif". I would imagine a true captcha would use a script eg: to populate the image and you would use a session variable to track what was chosen.
- aleaalto, on 10/12/2007, -1/+10
Bury.
..img src="images/captcha_yahoo.gif" alt="" title="Yahoo!"
It's not that hard to figure out what is the correct answer to the given captchas. And besides, when the images are not dynamically changed in any way, it's very easy for a computer to either index a database of possible riddle-answer pairs or just try basic OCR if there's no static or other "noises" to make the reading harder..
- jiminoc, on 10/12/2007, -0/+7
yes this is brilliant... blind people will be able to have their screen readers describe the logo for them. well done!
(insert sarcasm here)
- rynoon, on 10/12/2007, -0/+5
This defeats the entire purpose of the system. The problem is preventing automated registrations and posting by a large number of bots, simultaneously. If a bot or a group of bots try to register, say 500 times, that means with this system 100 of those registrations would go through and those 100 accounts would be used to spam the website.
You need something a computer can't brute force in five or less tries.
- perfectfire, on 10/12/2007, -0/+4
This has the same weakness as the "find the kitten" captcha. There are a finite amount of logos. You just hire someone for cheap to classify the logos and then feed that info into a computer. Adding more and more logos to fix the problem only costs you more time and money. The whole point of traditional captchas is that they are easily computer generated so that you never generate the same captcha twice.
- neoform, on 10/12/2007, -0/+4
No kidding, there's a reason captchas are hard to read.. that way spammers can't make scripts that dissect and figure them out.. the second you make it "easy" to solve, it suddenly becomes very hackable.
- chillybasen, on 10/12/2007, -0/+4
this still gives robots a 1 in 5 chance of guessing correctly (times 5 tries and we're in). I still prefer KittenAuth :) http://www.thepcspy.com/kittenauth -- captchas do need a facelift though.
- geminitojanus, on 10/12/2007, -0/+3
Using images like this would actually be _easier_ for an OCR system to figure out, as it's pretty easy to compile a database of images from company logos and use them to generate your OCR weights. At least with Captcha systems the OCR system has to guess what the letters are from a set of noise, it's a harder problem to solve.
Captcha systems that use logic are better; shown a triangle inside a box inside a circle, ask the question like "Which geometric shape is nested inside the box?" A set of solutions can be generated by humans, but at least the computer itself couldn't solve the problem with some really creative codework.
- surfing, on 10/12/2007, -0/+3
On a side note, thanks digg for removing the captcha from comments!
- funkytaco, on 10/12/2007, -0/+3
http://us2.php.net/fopen
First one to break this gets a cookie.
All you have to do is fopen the file, search for the image tag, strip off .jpg from the picture and see which radio button option has a closely matching label.
- RichGC, on 10/12/2007, -0/+3
This is so, so, so flawed...
Anything that uses a static set of pictures can easily be bypassed, because it's very easy to do a picture comparison.
Hell, you don't even need to do that, you can just scan the pixels for certain brand 'color' such as coke red, or flickr pink.
Then we have the multiple choice, unless you code a delay in there, a bot can retry the captcha 20 times in a second, and there's good odds that one attempt will be the correct one.
This will only work for as long as it has not been targeted. If you're going to make a captcha, at least spend some time trying to break it.
- tuxidomasx, on 10/12/2007, -0/+3
OCR technology is very advanced.
a good OCR would rip this captcha method a new one
- speaker219, on 10/12/2007, -1/+4
Well isn't that just great. Now it takes bots FOUR TIMES longer to figure it out.
- pumacub, on 10/12/2007, -0/+3
I decided to test this out and ran the logos through the OCR program that comes with Microsoft Office, all the logos were easily converted to text.
- EricAnderton, on 10/12/2007, -0/+3
Maybe that's the "secure" part of this algorithm - if a person can't understand the instructions, then surely a machine won't get it, right?
- joblessjunkie, on 10/12/2007, -0/+2
"Choose the company in the list whereto this logo belongs" ?!?
Most user-friendly text ever!
- pumacub, on 10/12/2007, -0/+2
This is a bad idea. For one, company logos are designed to be easily recognizable. They already have programs to decipher text captchas, if they can do that then this thing would be a piece of cake.
- inactive, on 10/12/2007, -0/+2
Why is this being dugg down?
"Traditional" captchas, where you have to type in 4-8 characters, are much more effective. The odds of getting a 4-character, non-case-sensitive, alphanumeric phrase right are roughly 1 in 1.7 million.
With this system, it's a 1 in 5 chance.
I'm sure this is realized by the author. It's just targeted at a different market, that's all, I suppose.
- Piku, on 10/12/2007, -0/+2
Have you tried HumanAuth? It requires people to choose 3 nature pictures. It also has a watermark and is accessible.
http://www.gigoit.org/humanauth/
- EXreaction, on 10/12/2007, -0/+2
Yep, at the very least they can just randomly guess what it is.
Or since 95% of people that would use it would still use the single default setup, the bot would just always guess the answer to that one...
Plus it could use an OCR to read the image, find out what the name of each of the radio buttons is, and then select that.
Marked as inaccurate as it won't reduce spam (for long, it will surprise them at first, but once one human who builds the bots visits your site it won't work anymore).
And I am quite into Anti-Spam methods for phpBB. ;-)
http://www.phpbb.com/phpBB/viewtopic.php?t=465600
- EricAnderton, on 10/12/2007, -0/+2
Correct. Even if the image name was something inscrutable, like a UUID, then @eleven's comment above still applies. The limited number of possible responses falls well within the range of a dictionary style attack. Just seed the system with human-acquired data, and off you go.
Now if the logos were 'captcha-ized', then *maybe* this would work - but it would hardly be worth the effort, let alone a "new" type of captcha system.
- tuxidomasx, on 10/12/2007, -0/+2
haha. in my captchas, i take out all letters and numbers that could be confused for each other
no S,5,8,B,0,O,1,I(eye),l(elle), i
all gone
sure it reduces the keyspace. but at least the users won't be frustrated. and it's "good enuf" for my needs.
- lostradamus, on 10/12/2007, -0/+2
Wow even more advertising. Why not just a picture of a dog or cat??
- mysticmcj, on 10/12/2007, -1/+2
So, you have to be exposed to and recognize corporate logos to prove you are a person?
That speaks volumes more about the world we live in....
- unloud, on 10/12/2007, -0/+1
Why not just have an index of a lot of pictures of animals and ask the user what kind of animal is displayed?
- Bara, on 10/12/2007, -1/+2
Personally, I don't think it should have the entire name on there either. Perhaps just something like the McDonalds logo: http://courtenaycentral.co.nz/whoshere/mcdonalds/logo_mcdonalds.gif
- doyadigg, on 10/12/2007, -0/+1
I'm getting sick of these captchas. I understand the need, but they are getting too difficult especially when the case of a letter becomes ambiguous. A few weeks ago, my parents and I were trying to order tickets off ticketmaster and it took about 8 tries to get it right. These go way too far in preventing bots from abusing their services. And I have to type my captcha in for digg, and I can't tell if it's a "C" or "c".
- sw17ch, on 10/12/2007, -0/+1
Yes. This is a very good point. If you have a limited number of choices, this means that your chance of being right goes up significantly. In this case, 5 choices. 1/5th of the time the spammer will guess correctly. With a 5 character captcha I think we're dealing with 11881376 options if you ignore letter case. With a 6 character, 308915776 or so options.
- perkonis, on 10/12/2007, -0/+1
The concept isn't bad, but I agree that it is way too easy to circumvent in its current form. With all the stories that have come up lately about image recognition software, I think the bots could probably identify the logo quicker than humans.
- EmmSee, on 10/12/2007, -0/+1
Talk about an easy captcha to crack! Wow.
- heptahedron, on 10/12/2007, -0/+1
Yes, one-in-five doesn't seem like a high hurdle. Worse, the total universe of "recognizable" brandnames isn't that large (perhaps a few hundred?). If this captcha scheme becomes widespread, someone will write an image fingerprint program that recognizes all the common brandnames
- MalDON, on 10/12/2007, -0/+1
And let the lawsuits begin...
- pumacub, on 10/12/2007, -0/+1
Usually the case doesn't matter, although I'm not sure about digg.
- perfectfire, on 10/12/2007, -1/+2
It's being dugg down because it doesn't work. There are a finite amount of images they can show and once they pay a person to classify them all, their system has been defeated. You need something to generate new images each and every time.
- tizz66, on 10/12/2007, -0/+1
It asked me the background colour of the above image. A script would use OCR to realise it's asking for 'background colour' and then it wouldn't take any effort for it to get the background colour (or font colour or whatever was asked for).
As Eleo said, it only hasn't been broken because it's a unique system. Put it on a lot of popular sites, and it'd be very easy to break.
But, I DO like the idea. You need to have some distortion on the images though so that OCR can't easily be used to figure out what the question is asking and what the answer looks like.
- inactive, on 10/12/2007, -0/+1
All captchas can be bypassed with human farming - you just set up a website with something people want, warez, mp3s, porn, whatever, then as a requirement to get in or download the files they want they have to fill in a captcha, which the website has forwarded from another site, the human response is then forwarded back, captcha broken.
- gauthierm, on 10/12/2007, -0/+1
@quantumwraith
Unfortunately, there can only be a limited number of image/name pairs. All a spammer has to do is download all of them, hash the images and store the image hash plus the name in a lookup table.
- Eleo, on 10/12/2007, -0/+1
This is the worst idea ever, considering the limited number of logos. A script would just need to have a database of logos to guess right. It would require less fuzzy logic than pretty much any OCR script in existence. Whoever thought of this didn't think it through well enough.
Also it fails from a usability standpoint because there's no alternative for visually impaired users.
- valkraider, on 10/12/2007, -0/+1
There are captcha systems that *always* fail a couple tries as another defense mechanism.
- raccettura, on 10/12/2007, -0/+1
Don't need to get technical. This is not practical since it uses trademarks. Can't be used without lawyers going after you.
Clever though.
- yahoofrom, on 10/12/2007, -0/+1
who dugg this?
- Lazybones, on 10/12/2007, -0/+1
True to a degree, but that requires the cracker to tie an application to your captcha output. You could randomize the location, name and format of the image output to make that difficult. You could also put a time limit on the images, like they do on VPN security tokens, this would reduce the chance of success from external farming.
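The server-side handling that eleven and Lazybones describe above (an opaque image name, the answer kept in the session, a time limit on each challenge), sketched as an added example that is not part of the thread or of the captcha script under discussion. `ChallengeStore`, `blind_guess_rate` and the 120-second lifetime are assumed names and values.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed value)


class ChallengeStore:
    """Server-side captcha state: the client only ever sees an opaque token."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # token -> (expected answer, expiry time)

    def issue(self, answer):
        # A random token goes into the image URL instead of a descriptive
        # file name such as captcha_microsoft.gif.
        token = secrets.token_urlsafe(16)
        self._pending[token] = (answer, self._clock() + CHALLENGE_TTL)
        return token

    def verify(self, token, response):
        # pop() makes every challenge single-use: a wrong guess burns it,
        # so a retry needs a fresh challenge that can be rate limited.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        answer, expires = entry
        if self._clock() > expires:
            return False  # expired: limits forwarding to outside solvers
        return hmac.compare_digest(answer.encode(), response.encode())


def blind_guess_rate(choices, attempts):
    """Chance that at least one of `attempts` random guesses passes."""
    return 1 - (1 - 1 / choices) ** attempts
```

Opaque single-use tokens stop the file name from leaking the answer, but `blind_guess_rate(5, 5)` is still about 0.67, so a five-option challenge also needs rate limiting or a much larger answer space.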
- Beaver6813, on 10/12/2007, -0/+1
Yeah, I think the best system would be an extremely simple random question from a fairly large database. Stuff like What colour is the grass? a) Blue b) Red c) Green d) Purple or even more simple stuff like What is the first letter in the word Digg? What is 3 x 3?
Would make much more sense, and gets rid of the images.. I hate em, harder to implement in some environments and text readers can't use captcha without giving the game away to the bots.
- jwestbrook, on 10/12/2007, -0/+1
buried as lame, good idea ... lame implementation of said idea.
come back when you have a workable script that is not easy to circumvent
- Eleo, on 10/12/2007, -0/+1
I like your system for its originality, but I think it works mostly because it's not mainstream, not because it's especially difficult to solve.
- rubenito, on 10/12/2007, -0/+0
I don't want to be mean, but this is one of the stupidest things I've seen. I'd call it "when captcha becomes crackable and unusable"....
Buried...
- nlkoenig, on 10/12/2007, -0/+0
Hi everybody,
I've updated the post with a "mea culpa" and some suggestions.
I hope you find the time to read it...
http://www.cclair.nl/blog/category/moderncaptcha/moderncaptcha-when-captcha-meets-usability/
- vanadium77, on 10/12/2007, -1/+1
CAPTCHA is too imperfect to work for too much longer; most all the "innovation" I'm seeing coming up nowadays in CAPTCHA mechanisms decrease not only usability, but are far too convoluted and apt to drive away users.
CAPTCHA is a stopgap for a better solution in the future; it's certainly not the end-all-be-all. Utilizing CAPTCHA as part of a greater anti-spam solution can be done, but alone most implementations are worthless. People should start thinking outside CAPTCHA a bit more to discover other ways of handling the issue. My team and I have come up with a good, effective way of eliminating and auto-banning these bots, but guess what? The moment any good solution is publicized, the bots will eventually and inevitably adapt. The best solutions are proprietary ones in this case, I'm afraid. Spambots simply cannot overcome 100,000 different ways of handling the problem. CAPTCHA (along with its variants) -- because most rely on the same central tenets and mechanisms -- actually make it easier to compromise a system's anti-spam measures, especially if the implementation is weak.
With this solution here, even if they assigned an ID to each of the logos rather than the company names, it still wouldn't be hard to exploit given the exact naming scheme between all the implementations that use it. Eventually, some ass will come up with an identification algo to identify these logos and then what?
Furthermore, what happens on the off-chance a company comes after you for unauthorized use of their logo? Ouch.
It's a nice idea, but I think a new direction needs to be taken.
- gravitas, on 10/12/2007, -0/+0
This is much better www.notonebit.com/projects/killbot/pro/