====== Captcha Design ======

====== Requirements ======

  * Unique
  * Easy to use
    * answer a question or type in a word
    * slicing the image
  * Minimal effort
  * Session time out
  * Hidden web input fields that need to stay blank
  * Mixed-up form labels
  * Invisible fake post buttons and comment boxes, maybe
  * Fake captcha image (hide its display) and a bogus captcha box (turn off its display, move it out of the page, size it to 0, etc.)
  * Maximum number of tries
    * after one failed attempt, you must make two consecutive successful attempts
  * Use an animated GIF for the captcha, with a question

====== Web Research ======

What about just making it hard for spammers to actually submit the comments? Like use different names and order for HTML form elements on every blog? The key enabler for spam is software monoculture.

Notes: after one failed attempt, you must make two consecutive successful attempts. Count the number of images. Have a form field that is hidden by CSS and must stay blank; it will block spam. Call it "email". Be non-descript about your form field titles.

I have a phpbb2 message board that I run and I was getting boatloads of spam. Adding in the default captcha did *not* reduce the spam in the slightest. That is, it was *completely*, 100% broken, contrary to your assertion that it isn't being used in the wild. I ended up adding a single extra required field and that blocks out 99.99% of the spam. I've gotten maybe 2 or 3 spams since implementing it. It's not even a question. And it's not even a picture. It's just a field in the form that says "please type 1234 here". I think the key isn't captcha, per se, but just being different. Security through obscurity in a sense. There's no benefit for some spammer to fix his script to handle my dorky custom web forum. But there's a huge benefit to cracking the default phpbb2 captcha algorithms because most users are going to just use the defaults.
-David
David on October 29, 2006 04:47 PM

  * per-character perturbation
  * characters that overlap
  * noise or lines that overlay and touch the characters

Which re-emphasizes the "researchers are really good, and the attackers really are not" quote.

I wrote a javascript client-side CAPTCHA generator that worked in IE6 and Firefox but gave up on the idea when I heard IE7 was dropping XBM image support but wasn't going to add data:url support, so there's no effective way to handle client side image generation.

How about slicing your CAPTCHA image horizontally into 10 images? It would look the same for a user, but would be another complication for automated attacks. Better still, what about slicing the image and rendering the images out of order, then fixing the ordering via javascript? The javascript would be pretty trivial, but parsing javascript adds a more significant technology hurdle for spammers.

One thing that people seem to miss is that there is no obvious way to automatically determine what image is the captcha image; you would need to test every image on the page.

Also mentioned in the Wikipedia article is the possibility of using a challenge that requires thinking, such as solving a simple math equation or answering a trivia question. While this inevitably isn't totally safe from compromise, it seems at least as good as using the images, and it's nice that it could include virtually everyone.

Maybe even add some "honeypot" form elements (invisible fake post buttons and comment boxes maybe?).

Another thing to do to block bots and improve accessibility is to have them input the same text they put in a previous part of the form (chosen randomly, preferably a required element, i.e. name (on this blog)). And to keep bots even more confused, have the captcha image, except hide it (turn off its display, move it out of the page, size it to 0, etc.) so bots pick up on it and enter wrong info into the captcha box. This method maintains accessibility for all users (since they don't need to read an image or hear a sound bite).

I admit to not having read everything on the page properly, but the thought occurs to me - and my apologies if this is way out of date - would a captcha made from either 1. a fading in and out set of letters (each fading from background colour to a different colour at different rates), an animated gif, or 2. a flash animation with moving characters be a lot more difficult to break?

I wanted a control that meets the following requirements. Easy to use. Only one assembly to reference. Is invisible. Works when javascript is disabled.

The best form of anti-spam is still, in addition to some form of CAPTCHA similarity, image-hotlink protection and image content that is not a word. Three ducks, a dice showing side FIVE, a simple math problem (3+1=?), "Answer in the BLUE box", all doubled up with a full content rotation and a time window. An initial 1-2 minute delay, "Pretend loading", and a 5-7 minute "Page Expired". That kills "BOB" who has a robot load 40 pages while he sits back and answers 40 CAPTCHA codes an hour. (Would require a LOT more effort.)

What's wrong with you commenters?! You completely missed the point of this post. Captcha is not effective because it is unbreakable, it is effective because breaking it requires knowledge and/or computing power. Breaking captcha will increase costs of spamming, thus making spamming unprofitable.
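The Requirements list at the top of this page, and the timing idea in the comments (a minimum delay, then a "page expired" window), as one server-side form check. This is an added example written for this page, not code from any of the quoted commenters or from phpBB: the honeypot field that must come back empty, per-form randomized (non-descript) field names, the minimum delay and expiry window, the hard cap on tries, and the "after one failure, two consecutive successes" rule. The field-name prefixes, the timing constants, the simple-addition challenge and the in-memory session store are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Tunables taken from the design notes on this page (the values are assumptions).
MIN_DELAY = 60      # seconds; anything faster than this is a script, not a reader
MAX_AGE = 420       # seconds; the "page expired" window
MAX_TRIES = 5       # hard cap on answers per issued form


@dataclass
class FormSession:
    issued: float
    honeypot_name: str   # hidden field that must come back empty
    answer_name: str     # field carrying the challenge answer
    comment_name: str    # the real comment field, also non-descript
    question: str = ""
    answer: str = ""
    failures: int = 0    # wrong answers so far
    streak: int = 0      # consecutive correct answers since the last failure
    tries: int = 0


# In-memory store keyed by an opaque token. Assumption: single process; a real
# deployment would keep this in the session backend.
SESSIONS = {}


def _new_challenge(sess):
    """Replace the session's challenge with a fresh single-digit addition."""
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    sess.question = f"What is {a} + {b}?"
    sess.answer = str(a + b)


def issue_form(now=None):
    """Create a form: random token, per-form field names and a challenge."""
    now = time.time() if now is None else now
    sess = FormSession(issued=now,
                       honeypot_name="email_" + secrets.token_hex(4),
                       answer_name="q_" + secrets.token_hex(4),
                       comment_name="f_" + secrets.token_hex(4))
    _new_challenge(sess)
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = sess
    return token, sess


def render_form(token, sess):
    """HTML for the form. The honeypot is pushed off-screen rather than
    disabled, so a bot that fills every input still submits it."""
    return (
        f'<form method="post">\n'
        f'<input type="hidden" name="t" value="{token}">\n'
        f'<div style="position:absolute;left:-9999px"><label>{sess.honeypot_name} '
        f'<input name="{sess.honeypot_name}" tabindex="-1" autocomplete="off"></label></div>\n'
        f'<label>Comment <textarea name="{sess.comment_name}"></textarea></label>\n'
        f'<label>{sess.question} <input name="{sess.answer_name}"></label>\n'
        f'<button type="submit">Post</button>\n</form>'
    )


def check_submission(token, fields, now=None):
    """Validate one POST. Returns (accepted, reason). When the session is
    kept alive after a rejection, the caller re-renders with sess.question."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None:
        return False, "unknown-token"
    sess.tries += 1                       # every POST costs a try, even a fast one
    if sess.tries > MAX_TRIES:
        del SESSIONS[token]
        return False, "too-many-tries"
    age = now - sess.issued
    if age > MAX_AGE:
        del SESSIONS[token]
        return False, "expired"
    if age < MIN_DELAY:
        return False, "too-fast"          # session kept: a human simply waits
    if fields.get(sess.honeypot_name, "") != "":
        del SESSIONS[token]               # only a bot fills the hidden field
        return False, "honeypot"
    if fields.get(sess.answer_name, "").strip() != sess.answer:
        sess.failures += 1
        sess.streak = 0
        _new_challenge(sess)              # never let the same answer be retried
        return False, "wrong-answer"
    sess.streak += 1
    needed = 2 if sess.failures else 1    # one failure => two correct in a row
    if sess.streak < needed:
        _new_challenge(sess)
        return False, "need-another"
    del SESSIONS[token]                   # single use
    return True, "accepted"


if __name__ == "__main__":
    tok, s = issue_form()
    print(render_form(tok, s))
    # Constructed submission: a bot that fills in every field it finds.
    print(check_submission(tok, {s.honeypot_name: "buy now", s.answer_name: s.answer},
                           now=s.issued + 120))
```

Two practical caveats. The honeypot is hidden with off-screen positioning plus `tabindex="-1"` and `autocomplete="off"` because browser autofill will happily populate a `display:none` input named "email" and lock out real users; the label text (here just the field name) should also tell screen-reader users to leave it empty. And because the too-fast path consumes a try, a script that hammers the form during the delay exhausts its budget before the window even opens.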