from Hacker News

How not to design a CAPTCHA

by DrewHintz on 7/12/11, 6:02 PM with 88 comments

  • by Slackwise on 7/12/11, 6:45 PM

    I work in medical IT. You'd be surprised how many government sites do similar.

    An example would be https://sso.state.mi.us/som/dch/enroll/reg_page1.jsp (You can enter any fake name/email, this is only step one of the registration script. The next page has the captcha in question.)

    The captcha is plaintext, right on the page. The data from the captcha isn't even sent to the server, it is processed locally via JavaScript.

    So, the bots don't even have to do anything, but humans have to input a meaningless number...

        <!-- The text field the human is asked to fill in -->
        <input type="text" name="inputNumber" class="entry-field" size="5" tabindex="3">

        <!-- ... -->

        // str already holds the number. It is written into the page three times:
        // as visible text, in the image URL's query string, and in a hidden field.
        document.write('<div id="layerNum" class="verifyNumber" align="center">');
        document.write('<b>'+str+'</b>');
        document.write('<img src="generateGIF.jsp?number='+str+'">');
        document.write('</div>');
        document.write('<input size="5" type="hidden" name="rdNumber"  value="'+str+'">');

        <!-- ... -->

        <!-- Submission is gated only by the browser-side Valid() -->
        <input type="submit" value="Continue" name="submit" onclick="return Valid();">

        <!-- ... -->

        function Valid(){
        // ...
                if(chkRandomNumber()){
                  return true;
                }else{
                  return false;
                }
        // ...
        }

        // Compares the hidden field against what was typed, entirely in the browser.
        function chkRandomNumber(){
          str1=document.all.rdNumber.value;
          str2=document.all.inputNumber.value;
          if(str1!=str2){
            alert("Please check and type the number as shown in the box");
            return false;
          }else{
            return true;
          }
        }

  • by sthatipamala on 7/12/11, 6:53 PM

    Completely OT: I find it interesting that this post and several other HN posts this week are hosted on Google Plus. I definitely would not have predicted that G+ would encroach on the LiveJournal/Tumblr space.

  • by yid on 7/12/11, 7:30 PM

    If anyone ever wondered what the phrase "cargo cult science" referred to, this is a prime example. They're going through all the motions, but sadly their understanding of the universe is gratuitously flawed.
  • by RyanMcGreal on 7/12/11, 7:13 PM

    On a site I administer that used to be deluged in spam, I managed to eliminate it with a three-pass filter:

    1. Simple mathematical question, e.g. "What do you get if you add five and three?" Answer is processed on the server.

    2. Hidden form field that is supposed to remain blank.

    3. Blacklist of common spam words.

  • by alexitosrv on 7/13/11, 12:12 AM

    If you are into this, you might find this review of a paper from Googlers on a CAPTCHA design, in which humans are asked to select the right image rotation, interesting: http://glinden.blogspot.com/2009/05/exploiting-spammers-to-m...

    As always, one of the most interesting parts of truly great CAPTCHA systems is that they advance the state of the art in image recognition. But on the other hand we still have scams like this, and no real solutions.

  • by ghurlman on 7/12/11, 6:29 PM

    Sony... some part of me had really hoped that they would overreact to the hacking movement against them, and lock themselves down like Ft. Knox.

    Instead, it would seem they're taking the "we'll get hacked anyway, so let's not waste our time" approach.

  • by adamtulinius on 7/12/11, 6:43 PM

    A few years ago, or so I think, people went all crazy talking about a replacement for CAPTCHAs: show a range of images, and make the user pick the image described by a block of text.

    How come nobody adopted that approach?

  • by desaiguddu on 7/13/11, 3:59 AM

    Need help open sourcing the CAPTCHA research project. I have covered a few points of CAPTCHA design in my presentation.

    Here is my CAPTCHA research paper:

    http://news.ycombinator.org/item?id=2754436

    http://www.slideshare.net/desaiguddu/drag-and-drop-captcha-a...

  • by mixmastamyk on 7/12/11, 11:44 PM

    Jesus, rootkits, PSN, and now plaintext CAPTCHAs ... the dev/IT clowns at Sony need to be fired en masse.

  • by dfc on 7/13/11, 2:51 PM

    On the subject of terrible captcha systems. I found the following gem while looking for OSS games for linux:

    "You are born into WHAT? (answer is one english word)"* [1]

    It is not entirely clear to me what the expected answer is. A Google search for "you are born into" does not return any answer that is clearly correct. If I had to guess I would go with "sin", but I am hoping that nobody would be so ignorant as to design a captcha system that assumes a certain cultural/religious background.

    [1] http://garden.sourceforge.net/drupal/?q=image/tid/3

  • by snorkel on 7/13/11, 11:39 AM

    What about just asking the user "Why would a benevolent God allow evil to exist?" and then the server checks if the answer mentions "freewill"

  • by Turing_Machine on 7/12/11, 6:32 PM

    A slightly less clueless (but still clueless) approach to CAPTCHA design is to 1) make the CAPTCHA case-sensitive, 2) use letters for which the lower-case representation is very similar to upper-case, and/or use both zero and the letter O, 1 and the letter l, and so on, 3) use an image munging algorithm that makes it next to impossible to disambiguate the cases in 2).

  • by Kwpolska on 7/13/11, 11:31 AM

    DON'T use a bloody CAPTCHA.

  • by rlf on 7/12/11, 8:25 PM

    I can't believe Google is criticizing how Sony does CAPTCHAs when I've been complaining for years about how difficult Google's are to read. But as to their point, based on Sony's recent security issues, it doesn't sound like Sony has a very good IT department.