Sunday, March 09, 2008

CAPTCHA Is Broken?

Says this article: CAPTCHA is Dead, Long Live CAPTCHA!

The most reliable CAPTCHA implementations were announced to have been defeated.

I don't know much about CAPTCHA, but couldn't they somehow mimic the "salting" done in password hashing? Maybe split the CAPTCHA images into random partitions: "gh9p3845", for example, could be posted as two images with "gh9" and "p3845", or maybe even four partitions with "gh" + "9" + "p38" + "45" or, better yet, one image per letter. What's important is that the partitioning is random.

The article suggests "Distinguish pictures of dogs from cats". Since this might boil down to something like a multiple-choice question, a bot could simply get lucky. I'm thinking we could extend the salting to use a picture: CAPTCHA phrase "lk2s" + dog picture + some instructions saying it should be typed as "lkDOG2s".
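To make the proposal concrete, here is a server-side sketch of both ideas from the post, the randomly partitioned phrase and the "type the animal's name into the phrase" variant. This is an added example, not code from the original post; image rendering is out of scope (each piece would be rendered as its own image), and the function names, the `ANIMALS` tuple and the sample phrases are assumptions made for this example.

```python
"""Added example: a random-partition CAPTCHA challenge with an inserted
animal token, as described in the post. Names and sample data are assumed."""
import hmac
import random

# Constructed sample data for the example: which pictures the server can show.
ANIMALS = ("dog", "cat")


def random_partition(phrase, rng=None):
    """Split `phrase` into contiguous, non-empty pieces, cutting between any
    two characters with probability 1/2. The extreme cases are a single piece
    (no cuts) and one piece per character (a cut everywhere)."""
    rng = rng or random.SystemRandom()
    pieces, start = [], 0
    for i in range(1, len(phrase)):
        if rng.random() < 0.5:
            pieces.append(phrase[start:i])
            start = i
    pieces.append(phrase[start:])
    return pieces


def build_challenge(phrase, rng=None, animals=ANIMALS):
    """Build one challenge: the phrase is partitioned into pieces (each to be
    rendered as a separate image) and an animal picture is shown with an
    instruction to type its name, in capitals, after a random character
    position. For phrase "lk2s", a dog and position 2 the expected answer is
    "lkDOG2s". Only `pieces`, `animal` and `instruction` are sent to the
    client; `expected` stays in the server-side session."""
    rng = rng or random.SystemRandom()
    position = rng.randrange(0, len(phrase) + 1)
    animal = rng.choice(animals)
    expected = phrase[:position] + animal.upper() + phrase[position:]
    return {
        "pieces": random_partition(phrase, rng),   # shown as separate images
        "animal": animal,                          # which picture to show
        "instruction": (
            "Type the characters shown in the images and insert the name of "
            f"the animal, in capitals, after character {position}."
        ),
        "expected": expected,                      # server-side only
    }


def verify_answer(challenge, answer):
    """Compare the submitted answer with the stored expectation in constant
    time, so the comparison itself leaks nothing about the expected string."""
    return hmac.compare_digest(answer.strip().encode(),
                               challenge["expected"].encode())


if __name__ == "__main__":
    challenge = build_challenge("lk2s")
    print("pieces:", challenge["pieces"])
    print("picture:", challenge["animal"], "|", challenge["instruction"])
    print("accepts expected answer:", verify_answer(challenge, challenge["expected"]))
```

Two design points worth noting. The expected answer is never sent to the client and is compared with `hmac.compare_digest`, so a submitted guess learns nothing from timing. And the random split changes only how the same characters are presented: the verifier still accepts their concatenation, so the scheme's strength rests on the images themselves being hard to read by machine, not on the split.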


1 comment:

jem said...

from the intarweb'z immense collections of lolcats, show a random image with text, have the user convert text into a random number of formats (normal language, l33tsp33k, etc), and ask the user to determine which animal is portrayed (cats, dogs, lolruses, etc).

the image database is huge, the principle builds on the suggestions stated, and it's fun. win-win.