views:

178

answers:

8

As far as I read from here, the fact is that captchas are not 100% secure. What can be used instead of captcha? As a programmer, what do you think? How do you solve this issue?

Edit: thanks for all answers.

+6  A: 
  • Captcha involving human reflection (like a calculation, a really simple question, and the like).
  • Session tokens
  • Randomly generated hidden input which requires to be null: on the server side, generate a random identifier and keep it in a session for a while. If the input is filled and not null, then it might have been filled by a robot; will your users fill in a hidden input?

I think it really depends on what you are trying to control over the use of captcha.

Boris Guéry
@Boris Guéry thanks, what do you mean by "randomly generated hidden input which requires to be null"?
berkay
I edited my answer.
Boris Guéry
Scripts tend to fill in every input field with some data, although when this prevention technique starts gaining traction, those automated scripts will simply ignore hidden input fields while populating the rest of the form.
Anurag
Then generate two hidden inputs, one which needs to be filled but not the others.
Boris Guéry
@Boris that's clever
Anurag
How were you going to fill that extra hidden input field? Ask the human to handcraft their HTTP POST?
calmh
@calmh the second input field can be linked through JavaScript to any of the visible input fields that has to be filled.
Anurag
@anurag Yes, but JavaScript is no problem for bots. It tends to get executed.
calmh
A: 

Captchas are used to determine that an actual human being is making the request, not a machine. Captchas and captcha-like systems will upgrade, and so will the technology to break them.

So how do you prove that you're talking to a human and not a computer? You could for instance require users to engage in a chat session and have a small conversation. There's no AI nowadays that passes the Turing test.

So the answer is, no system is perfect. Don't try to solve this issue, but try to find a way to reduce the impact of this.

Evert
+7  A: 

This is an unsolved problem, and will become more unsolved as time passes. The better the OCR tools get, the smaller the gap between humans and computers, and the harder it will be to tell them apart. Eventually, computers will be indistinguishable from humans, and then the game will be up.

If your server wants to make sure that a human is at the other end of a TCP pipe, there isn't a Turing test in existence that won't eventually be defeated (and there probably never will be one). CAPTCHA is doomed; it's just a matter of how soon.

Of course, that doesn't mean it's all over as far as human authentication is concerned. It just means that automated Turing tests, as convenient as they are, won't be an effective way to achieve this for very much longer.

Marcelo Cantos
+1 I bet the next hurdle is facial or retinal scans. Most computers have webcams to do this already. The software side may be a little behind.
Anurag
"Eventually, computers will be indistinguishable from humans", yeah... I don't think so. They will get harder to distinguish for a computer, maybe.
hasen j
@hasen j, I think you are missing the point. We are not talking about a cyborg approaching a bank teller. We are talking about an unknown agent at the other end of a TCP pipe that simply has to respond with the right set of bits to convince another machine that it is a human sending those bits. I'm not saying this is an easy problem, but significant progress has been made, and CAPTCHA technology is already beginning to buckle under the strain.
Marcelo Cantos
+5  A: 

Further explanation of a suggestion made by Boris:

randomly generated hidden input which requires to be null

The idea is that your form contains several invisible inputs. Their type should probably not be set to hidden, but they should be invisible to a human (e.g. set width or height to 0). The initial content of these fields should be empty. If a human fills out the form, the field will be empty, because the human cannot see the field in order to enter anything into it; but if a bot fills out the form, the field will (possibly) not be empty, because bots usually just blindly enter something into every field.

Thus, you can distinguish between a bot and a human based on whether the content of this field is empty.

Don
@Don, thanks for making it clear.
berkay
never thought of that, very clever!
vitorbal
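A server-side sketch of the technique Boris and Don describe, combining the per-session random field name, the "must stay empty" honeypot check and the session token from the first answer. This is an added example, not code from any answer on this page; it assumes the application keeps `state` in the user's server-side session and passes the POSTed fields in as a plain dict.

```python
import html
import secrets


def new_form_state():
    """Create per-session state: a random honeypot field name and a form token.
    The field name is random so a bot cannot hard-code which input to skip."""
    return {
        "honeypot": "f_" + secrets.token_hex(8),
        "token": secrets.token_urlsafe(32),
    }


def render_form(state):
    """Render the form. The honeypot is an ordinary text input hidden with CSS
    (not type=hidden), as Don suggests, so blind form-fillers still populate it.
    tabindex=-1 and autocomplete=off keep real users and browsers from touching it."""
    hp = html.escape(state["honeypot"])
    tok = html.escape(state["token"])
    return (
        '<form method="post">\n'
        '  <input type="text" name="comment">\n'
        f'  <input type="text" name="{hp}" style="position:absolute;left:-9999px"'
        ' tabindex="-1" autocomplete="off">\n'
        f'  <input type="hidden" name="token" value="{tok}">\n'
        '  <button type="submit">Post</button>\n'
        '</form>'
    )


def classify_submission(state, form):
    """Return 'accept' or a rejection reason for a submitted form (dict of fields)."""
    sent = form.get("token", "").encode()
    if not secrets.compare_digest(sent, state["token"].encode()):
        return "reject:bad-token"        # no session, or a forged/replayed token
    if form.get(state["honeypot"], "") != "":
        return "reject:honeypot-filled"  # a human cannot see this field; it must be empty
    return "accept"
```

As the later answers on this page point out, this only raises the cost for untargeted bots; a script written for your site will simply learn to leave that field alone.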
A: 

In the long run, governments could run OpenID servers as digital passports for their citizens. It would be a clean way to identify human beings and prevent sockpuppeting.

Christian
Am I the only person that hopes this never happens?
Earlz
Although I agree, I don't see how this solves the problem of bots.
Rook
A: 

At the moment on my website I opted for simple questions. Some questions I've used in the past:

  • What is two to the power of one?
  • What is 2+2? (this one was hacked though so don't use it)
  • What is the name of this website domain?
  • What is the sum of two and two?

Some other nice ones could be

  • type in 'stuff' to this box as a spam check
  • What does 1337 look like? (using only letters)
  • the current year is?
Earlz
Why would anyone use this Turing test over reCAPTCHA?
Rook
@The R the whole point of this question is alternatives to Captchas
Earlz
@Earlz I understand that, but what you are describing is a captcha, or a "Completely Automated Turing test".
Rook
@The R and how is my suggestion different from the other answers here?
Earlz
@Earlz Well, it's different from my answer, and many of the answers here are not good. And this captcha you are suggesting is not good.
Rook
+1  A: 

Although captchas can be broken, captchas only add to security. reCAPTCHA is very good, and a trained OCR like Tesseract is going to have very limited success in breaking it. However, there are outfits that use human computation to break them for pennies. But this makes attacks against your system more expensive, and that's the best you can hope for. Cryptography can be broken with brute force. All password hashes are breakable, but we still use them because it makes it harder for the attacker.

Most of the "solutions" on this thread are "Security Through Obscurity" and you should be wary of these quick fixes to a very complex problem.

Rook
@The Rook, thanks, I like all your security-tag answers.
berkay
A: 

The best way I can think of is using something unconventional, like a special hidden field that should be null (or another specific value) that robots will mess with.

If some robot maker adjusts his robot for your site, you'll have to quickly change the captcha to something different. It will (hopefully) take a good while before another robot maker adjusts his robot for your site.

Basically, it's security through obscurity that has to constantly change to remain obscure.

This won't work very well if someone is specifically targeting your site.

hasen j