E-mail List Archives

You are here: Home > Community > E-mail List Archives > View Message

CAPTCHA alternatives for commercial product?

From: Christian Heilmann
Date: Dec 13, 2005 9:00AM

Next message: Austin, Darrel: "RE: CAPTCHA alternatives for commercial product?"
Previous message: Robinson, Norman B - Washington, DC: "RE: CAPTCHA alternatives for commercial product?"
Next message in Thread: Austin, Darrel: "RE: CAPTCHA alternatives for commercial product?"
Previous message in Thread: None
View all messages in this Thread

Right now I am working on a project that will be a paypal-esque
financial application, and of course security is a big issue with this
one.
We had a great meeting talking about security measures that could be
added to the forms to ensure that only real users will be able to
log-in.
I collected the ones I could think of based on the W3C whitepaper and
own experiences and this is the list with pro and contra for each of
them:

1) CAPTCHA http://www.captcha.net/
This method generates imagery with distorted words which the user is
asked to enter.
The most common method it using GIMPY or .NET/Java alternatives:
http://www.captcha.net/cgi-bin/gimpy

Pros:
- Easy to implement
- Common control in Frameworks
Contras:
- hard to read for visitors with impaired vision
- impossible to use for blind visitors
- Heavy on server traffic / resources
- Already cracked by some scripts:
o http://www.cs.sfu.ca/~mori/research/gimpy/
o http://sam.zoy.org/pwntcha/

An other, more clever version is ESP-PIX which uses a logical
connection of images and text
http://gs264.sp.cs.cmu.edu/cgi-bin/esp-pix

Pros:
- Uncracked to date, not counting social engineering [1]
- Relatively easy to implement
- Localisation easier if the images are universally known
Contras
- impossible to use for blind visitors
- Heavy on server traffic / resources

Lastly another CAPTCHA is ESP-TEXT which uses an image with several
words and imagery
http://www.captcha.net/cgi-bin/esp-text

Pros
- Uncracked, not counting social engineering [1]
Contras:
- hard to read for visitors with impaired vision
- impossible to use for blind visitors
- Heavy on server traffic / resources
-
2) Logical Puzzles / Multiple choice questions
These are multiple choice questions that change the question and the
order of answers on every reload of the page. The questions need to be
easy, and only understandable by a human:

Which of the following is a bird:

Next message: Austin, Darrel: "RE: CAPTCHA alternatives for commercial product?"
Previous message: Robinson, Norman B - Washington, DC: "RE: CAPTCHA alternatives for commercial product?"
Next message in Thread: Austin, Darrel: "RE: CAPTCHA alternatives for commercial product?"
Previous message in Thread: None
View all messages in this Thread