WebAIM - Web Accessibility In Mind

E-mail List Archives

CAPTCHA alternatives for commercial product?

From: Christian Heilmann
Date: Dec 13, 2005 9:00AM


Right now I am working on a project that will be a PayPal-esque
financial application, and of course security is a big issue with this
one.
We had a great meeting talking about security measures that could be
added to the forms to ensure that only real users will be able to
log-in.
I collected the ones I could think of based on the W3C whitepaper and
my own experiences, and this is the list with pros and contras for each
of them:

1) CAPTCHA http://www.captcha.net/
This method generates imagery with distorted words which the user is
asked to enter.
The most common method is using GIMPY or .NET/Java alternatives:
http://www.captcha.net/cgi-bin/gimpy

Pros:
- Easy to implement
- Common control in Frameworks
Contras:
- hard to read for visitors with impaired vision
- impossible to use for blind visitors
- Heavy on server traffic / resources
- Already cracked by some scripts:
o http://www.cs.sfu.ca/~mori/research/gimpy/
o http://sam.zoy.org/pwntcha/

Another, more clever version is ESP-PIX which uses a logical
connection of images and text
http://gs264.sp.cs.cmu.edu/cgi-bin/esp-pix

Pros:
- Uncracked to date, not counting social engineering [1]
- Relatively easy to implement
- Localisation easier if the images are universally known
Contras:
- impossible to use for blind visitors
- Heavy on server traffic / resources

Lastly another CAPTCHA is ESP-TEXT which uses an image with several
words and imagery
http://www.captcha.net/cgi-bin/esp-text

Pros:
- Uncracked, not counting social engineering [1]
Contras:
- hard to read for visitors with impaired vision
- impossible to use for blind visitors
- Heavy on server traffic / resources

2) Logical Puzzles / Multiple choice questions
These are multiple choice questions that change the question and the
order of answers on every reload of the page. The questions need to be
easy, and only understandable by a human:

Which of the following is a bird: