WebAIM - Web Accessibility In Mind

E-mail List Archives

Thread: CAPTCHA alternatives for commercial product?


Number of posts in this thread: 3 (In chronological order)

From: Christian Heilmann
Date: Tue, Dec 13 2005 9:00AM
Subject: CAPTCHA alternatives for commercial product?

Right now I am working on a project that will be a paypal-esque
financial application, and of course security is a big issue with this
one.
We had a great meeting talking about security measures that could be
added to the forms to ensure that only real users will be able to
log-in.
I collected the ones I could think of based on the W3C whitepaper and
own experiences and this is the list with pro and contra for each of
them:

1) CAPTCHA http://www.captcha.net/
This method generates imagery with distorted words which the user is
asked to enter.
The most common method is using GIMPY or .NET/Java alternatives:
http://www.captcha.net/cgi-bin/gimpy

Pros:
- Easy to implement
- Common control in Frameworks
Contras:
- hard to read for visitors with impaired vision
- impossible to use for blind visitors
- Heavy on server traffic / resources
- Already cracked by some scripts:
o http://www.cs.sfu.ca/~mori/research/gimpy/
o http://sam.zoy.org/pwntcha/

Another, more clever version is ESP-PIX which uses a logical
connection of images and text
http://gs264.sp.cs.cmu.edu/cgi-bin/esp-pix

Pros:
- Uncracked to date, not counting social engineering [1]
- Relatively easy to implement
- Localisation easier if the images are universally known
Contras:
- impossible to use for blind visitors
- Heavy on server traffic / resources

Lastly another CAPTCHA is ESP-TEXT which uses an image with several
words and imagery
http://www.captcha.net/cgi-bin/esp-text

Pros:
- Uncracked, not counting social engineering [1]
Contras:
- hard to read for visitors with impaired vision
- impossible to use for blind visitors
- Heavy on server traffic / resources
2) Logical Puzzles / Multiple choice questions
These are multiple choice questions that change the question and the
order of answers on every reload of the page. The questions need to be
easy, and only understandable by a human:

Which of the following is a bird:

From: Austin, Darrel
Date: Tue, Dec 13 2005 9:40AM
Subject: RE: CAPTCHA alternatives for commercial product?


> We had a great meeting talking about security measures that
> could be added to the forms to ensure that only real users
> will be able to log-in.

Wouldn't adequate username/pwds be enough for that?

Captchas are really only useful for preventing automated responses to
non-password protected forms.

The traditional captcha...an image with distorted text...is a pain in
the ass for even fully sighted folks. (IMHO, of course). Personally,
captchas make the user experience worse, not better.

*If* one must have a captcha, I'd use a very simple text-based one:

- enter the letter 'd':
- type the number one:
- what's the first letter of the alphabet:

Etc.

These are like your logic ones, but are even simpler than that.
After all, a captcha is just to see if a person is a human.

These would be the most accessible (albeit there might be some language
issues and/or cognitive comprehension issues).

I've also read a little bit about human-tests that don't require any
human input. These are typically used to prevent blog comment spam and
consist of passing random querystrings or hidden text fields. Not sure
if that would apply outside of the context of blog commenting, though.

Personally, I don't consider captchas a form of security, as any human
can 'crack' it anyways.

> 5) Multi - channel distribution
> This involves sending the user an SMS to confirm or ask him
> to call a hotline to confirm his identity

That would be real security, and I'd group that in a different category
than the captchas.

-Darrel
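The two posts above describe the same building blocks from different angles: Christian's rotating logic puzzle and Darrel's simple text question, plus the hidden-field and random-querystring tricks used against comment spam. The following is an added example written for this archive page, not code from either poster or from WebAIM. It assumes a server holding one secret key, a form posted as a plain field dictionary, and a hypothetical question list; the challenge token is HMAC-signed and carries its own expiry, so the server needs no session state to check the reply, and a hidden honeypot field catches bots that fill in every input.

```python
"""Stateless human-check for a web form: signed question challenge + honeypot.

Added example for the WebAIM thread; not from either poster. Assumptions:
one server-side secret, forms arrive as dicts of strings, answers are short text.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed secret for this demo; a real deployment loads it from configuration.
SERVER_SECRET = b"demo-secret-key-change-me"

# Hypothetical question list in the spirit of the thread (simple, human-readable).
QUESTIONS = [
    ("What is the first letter of the alphabet?", "a"),
    ("Type the number one:", "1"),
    ("Enter the letter d:", "d"),
    ("Which of these is a bird: cat, sparrow, or carrot?", "sparrow"),
]

HONEYPOT_FIELD = "website_url"   # hidden via CSS; real users leave it empty
CHALLENGE_TTL = 300              # seconds a challenge stays valid

_used_nonces = set()             # in-memory replay guard (use a store with expiry in production)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload):
    return _b64(hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest())


def issue_challenge(question_index=None, now=None):
    """Pick a question and return its prompt plus a signed, expiring token.

    The token holds only the question index, a nonce and the expiry time; the
    expected answer never leaves the server, and nothing is stored per visitor.
    """
    now = time.time() if now is None else now
    if question_index is None:
        question_index = secrets.randbelow(len(QUESTIONS))
    payload = json.dumps(
        {"q": question_index, "n": secrets.token_hex(8), "exp": int(now + CHALLENGE_TTL)},
        separators=(",", ":"),
    ).encode()
    token = _b64(payload) + "." + _sign(payload)
    return {"prompt": QUESTIONS[question_index][0], "token": token, "honeypot": HONEYPOT_FIELD}


def verify_submission(form, now=None):
    """Check a posted form dict. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    # 1. Honeypot: an automated poster that fills every field gives itself away.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"
    # 2. Token integrity: structure and HMAC must both be intact.
    token = form.get("challenge_token", "")
    try:
        payload_b64, sig = token.split(".", 1)
        payload = _unb64(payload_b64)
    except (ValueError, binascii.Error):
        return False, "bad_token"
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad_signature"
    fields = json.loads(payload)
    # 3. Freshness and single use of the challenge.
    if now > fields["exp"]:
        return False, "expired"
    if fields["n"] in _used_nonces:
        return False, "replayed"
    # 4. The answer itself, compared case-insensitively in constant time.
    expected = QUESTIONS[fields["q"]][1]
    given = form.get("challenge_answer", "").strip().lower()
    if not hmac.compare_digest(given.encode(), expected.encode()):
        return False, "wrong_answer"
    _used_nonces.add(fields["n"])
    return True, "ok"


if __name__ == "__main__":
    challenge = issue_challenge()
    print(challenge["prompt"])
    # A human would type the answer; here we simulate a correct reply.
    answer = dict(QUESTIONS)[challenge["prompt"]]
    print(verify_submission({"challenge_token": challenge["token"], "challenge_answer": answer}))
```

The honeypot and token checks are ordered so that the cheapest rejections come first and a failed answer does not consume the nonce, letting a genuine user retry the same challenge within its lifetime. As Darrel notes, none of this is authentication; it only raises the cost of automated form posting, and the question list should be treated as public.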




From: Robinson, Norman B - Washington, DC
Date: Tue, Dec 13 2005 10:20AM
Subject: RE: CAPTCHA alternatives for commercial product?


Christian Heilmann mentioned CAPTCHA alternatives for commercial
products and along with posting lots of pros and cons of each approach
asked "Anything I forgot?"

Christian,

In your research you may be interested in viewing the URL
http://sam.zoy.org/pwntcha/ if you haven't already done so.

Regards,


Norman B. Robinson