12 Replies. Latest reply: Jun 13, 2012 7:39 AM by Tarik :: Creativaholic

    recaptcha?

    kenneth_rapp Community Member

      The captcha being served with my site is not at all secure. Is it possible to integrate recaptcha?

        • 1. Re: recaptcha?
          Liam Dilley CommunityMVP

          Hi Kenneth,

          No, you cannot add another captcha system.

           

          May I ask why you think the BC captcha is not secure?

          • 2. Re: recaptcha?
            kenneth_rapp Community Member

            [Attached image: Untitled.jpg]

             

            This captcha just doesn't seem obscured enough to be effective against software attack. The background is too even and the text is too regular -- although the spacing, font size and position are altered slightly, there still doesn't appear to be any rotation or deformation applied, and like the background, the font color and direction remain constant. Also, it only appears to use letters, no numbers or special characters.

             

            Unless I just haven't found where these settings can be applied or changed as with securimage (and if so I apologize and please point me to them.)

            • 3. Re: recaptcha?
              Liam Dilley CommunityMVP

              OCR screen reader attacks are not that common yet and I do not believe there has been any verified and confirmed breaking of the current captcha version.

               

              Added to that, if you view the source there is also a honeypot method implemented as part of that captcha. If you used the Firefox add-on developer toolbar now and tried to auto-fill a form, the form would not submit.

              Further to that, the form action has had a number of improvements to verify things like location, referrer, etc. as well.

               

              You can also modify and change the background colour and text colour if you wish:
              http://kb.worldsecuresystems.com/478/bc_478.html#main_Adding_an_Image_Verification__CAPTCHA__field
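
Added example, not part of the original thread and not Business Catalyst's actual implementation: a server-side version of the honeypot and referrer checks mentioned in reply 3. The field name, allowed host and sample submissions are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical names: these are not Business Catalyst's real field or host.
HONEYPOT_FIELD = "website_url"        # hidden with CSS, so humans leave it empty
ALLOWED_HOSTS = {"www.example.com"}   # constructed host that serves the form


def check_submission(form, headers):
    """Return (accepted, reason) for one form POST."""
    # 1. Honeypot: any value at all means an auto-filler touched the field.
    if form.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot field filled"

    # 2. Referrer: must be present and point at our own site.
    referer = headers.get("Referer", "")
    if not referer:
        return False, "missing referer"
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False, "bad referer scheme"
    # Compare the parsed hostname exactly; a substring test would accept
    # look-alikes such as "www.example.com.evil.test".
    if parts.hostname not in ALLOWED_HOSTS:
        return False, "foreign referer"

    return True, "ok"


# Constructed sample submissions: (form fields, request headers).
SAMPLES = [
    ({"name": "Ann", "website_url": ""},
     {"Referer": "https://www.example.com/contact"}),
    ({"name": "bot", "website_url": "http://spam.test"},
     {"Referer": "https://www.example.com/contact"}),
    ({"name": "bot", "website_url": ""}, {}),
    ({"name": "bot", "website_url": ""},
     {"Referer": "https://www.example.com.evil.test/contact"}),
]


def classify_samples():
    """Run every constructed sample through the checks; return the reasons."""
    return [check_submission(form, headers)[1] for form, headers in SAMPLES]


if __name__ == "__main__":
    for reason in classify_samples():
        print(reason)
```

A scripted client can leave the honeypot empty and send any Referer header it likes, so these checks only filter unsophisticated bots and belong alongside the captcha rather than in place of it. Some privacy-conscious browsers strip the Referer header, so rejecting on a missing header can also block real users.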

              • 4. Re: recaptcha?
                dft-au Community Member

                I'd be interested to know how much is getting through. For the amount of sites we have that use the BC Captcha it does a tremendous job at keeping things at bay.

                 

                If you want to obscure it a bit more you could always change the text/background colours to something that's a bit harder to read, but it doesn't make it so usable for users:

                 

                http://www.directfusion.com.au/_blog/Resources/post/Captcha_Image_Colours/

                • 5. Re: recaptcha?
                  Liam Dilley CommunityMVP

                  I also just personally hate captcha that is too hard to read, puts me off filling in the form.

                  • 6. Re: recaptcha?
                    kenneth_rapp Community Member

                    LiamDilley wrote:

                     

                    I also just personally hate captcha that is too hard to read, puts me off filling in the form.

                     

                    That is kind of supposed to be the idea...

                     

                    But I guess if it works it works... it just looks too easy. I would rather bother people a bit more if it means fewer bots get through.

                    • 7. Re: recaptcha?
                      Liam Dilley CommunityMVP

                      Not the case Kenneth,

                      Everyone hates them and the sites that do not have them and use other methods are a godsend.

                      4 nice images - "Select the cat", for example - are other methods, which are far nicer to use and are foolproof.

                       

                      Because it is hard for the user does not make it more secure though.

                      • 8. Re: recaptcha?
                        kenneth_rapp Community Member

                        LiamDilley wrote:

                         

                        Not the case Kenneth,

                        Everyone hates them and the sites that do not have them and use other methods are a godsend.

                        4 nice images - "Select the cat", for example - are other methods, which are far nicer to use and are foolproof.

                         

                        Keycaptcha's supposed to be good as well (where you assemble an image like a puzzle,) but I can't imagine people putting up with it after the novelty wears off. 

                         

                        LiamDilley wrote:

                        Because it is hard for the user does not make it more secure though.

                         

                        Correct Battery Horse Staple.

                        • 9. Re: recaptcha?
                          FriscoTX Community Member

                          Hard to find anything 100% -- and doing something on a web form to make sure a human is responding will fail if... a human responds.

                           

                          New York Times had an article a couple of years ago about spammers paying people in super-poor areas to view and respond to the CAPTCHAs... see http://txzz.com/7f -- excerpt below:

                           

                          "Sophisticated spammers are paying people in India, Bangladesh, China and other developing countries to tackle the simple tests known as captchas, which ask Web users to type in a string of semiobscured characters to prove they are human beings and not spam-generating robots.

                          The going rate for the work ranges from 80 cents to $1.20 for each 1,000 deciphered boxes, according to online exchanges like Freelancer.com, where dozens of such projects are bid on every week."

                          • 10. Re: recaptcha?
                            Tarik :: Creativaholic MeganK

                            Agree with FriscoTX, there is no 100% fully proofed spam protection. The captcha is made for lazy spammers and robotic spam applications.

                             

                            The only solution and REALLY ONLY which is a Million% fully proofed is to HOPE that you don't get a lot of spam.

                            • 11. Re: recaptcha?
                              kenneth_rapp Community Member

                              You're right, but it not being foolproof is no reason to consider it effective. The problems (at least, what I consider problems) I listed earlier have been added to captchas for a reason - specifically to throw off ever more capable OCR readers and bots. I mean this is obsolete but apparently it could defeat more difficult captchas than BC's.

                               

                              I'm just suggesting that if there is a captcha, it should at least have some options (besides the background color) that might make it more progressive. Otherwise it only works against people who aren't trying to break it (while being easy for those who are.)

                              • 12. Re: recaptcha?
                                Tarik :: Creativaholic MeganK

                                I'm not disagreeing with you at all, I'm just saying that there isn't a 100% accurate and secure way. I can even confirm my agreement with you in this subject, because from the captcha problem, it leads to this issue:

                                 

                                http://forums.adobe.com/message/4458157#4458157

                                 

                                I suggested a few times to use captcha to stop getting Adobe's servers blacklisted, but probably the issue comes from the weakness of the captcha in the first place.