Difficult readable captcha code

There is no reason for me to take it back at all. A well designed strong captcha can be used by as many people as a weak captcha. A poorly designed strong captcha will result in fewer people being able to use it.

That’s like me saying I am 99% sure it is correct and please, please give me proof that it isn’t :slight_smile:

I can’t give you commercial examples of my captchas because all my clients’ commercial websites have a link back to my personal website where I have my photo and identity. For obvious reasons I am not going to reveal my identity, directly or indirectly, in forums like this.

Your request for proof could also be interpreted as a sly attempt to get some free captcha code which you could then do whatever you like with if you wanted to. I don’t see any point in providing free captcha generating code when you might be able to write your own or at least look for some on the www yourself.

The bottom line here is - if you don’t believe anything I post, that’s fine :).

I certainly don’t believe everything I read in forums like this either :smiley:

Breaking an image CAPTCHA is far simpler than working out the relevant time interval so as to work around it (particularly when the time interval used is going to effectively prevent their getting around it even if they do work out the interval).

In most cases the bot will not even consider the possibility that there is a time interval to work around - it would take a real person analysing the site to have any chance at all to do that and they’d need to run manual tests of their own on the site in order to work out if there is a time delay built in and what period it is set to. Only a real person can break a time interval check whereas a bot might be able to break an image CAPTCHA without prior human intervention.

Even your statement itself agrees that a timeout requires a real person to break it and so makes an excellent “Completely Automated Public Turing test to tell Computers and Humans Apart” (or CAPTCHA for short) since bots are not someone.

As 99.99999% of bots are not targeted against a specific site, anything out of the ordinary that you use can defeat most bots if it is something that the bot isn’t set up in advance to handle.

For someone to be able to figure out that you are using a time interval delay and then run the tests to work out what that delay is and then build a bot to make an automated attack against your site would mean that you have the very rare situation of someone specifically targeting your site rather than the web in general. Presumably that means that they are going to be able to steal millions of dollars or something of equivalent magnitude if they do manage to bypass your CAPTCHA.
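A server-side sketch of the time interval check discussed in the post above, added here as an illustration and not code from anyone in the thread. The hidden-field token format, `SECRET_KEY`, and the `MIN_SECONDS` and `MAX_SECONDS` values are assumptions.

```python
import hashlib
import hmac

# Assumed values for this sketch; none of them come from the thread.
SECRET_KEY = b"replace-with-a-random-server-side-secret"
MIN_SECONDS = 5        # faster than a person can read and fill in the form
MAX_SECONDS = 30 * 60  # old tokens cannot be stockpiled and replayed later


def _sign(form_id: str, issued_at: int) -> bytes:
    """HMAC over the form name and render time, so neither can be edited."""
    msg = f"{form_id}:{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(form_id: str, now: float) -> str:
    """Value for a hidden field, generated when the form is rendered."""
    issued_at = int(now)
    return f"{issued_at}.{_sign(form_id, issued_at).decode()}"


def check_submission(form_id: str, token: str, now: float) -> str:
    """Return 'ok' or the reason the submission is rejected."""
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
        sig_bytes = sig.encode("ascii")
    except ValueError:
        return "malformed"
    # Constant-time comparison; fails if the timestamp or form name was changed.
    if not hmac.compare_digest(sig_bytes, _sign(form_id, issued_at)):
        return "bad-signature"
    elapsed = now - issued_at
    if elapsed < MIN_SECONDS:
        return "too-fast"
    if elapsed > MAX_SECONDS:
        return "expired"
    return "ok"
```

Because the render time is signed rather than trusted from the client, a submitter cannot shorten the wait by editing the hidden field; the only way through is to actually wait out the interval.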

I’ve built my own captcha based on the information in the link I posted earlier.

I steer away from using time outs because if someone is determined to break through a time out, they can work out what the relevant time intervals are and then code to get around them.

I use captchas only on email and registration forms, not on login forms. On login forms I lock the user out after 3 failed login attempts.

@kalon, excellent article. I’m not a fan of captchas and near the end of the article they pointed out a usability issue I never considered: what happens if someone has an Arabic keyboard?
Anyway, great read, thanks.

I’m not sure why you want code of a bad or difficult to read captcha, but if you’re considering building your own captcha, this imho is a very good read on what makes a good captcha.

no code is here :open_mouth:

I was reading through this captcha thread and I see you argue against visual captchas and yet you use one on your contact form (I assume it’s yours).

What I find really puzzling is that even if you use a visual captcha, the one you are using is very weak and totally useless against anyone who wanted to break it and knew what they were doing.

I downloaded a captcha image from the above contact form (see “before” attachment) and then reduced the threshold level in the image down to 1 and the test characters were reduced to an easily readable and programmatically findable black on white (see “after” attachment). The “after” image clearly shows the test characters to be dc036.

Once a malicious programmer can reduce a visual captcha to 2 colours like in this case, it becomes a trivial task to programmatically find and decode the test characters, especially when they are in the same location every time.

A strong visual captcha will have at least a significant portion of the test characters disappear as well as the background “noise” as the threshold is reduced.

My recommendation would be to either practise what you preach and not use visual captchas or at least use a strong one.

The attachments show a much stronger visual captcha.

The aim of reducing thresholds on the image (from the hacker’s point of view) is to remove any background/foreground “noise” and leave just the test characters as black on white as I did on the actual captcha in the previous post. As I mentioned in the previous post, a strong captcha will also result in at least a significant portion of the test characters being removed as the threshold is reduced.

From left to right are the original captcha image followed by the image as the threshold is reduced to 200, 170, 160, 140.

You will see that as the threshold is reduced to eliminate the “noise”, more and more of the test characters are being removed as well and at 140 all of the characters have been removed and there is still some background noise left over which hasn’t been removed yet.

To help make a captcha even stronger you can position the test characters so that their locations overlap with each other slightly, making it more difficult to programmatically determine where the characters are.
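A self-test for the threshold property described in the posts above, added here as an example and not code from the thread: someone generating their own captcha knows which pixels are glyph ink, so they can measure whether any threshold keeps the characters while dropping the noise. The mask, the intensity palettes and the 0.9/0.1 cut-offs are constructed assumptions.

```python
from itertools import cycle

# Constructed 8-bit grayscale test data (0 = black, 255 = white); not a real captcha.
MASK = ["#####.....", ".....#####"]  # '#' = pixel the generator drew as glyph ink
BACKGROUND = 255


def render(glyph_values, noise_values):
    """Fill glyph and non-glyph pixels from the given intensity palettes."""
    g, n = cycle(glyph_values), cycle(noise_values)
    return [[next(g) if c == "#" else next(n) for c in row] for row in MASK]


def split(image, mask):
    """Separate pixel values into glyph ink and noise ink using the known mask."""
    glyph, noise = [], []
    for img_row, mask_row in zip(image, mask):
        for value, m in zip(img_row, mask_row):
            if m == "#":
                glyph.append(value)
            elif value < BACKGROUND:
                noise.append(value)
    return glyph, noise


def survival(values, threshold):
    """Fraction of pixels that stay black when binarised at `threshold`."""
    return sum(v < threshold for v in values) / len(values)


def separating_thresholds(glyph, noise, keep=0.9, leak=0.1):
    """Thresholds that keep >= `keep` of the glyph ink and <= `leak` of the noise."""
    return [t for t in range(1, 256)
            if survival(glyph, t) >= keep and survival(noise, t) <= leak]


def sweep(glyph, noise, thresholds=(200, 170, 160, 140)):
    """(threshold, glyph kept, noise kept) at the levels used in the post."""
    return [(t, round(survival(glyph, t), 2), round(survival(noise, t), 2))
            for t in thresholds]


# Weak: pure-black glyphs over lighter noise. Strong: glyph and noise share a range.
WEAK = render([0], [90, 120, 150, 180, 210])
STRONG = render([150, 165, 175, 190, 205], [130, 160, 170, 185, 200])

if __name__ == "__main__":
    for name, img in (("weak", WEAK), ("strong", STRONG)):
        g, n = split(img, MASK)
        print(name, len(separating_thresholds(g, n)), sweep(g, n))
```

A non-empty result from `separating_thresholds` means the image reduces to clean black-on-white characters at some level; an empty one means the glyph ink fades together with the noise, as in the attachments described above.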