is this CAPTCHA any good?

[fry2010]

<?php

  function create_captcha()
  {
    $length1 = random_digit('1');
    $length2 = random_digit('1');
    $length3 = random_digit('1');

    $set1 = random_word($length1);
    $set2 = random_word($length2);
    $set3 = random_word($length3);

    $result['0'] = $set1;
    $result['1'] = $set2;
    $result['2'] = $set3;

    return $result;
  }

  function display_captcha()
  {
    $captcha = create_captcha(); 

    $length1 = strlen($captcha['0']);
    $length2 = strlen($captcha['1']);

    echo '<label for="captcha">For security reasons please enter the first <span>'.$length1.'</span> letters/digits and the last <span>'.$length2.'</span> letters/digits.</label>';
    echo '<div id="captch_box"><h3>'.$captcha['0'].$captcha['2'].$captcha['1'].'</h3></div>';
    echo '<input type="text" name="captcha" />';
    
  }

  function check_captcha($input)
  {
    $captcha0 = $_SESSION['captcha']['0'];
    $captcha1 = $_SESSION['captcha']['1'];
    $captcha2 = $_SESSION['captcha']['2'];

    $captcha_set = $captcha0.$captcha1;
    $captcha_input = $input;

    if($captcha_input == $captcha_set)
    {
      return true;
    }
    else
    {
      return false;
    }

  }

?>

 

Basically what this does is gets 3 sets of seperate length letters. I then ask the user to enter the first set and the last set, leaving out the middle set. The values are passed using a session for each set, not through a hidden input. The sessions are destroyed once the new page loads and value has been checked.

[PFMaBiSmAd]

Text based captcha's that are "find and enter something that appears on the page in plain text" are easy to write a script for because they don't require any human reading and reasoning skills. A script can parse the two lengths and get the correct digits easily.

[fry2010]

ok...

But how will a script know which values to enter when it displays all three sets?

The script would have to learn this from human input surely?

[fry2010]

i accept what you say you are clearly more experienced than me I am just trying to understand how a bot will get this, unless it is able to learn.

[Mchl]

It's enough that the person coding this bot sees through your method. They just need to code the bot to:

1. Get contents of <label for="captcha">

2. Parse the first and second number from it

3. Get contents of <div id="captch_box">

4. Use substr to get required letters

5. Put the resulting string into <input type="text" name="captcha" />

 

that's not really hard.

 

[PFMaBiSmAd]

At a minimum, you should use a dynamically generate image to display any text based question.

 

It is fairly easy to filter simple images to get OCR to recognize a typical 4-6 character captcha (enter the characters you see.) It is much harder to get OCR to correctly decode a multi-word question that is output as a dynamically generated image.

 

If you output your existing question as an image with some background noise and some non relevant accompanying text (both before and after the actual question), it will make it much harder for a bot script to decode your captcha.

[fry2010]

ok my understanding of bots is not correct then. I dont really know how they work i just fort this would have been a good way to solve it.

However you say that its easy, i still think not so.

It doesnt use the first letter and last letter as you suggest mchl. The first and last letter sets are dynamic, i.e. the number of letters is determined by random_digit();

 

Here is a code that it produced :

 

KPCXLXJ

 

Tell me now which letters are required?

 

This is how it prints in the html too they are not seperated into there sets.

 

<div id="captch_box"><h3>KPCXLXJ</h3></div>

 

The sets are stored as sessions so the only way it can get this is if it uses the sessions that are created. Is this possible? Or any other method you can think of. I do appreciate the critisism but i think you underestimate the difficulty in obtaining the correct data required.

[fry2010]

Here is another when i refreshed the page:

 

TMPFL

 

The reason I dont like to use image generated captcha is because they p*ss me off when i have to enter them because they are unreadable. I would much prefere to have people sign up to going overboard with spam protection. Obvoisly there needs to be a compromise. I was hopeing this would be good enough.

[Mchl]

How is human suposed to know what letters are required? You tell him:

"For security reasons please enter the first 2 letters/digits and the last 3 letters/digits."

 

Bot also sees that.

It's enough for the code to do this:

 

$captcha = "KPCXLXJ";
$a = "For security reasons please enter the first 2 letters/digits and the last 3 letters/digits.";
$words =  explode(" ",$a);

$length1 = $words[7];
$length2 = $words[12];
$answer = substr($captcha,0,$length1).substr($captcha,-$length2);
echo $answer;

[fry2010]

Yes but the number of letter used changes. In that example it was the the first 1 letter and the last 3. On the second example it is the first 2 letters and the last 1.

A human could probably code this but I dont think they will bother with my site. I am limiting the number of registered users anyway, the only bots i want to stop really are the automatic one if my thinking is correct?

[Mchl]

Yes you are. As your captcha would be pretty unique, you would be safe from the bots not targetting directly your site.

[fry2010]

ok cool. i also see in your last post that actually your code would work out the dynamic letters i didnt see this at first i havnt used that code before but just realised what it does.

What if I used words instead of integers to tell the number of letters user?

I dont mean to be getting your back up it just took me ages to code it and get it working to find out its basically useless, atleast against humans coding bots. and thanks for the critiques.

[JonnoTheDev]

I could break through that easily. Put it on a form and I will prove it!

[Mchl]

Each countermeasure you implement makes the task harder, but never impossible.

Another idea might be having several sentences describing the task to be done and picking them by random.

 

Example:

For security reasons please enter the first 2 letters/digits and the last 3 letters/digits.

For security reasons please enter the first two letters/digits and the last three letters/digits.

Please enter the first 2 letters/digits and the last 3 letters/digits.

For security reasons please enter first two letters/digits and the last three letters/digits.

(I'm just mashing up the original sentence, you might want to be more original )

 

Now the bot has to know the structure of all sentences (or use regular expressions, which will make it's task easier again)

 

Using text based captcha has this flaw, that it is relatively easy to write code for it.

 

You might try implementing captcha based on figlet fonts. These might be really hard to break.

[JonnoTheDev]

Using text for a CAPTCHA is a bad idea.

Your CAPTCHA is best created using the GD functions and the most obscure fonts. The actual code is stored in a session that a bot has no access to. The only method is OCR. The more obscure the font the harder to do.

 

Implement in the following way:

<img src="captcha.php" />

 

The best protection is recaptcha http://recaptcha.net/

I have never been able to break through this nor found anyone who has.

[Mchl]

The more obscure the font the harder to do.

 

This the way rapidshare went. "Count the cats, who are annoyingly similar to dogs, in this distorted picture". Somehow they resigned from it pretty soon. Wonder why.

[PFMaBiSmAd]

"one", "two",... can be easily replaced with 1, 2,... so using the word form of numbers won't slow anybody down in bypassing a captcha.

[fry2010]

neil, mchl already cracked it so i know its no good.

So is the only real way to beat the bots with email verification? or can they get passed this aswell?

as i said before i dont want to use unreadable captchas.

[JonnoTheDev]

Bots can read email

[JonnoTheDev]

This CAPTCHA is not unreadable at all: http://www.articlealley.com/contact.php

Nor has it been bypassed

[fry2010]

hmm.. yeah that looks good. Do you know where I can get that captcha from?

[angelcool]

Here are my two pennies.

I am using this image for captcha:

http://gift-a-cup.10-network.net/shopping_cart/images/captcha.php

 

Any ideas how anti-OCR safe it looks like?

 

I know at times the background noise is not high (this is good for user), but should at least give OCR a hard time when not, thus making it unreliable.

[shadiadiph]

i just use

 

<?
$random = rand(100,999);
?>

 

at the top of the page

 

then

<tr><td colspan="2">CONFIRMATION NUMBER</td></tr>
<tr><td colspan="2"><?=$random?> <input type="text" name="validate" maxlength="3" /></td></tr>

 

in my form

 

then on my submit form

 

$random = ($_POST['random']);
$validate = ($_POST['validate']);

if($random == $validate)
{

// sql insert or send email function.

}

 

 

don't know if this helps but its homemade and it works

[JonnoTheDev]

hmm.. yeah that looks good. Do you know where I can get that captcha from?

 

I wrote it

[Mchl]

shadiadiph: all it needs from bot is to use curl to send equal 'validate' and 'random' values through POST