Check out this author’s run down of why linear transformation is not enough:

http://churchturing.org/captcha-dist/captcha/final.medium.png
http://churchturing.org/captcha-dist/

I’d like to think that means I’m open to correction, but I usually seem to end up with roughly the same opinion I had before but for better reasons so either my instincts are fantastic or I can justify any irrational prejudice. I don’t really know how to tell the two apart. I usually enjoy the process, though, so I don’t worry about it much.

The “answerhash” isn’t just the md5 of the answer, by the way. It’s salted with a site ID and some material unique to the page it’s on, so a stored answer would only work on one page. If I have to change it again I’ll add to that a question ID so that when a question is retired all hashes associated with it are retired as well. It’d mean checking five hashes instead of one, but that’s okay.

With image-based ones, the gap between “what computers can’t do” and “what humans can do” is closing fast, and probably closed long ago if you consider humans with any kind of disabilities. I don’t even think captchas on individual sites are the right approach, long term. We need to stop the spam being sent in the first place — the web traffic it generates is problematic and expensive enough and the tests to block it are the antithesis of most modern interface design principles.

(Personally, I think we need to start identifying the people whose computers are spam-sending zombies and taking away their broadband. They can’t be trusted with it.)

Firstly, you CANNOT allow the user to see the relationship between the captcha question or image and it’s solution. You’d be surprised at how often this is done. For example, the md5 hashing of the question that you provide on this site does just this (the md5 “answerhash” is embedded in the form code and thus visible to any HTML parser). Once one solution is calculated (which is easy in your case), it can be applied since they know the relationship between the hashing and the solution, even though it changes. Banning ip addresses wouldn’t work either because spam bots typically work in groups to avoid this, and you don’t want to ban a potential website visitor because they’ve slipped typing in the answer. Once spammers get it, they share the methods to other spammers so that everyone may enjoy the security hole.

Secondly, you MUST generate a unique captcha every time. A question or image should never come up twice, no matter what. It is pretty clear why this is important. This is typically why text verification is rarely used, at least by itself.

Thirdly, a good, foolproof, changing, and unique captcha image needs to be developed. For example, you may have an external chunk of php code using gd to generate an image, generate an id for this image, and put both the id and the solution in a database somewhere unbeknownst to the user. Then upon submission of something, check the id against the solution in the database, maybe have a script on the db return either true or false, and automatically and immediately delete that entry from the database.

I’ve always been interested in seeing how easy captcha images are to crack, and maybe even writing some code myself to do so. You should put a small section up on your site where users can submit a link to a chunk of code somewhere that outputs an image, and see how long it takes to develop a crack for it (one that can be applied to any image that is generated, and computes the correct solution 100% of the time). I firmly believe that with the proper linking of the characters with lines, and the correct usage of colors, fonts, scaling, rotation, overlapping, etc…that captchas are extremely effective.

In all fairness, you’ve attacked weak catpchas in your post above. There are some good ones!

A general algorithm would be more interesting, yes, but it would be a major investment of time and I’d be the wrong person to do it. My point was just that I could spend a week or so, crack phpBB’s captchas, and then spam all the phpBB forums in the world, which to my mind is a far greater weakness than a susceptibility to advanced computer vision algorithms, because as you pointed out there are so many people who could do what I just did. A few of them are bound to do it.

On the subject of my own captcha, I think to be fair you’ve underestimated it. It actually was broken once, but not by “entering two letter q’s”. That’s just one of five or six questions that loop around the comments form, which are all simple tasks involving maths and/or moving letters around, and about a year ago, a spambot learned to add two numbers (which is a common question in captchas anyway). All I did was load up the captcha file and delete that question (leaving four or five others). That secured the site again without blocking real comments, and later that day I replaced it with a new question so no harm was done. Yes, the questions are weak but the system that surrounds them is much more robust. I could put in a conventional image-based captcha if I wanted, although that would reduce accessibility, so for the amount of traffic I have now it would probably do more harm than good.

But that’s the only time I’ve had any spam (other than pingbacks, which are so problematic they’ve all but shut down Technorati) since I installed it, whereas phpBB’s captchas are broken daily even on low-traffic forums. Okay, so the smarter spammers you enjoy might learn to enter two “q’s” in a day, but I can remove that question that same day. I expect an automated system could remove it in a moment the first or second time WordPress detected a “spammy” comment getting through. Unless they can reverse-md5 long and meaningless strings, they’ve got nothing long-term but cracking individual questions as they appear.

Computer Vision is (and has been for some time) quite advanced. Trust me when I say that if Computer Vision is powerful enough to race autonomous robots through unknown terrain, navigate cars through a city on their own, take facial fingerprints (not images, but measurements) of every single person entering the stadium for the Superbowl in 2001, it can be used to crack a stupid captcha image.

The problem is that you are focusing on each individual captcha that you are cracking, and engineering a crack based on that particular image. So what? Any green-horn should be able to do that, and if they can’t should not even be trying. Why wouldn’t you push toward designing a program to read ANY image captcha that it encounters? You may have to put aside your trusty old Matlab for that one, and no, I won’t send you any code.

The rant about a administrator approving each and every attempt to register a user is about as brute force of a solution as I can think of. There are effective captchas out there, some of which I have written that have never been cracked a single time and have been up on forums, guestbooks, blogs, etc… for years with thousands of visitors a day. Don’t claim that you have accomplished something because you have cracked phpBB’s image captcha, which, by the way, is not cracking anything at all, since it is open source to begin with.

Maybe you should submit your solution “entering two letter q’s” to open source forums so they can benefit from this knowledge.

If I was an asshole, I’d redirect the spam traffic that I get on all the websites I’ve written and maintain to here; they’d have you cracked in a day or so and fill you up so full of crap you’d actually have some content on the site.

Sorry if I sound mean, I actually spit out my coffee when I read the letter ‘q’ thing because I was laughing so hard. You made my day man. Thanks.

Do you crack yahoo captcha in any of your articles? Do you know where I can find it?

Thanks,

Nick

I don’t know anything much about Java programming, though. I expect there’s something out there.

It’s a clever captcha in a sense: it looks so utterly unlike other captchas that most generic cracking programmes would probably not work. But it’s going to be so widely used by almost everyone who installs phpbb3 that it’ll be worth writing routines specifically to crack it.

I think they’d be better off making it very easy for users to create and install their own captchas. Granted, a lot of users wouldn’t know how to do that, but if enough do it’ll become far less worthwhile cracking the default one, and at least it’ll mean some people get a secure forum.