Security Basics mailing list archives

Thoughts on CAPTCHA
From: "Chris Barber" <cmbarber () gmail com>
Date: Tue, 15 Apr 2008 15:04:39 -0700

I was just reading on the SANS NewsBites an article about how some
implementations of CAPTCHA seem to have been outsmarted by software.
I have seen other articles and have not paid a lot of attention to
them (simply because I have been too busy).  But this got my gears

I do not know how other people feel about CAPTCHA in its current
state, but I think it needs to be upgraded.  You need some form of
interaction that requires the user (human) to make choices that a
computer would not be able to make.  Something that changes with every
mouse click or keystroke.  Now, my sons play an online video game
where you have to key in your passcode via a web-based keypad.  The
keypad is displayed with all keys in some random order; each time a
key is pressed the numbers change positions, like musical chairs.

Here is an example:

Passcode is 564

When the key pad is first displayed it may look like:

After the 5 is clicked


After 6 is clicked


Once you click on the 4 you have access to your account

This is pretty unique and I thought it was very ingenious; you could
not determine the passcode by capturing the positions of the mouse
clicks because every time you enter your passcode the keys are in
different places.

Now, to increase the security of this we use the same sort of random
"word" generators that are currently in place and, if you want, display
them in a similar manner with the deformed type and all.  But add the
layer of security where you must enter the CAPTCHA "word" with an
ever-changing keyboard/pad.  Using 16 keys instead of 10 would give enough
choices but not take that long to find the keys needed to enter the
CAPTCHA "word".

Just some food for thought.  This is just a brainstorm (or drizzle)
and thought I would put it out here and see what others thought of the
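
Added example (not part of the original post, and not code from the game it mentions): the reshuffling keypad described above, modelled server-side in Python. The class and function names are hypothetical, and it assumes the client reports only the clicked slot while the server holds the current layout.

```python
import secrets

_rng = secrets.SystemRandom()  # CSPRNG-backed shuffle so layouts are not predictable

class ScrambledKeypad:
    """Server-side state for one entry attempt (hypothetical name, not from the post)."""

    def __init__(self, keys="0123456789"):
        self._keys = list(keys)
        self._entered = []
        self._shuffle()

    def _shuffle(self):
        # self.layout[i] is the key currently drawn in slot i
        self.layout = self._keys[:]
        _rng.shuffle(self.layout)

    def click(self, position):
        """The client sends only the slot index; map it to a key, then reshuffle."""
        if not 0 <= position < len(self.layout):
            raise ValueError("click outside keypad")
        self._entered.append(self.layout[position])
        self._shuffle()

    def entered(self):
        return "".join(self._entered)

def enter(pad, code):
    """Simulate a person who reads the layout before each click; return the slots used."""
    slots = []
    for ch in code:
        slot = pad.layout.index(ch)
        slots.append(slot)
        pad.click(slot)
    return slots

def replay(pad, slots):
    """Feed previously recorded click positions to a fresh keypad."""
    for slot in slots:
        pad.click(slot)
    return pad.entered()

if __name__ == "__main__":
    pad = ScrambledKeypad()
    recorded = enter(pad, "564")  # passcode from the post's example
    print("slots clicked:", recorded, "->", pad.entered())
    # Each replay matches only by chance: (1/10)^3 for three digits on ten keys.
    hits = sum(replay(ScrambledKeypad(), recorded) == "564" for _ in range(10000))
    print("replays out of 10000 that reproduced 564:", hits)
    pad16 = ScrambledKeypad("0123456789ABCDEF")  # 16-key variant from the post
    print(enter(pad16, "A3F9"), "->", pad16.entered())  # "A3F9" is a constructed sample word
```

Because the layout is reshuffled after every click, the recorded slot positions carry no information about the passcode on a later attempt, which is the property the post describes.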

