Slashdot Mirror


Why the CAPTCHA Approach Is Doomed

TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users, won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."

15 of 522 comments

  1. Re:My solution is simple & elegant: by Dynedain · · Score: 4, Informative

    The author was arguing that one of the primary reasons to do captcha breaking is to get freebie email accounts on GMail/Yahoo to send spam from.

    Limit the email the account can send, and you reduce the desire for the account. Reduce the usefulness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.

    It's one approach that would make a difference, but it's clearly not the only solution.

    --
    I'm out of my mind right now, but feel free to leave a message.....
  2. Re:That wooshing sound.... by qoncept · · Score: 2, Informative

    I think you're missing the point. CAPTCHA isn't a speed bump. Anyone that is going to take the time to make a bot to spam your site is going to take an extra minute to add a hack for your CAPTCHA or cat picture or sound or simple question. And saying you have to make CAPTCHA difficult for humans to read to be effective is a pretty major understatement. It should read "Computers are better at it than people."

    --
    Whale
  3. Wrong implementation by js3 · · Score: 3, Informative

    Most CAPTCHAs are hacked because their implementation is amateurish. They are hacked by reusing session ids or dictionary attacks, and that has nothing to do with the actual image itself. Long story short, CAPTCHAs reduce the amount of spam by more than 50% simply because it's not worth the effort for a spambot to break it; after all, they have the entire internet to spam.

    Some are good some are bad and most are downright horrible, but you wouldn't want your favorite forum to be trolled by spambots would ya? Might as well live with it. Nothing works 100% you should know that by now

    --
    did you forget to take your meds?
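
The two implementation flaws named in the comment above (a solved challenge replayed within one session, and repeated guessing against one challenge) both come down to how the server checks the answer. This is an added example, not part of the original thread or of any forum package's code; the session object shape, the function names and the two-minute lifetime are assumptions.

```javascript
const TTL_MS = 2 * 60 * 1000; // assumed challenge lifetime

// Weak form: the expected answer stays in the session after a check,
// so one human-solved answer keeps passing for every later request.
function weakCheck(session, answer) {
  return typeof answer === "string" && answer === session.captchaAnswer;
}

// Hardened form: each challenge carries an expiry and is consumed by the
// first check, whether that check passes or fails.
function issueChallenge(session, answer, now = Date.now()) {
  session.captcha = { answer, expires: now + TTL_MS };
}

function strictCheck(session, answer, now = Date.now()) {
  const challenge = session.captcha;
  delete session.captcha; // consume before comparing: no replay, one guess only
  if (!challenge || now > challenge.expires) return false;
  return typeof answer === "string" && answer === challenge.answer;
}

// Counts how many submissions in a sequence the given check accepts.
function acceptedCount(check, session, answers) {
  return answers.filter((a) => check(session, a)).length;
}

// Constructed sample: the same solved answer submitted five times.
const replayed = Array(5).fill("x7kq2");
const weakSession = { captchaAnswer: "x7kq2" };
const strictSession = {};
issueChallenge(strictSession, "x7kq2");
console.log("weak accepts:", acceptedCount(weakCheck, weakSession, replayed));
console.log("strict accepts:", acceptedCount(strictCheck, strictSession, replayed));
```
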
  4. Re:8==C=A=P=T=C=H=A==D by clone53421 · · Score: 3, Informative
    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  5. Re:Browsing Trends by Attila Dimedici · · Score: 2, Informative

    I agree there are ways to circumvent it, but the majority of bots will not go to the trouble of doing that, and that's the key.

    Another idea would be to observe mouse movements through Javascript to detect a real user. This would be VERY inefficient for a bot, and probably not worth the while.

    This would work great until the majority of websites do it, then it is worth the overhead for the bot to go to the trouble of doing it. When CAPTCHA started it wasn't worth the bot writers' trouble to crack it. They just went to easier sites, but as more and more sites adopted CAPTCHA the value of cracking it became greater. Any successful system will eventually be adopted by a large enough number of websites to make it worth the bot writers' time to crack. At which time they will.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  6. Re:So what next? by uhoreg · · Score: 5, Informative

    This is known as hashcash. One big reason that it doesn't work on the web is that, currently, users will be stuck with some slow JavaScript version of the algorithm, while a sufficiently determined spammer can use a fast C version, and end up with much less work required to post. So it's nearly impossible to set a cost that is cheap enough for valid visitors, that will be a sufficient deterrent against spammers.

    --

    To get something done, a committee should consist of no more than three persons, two of them absent.
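
The hashcash scheme named in the comment above, as an added example (not from the original thread): the poster searches for a counter whose hash has a required number of leading zero bits, and the server checks it with a single hash. SHA-256, the `challenge:counter` stamp format and all function names are assumptions made for this sketch, which runs under Node.js.

```javascript
const crypto = require("crypto");

// Number of leading zero bits in a digest (Buffer).
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24; // clz32 counts over 32 bits, a byte has 8
  }
  return bits;
}

function meetsTarget(challenge, counter, bits) {
  const d = crypto.createHash("sha256").update(`${challenge}:${counter}`).digest();
  return leadingZeroBits(d) >= bits;
}

// Poster's side: brute-force search, about 2^bits hashes on average.
function mint(challenge, bits) {
  for (let counter = 0; ; counter++) {
    if (meetsTarget(challenge, counter, bits)) return { counter, attempts: counter + 1 };
  }
}

// Server side: issue random challenges, accept each one at most once.
function makeVerifier(bits) {
  const outstanding = new Set();
  return {
    issue() {
      const challenge = crypto.randomBytes(16).toString("hex");
      outstanding.add(challenge);
      return challenge;
    },
    verify(challenge, counter) {
      if (!outstanding.delete(challenge)) return false; // unknown or already spent
      return Number.isSafeInteger(counter) && counter >= 0 &&
        meetsTarget(challenge, counter, bits);
    },
  };
}

// Work needed at a few difficulty settings (each extra bit doubles the average).
for (const bits of [8, 12, 16]) {
  const pow = makeVerifier(bits);
  const challenge = pow.issue();
  const stamp = mint(challenge, bits);
  console.log(bits, "bits:", stamp.attempts, "hashes, accepted:", pow.verify(challenge, stamp.counter));
}
```

The difficulty is a hash count, not a time: whoever computes hashes faster pays less wall-clock time for the same stamp, which is the imbalance the comment describes.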

  7. Not really by willy_me · · Score: 4, Informative

    SPAM is sent from compromised computers. If you make people pay for posts then the owners of compromised computers will be billed - not the real senders of SPAM. Billing would help minimize the problem, but we would still receive a pile of SPAM. And a pile of people who only use their computer once a week would have to foot the bill.

  8. Re:That wooshing sound.... by kwerle · · Score: 4, Informative

    Yup. I used PHPBB2 and changed the CAPTCHA code.

    "Type the following text in the CAPTCHA box . Ignore the image below."

    All spamming stopped. Regular users were fine.

  9. Re:That wooshing sound.... by Java Pimp · · Score: 2, Informative

    That's the way ReCaptcha works. It's more than an anti-spam device. It also serves as part of a service to help digitize old books and publications. The captchas are made from 2 parts, a word from a publication that OCR software couldn't figure out and a word that is known. To pass the captcha, you have to answer the known portion correctly. The system uses your answer to the unknown portion to help determine what that word might be.

    --
    Ascalante: Your bride is over 3,000 years old.
    Kull: She told me she was 19!
  10. Re:I really like the concept behind Re-Captcha by TheRaven64 · · Score: 2, Informative

    You can do this already, just go to the 'about' page on the site. When I first heard about ReCaptcha, I spent a little while filling them in to see how hard they were.

    --
    I am TheRaven on Soylent News
  11. Re:That wooshing sound.... by Gamma747 · · Score: 2, Informative

    The problem is that a spambot that can break CAPTCHAs 10% of the time is good enough, but OCR systems have to be much more accurate.

  12. Re:Stuck in the old ways by Eternauta3k · · Score: 4, Informative

    If your site gained any popularity, they would make bots specifically to register in your website.

    --
    Yeah. Would you choose a neurosurgeon who pokes around people's brains in his spare time? I wouldn't.
  13. Re:That wooshing sound.... by RobertB-DC · · Score: 2, Informative

    I tend to think using Recaptcha just earns somebody money, it is not really doing any particular good for the world.

    Would it be asking too much to suggest you check the FAQ or About Us links? Is it enough that "reCAPTCHA channels this human effort into helping to digitize books from the Internet Archive", or does it help that "reCAPTCHA is a project of the School of Computer Science at Carnegie Mellon University"?

    Or perhaps you'll take the word of Science magazine. Of course, the link is to a .pdf reprint hosted at recaptcha.net, so YMMV (depending on the tightness of your tinfoil hat). It could all be an evil spammer plot. Yes. Yes it could.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  14. Re:That wooshing sound.... by bigbird · · Score: 3, Informative

    Yes, me too. I simply ask "How do you spell spam?" for my question. Stopped the spambots in their tracks :)

  15. Re:That wooshing sound.... by Anonymous Coward · · Score: 1, Informative

    I'm ashamed to say I've written spam-bots for myspace (on rentacoder.com), and that's just not true. It really doesn't cost much to make a spam-bot, students like myself are very cheap (and I'm in a 1st world country).