Slashdot Mirror


Why the CAPTCHA Approach Is Doomed

TechnoBabble Pro writes "The CAPTCHA idea sounds simple: prevent bots from massively abusing a website (e.g. to get many email or social network accounts, and send spam), by giving users a test which is easy for humans, but impossible for computers. Is there really such a thing as a well-balanced CAPTCHA, easy on human eyes, but tough on bots? TechnoBabble Pro has a piece on 3 CAPTCHA gotchas which show why any puzzle which isn't a nuisance to legitimate users won't be much hindrance to abusers, either. It looks like we need a different approach to stop the bots."

12 of 522 comments

  1. That wooshing sound.... by ivan256 · · Score: 5, Insightful

    ...is the point going right over the author's head.

    A CAPTCHA works well enough for the same reason greylisting works well enough. They may be trivial to bypass (for some definition of 'trivial'), but many applications only need a tiny speed-bump to make a huge difference in undesirable traffic.

  2. Re:8==C=A=P=T=C=H=A==D by RemoWilliams84 · · Score: 5, Interesting

    This troll actually gave me an idea. Why not ascii art?

    Give an ascii art picture and ask the user to tell what it is.

    In this case cock would let you through.

    --
    "I don't have to think. I only have to do it. The results are always perfect, but that's old news." - Meat Puppets
  3. Stuck in the old ways by Anonymous Coward · · Score: 5, Insightful

    Everyone seems to think that the answer to this is to challenge the user somehow. Why isn't a technical solution possible that doesn't require any interaction from a person?

    On my own contact forms, I use a really simple obfuscation technique; it doesn't require any user interaction, and I don't get any spam. I've chosen to name my form elements with meaningless names, because obviously automated spammers rely on field names to fill in the blanks. If they see a form like this:

    <input type="text" name="email">
    <input type="text" name="subject">
    <input type="text" name="message">

    Obviously it's pretty easy to fill out. If they see this instead:

    <input type="text" name="sj38d74j">
    <input type="text" name="9sk2i84h">
    <input type="text" name="m29s784j">

    Then they probably won't even make it past the email validation part, unless they catch the error that my page is printing and try all combinations (or get lucky).

    It makes it even more effective when you use fields with good names, but hide them from users with either CSS or Javascript:

    <input type="text" name="email" style="display: none;">

    That's a honeypot: if it's filled out, then it's a robot. You can use the same CSS or Javascript techniques to also print messages informing users not to fill those out if their browser decides to not run my code and instead shows them.

    Really simple solution, requiring no user interaction, and it is at least as effective as, if not more effective than, a challenge-and-response type of solution. I don't know why everyone is hung up on a visual challenge when it's a lot easier to distinguish between a real web browser and a scraper that doesn't bother to execute Javascript or apply CSS. I've been saying this for years though, so I don't really expect anyone to start paying attention now... at least my own inbox is spam-free though.
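The server-side half of the technique described in this comment, as an added example that is not the commenter's own code: per-session opaque field names (derived with an HMAC so the server can recompute them without storing state) plus the hidden `email` honeypot. The secret, session id and submissions are constructed sample values.

```python
"""Server-side check for obfuscated field names plus a hidden honeypot field."""
import hashlib
import hmac

# Real fields the form collects; each is served under an opaque per-session name.
REAL_FIELDS = ("email", "subject", "message")
# Decoy field served with style="display: none;": humans never see it, scripts fill it.
HONEYPOT_FIELD = "email"
SECRET = b"constructed-demo-secret"  # constructed; use a per-deployment secret in practice


def field_names_for_session(session_id: str, secret: bytes = SECRET) -> dict:
    """Map real field names to opaque ones. Keying the HMAC on a server secret means the
    mapping can be recomputed on POST instead of being stored per visitor."""
    names = {}
    for field in REAL_FIELDS:
        mac = hmac.new(secret, f"{session_id}:{field}".encode(), hashlib.sha256)
        names[field] = "f_" + mac.hexdigest()[:8]
    return names


def classify_submission(session_id: str, posted: dict, secret: bytes = SECRET) -> tuple:
    """Return ('bot', reason) or ('human', {real_field: value}) for a POSTed form."""
    # 1. Honeypot: any value in the hidden field came from something that ignored the CSS.
    if posted.get(HONEYPOT_FIELD, "").strip():
        return ("bot", "honeypot filled")
    # 2. Obfuscated names: a scraper that posted the obvious names never sent the real ones.
    names = field_names_for_session(session_id, secret)
    values = {}
    missing = []
    for real, opaque in names.items():
        values[real] = posted.get(opaque, "").strip()
        if not values[real]:
            missing.append(real)
    if missing:
        return ("bot", "missing fields: " + ", ".join(missing))
    return ("human", values)


def demo() -> tuple:
    """Constructed traffic: a browser that rendered the form, and a scraper that guessed names."""
    names = field_names_for_session("sess-42")
    browser = {names["email"]: "a@b.example", names["subject"]: "hi",
               names["message"]: "hello", HONEYPOT_FIELD: ""}  # hidden field submitted empty
    scraper = {"email": "x@y.example", "subject": "buy", "message": "spam"}
    return classify_submission("sess-42", browser), classify_submission("sess-42", scraper)


if __name__ == "__main__":
    print(demo())
```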

  4. Re:So what next? by Ralph+Spoilsport · · Score: 5, Interesting

    Making people pay for posts. Making people pay for email. That will stop spam dead in its tracks.

    Now, I didn't say you'd LIKE what's next...

    RS

    --
    Shoes for Industry. Shoes for the Dead.
  5. Re:So what next? by Mordok-DestroyerOfWo · · Score: 5, Funny

    Maybe a different type of system? Show a series of animals and ask which one is a pet. Show a series of letters and ask which one is the vowel. A series of types of food and ask which one would go best with Natalie Portman. Show an action shot and a series of similar actions, ask which one would occur in Soviet Russia.

    --
    "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
  6. Stopping bots is easy... by MrBippers · · Score: 5, Funny

    Solve the following math problem to continue:
    1/0 = ?

  7. Re:It's a Turing test by Chad+Birch · · Score: 5, Funny

    This is my favorite captcha, some are ridiculous: http://random.irb.hr/signup.php

    Refresh the page a bit, fun to see what you can get.

    --
    Sturgeon was an optimist.
  8. Re:So what next? by crazyvas · · Score: 5, Funny

    So if the CAPTCHA is doomed, what is the next approach?

    Torture

    You mean, TORTCHA?

  9. Re:So what next? by Arancaytar · · Score: 5, Funny

    Place Goatse on the front page. After everyone's eyes are bleeding, the only remaining visitors will then be robots. Behold, you have isolated the set of spambots from the set of humans.

    Inverting the set to get the humans instead of the bots is left as a trivial exercise to the reader.

  10. Re:So what next? by silent_artichoke · · Score: 5, Funny

    Pardon me, but I do believe that Natalie Portman can be both a pet AND a tasty treat.

  11. Re:So what next? by uhoreg · · Score: 5, Informative

    This is known as hashcash. One big reason that it doesn't work on the web is that, currently, users will be stuck with some slow JavaScript version of the algorithm, while a sufficiently determined spammer can use a fast C version, and end up with much less work required to post. So it's nearly impossible to set a cost that is cheap enough for valid visitors but still a sufficient deterrent against spammers.

    --
    To get something done, a committee should consist of no more than three persons, two of them absent.
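A hashcash-style stamp as described in the comment above, as an added example that is not the commenter's own code: minting costs about 2**bits hashes, verifying costs one, and `seconds_to_mint` puts numbers on the JavaScript-versus-C asymmetry. The resource string, difficulty and hash rates are constructed values.

```python
"""Hashcash-style proof of work: expensive to mint, cheap to verify."""
import hashlib
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def stamp_bits(stamp: str) -> int:
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest())


def mint_stamp(resource: str, bits: int) -> tuple:
    """Poster's side: try nonces until SHA-256(stamp) has `bits` leading zero bits.
    Returns (stamp, attempts); attempts averages about 2**bits whatever language runs it."""
    rand = secrets.token_hex(8)
    counter = 0
    while True:
        stamp = f"{resource}:{rand}:{counter}"
        if stamp_bits(stamp) >= bits:
            return stamp, counter + 1
        counter += 1


def verify_stamp(stamp: str, resource: str, bits: int) -> bool:
    """Site's side: a format check and a single hash, however long minting took.
    (Real hashcash also checks a date field and a spent-stamp database; omitted here.)"""
    parts = stamp.rsplit(":", 2)
    return len(parts) == 3 and parts[0] == resource and stamp_bits(stamp) >= bits


def seconds_to_mint(bits: int, hashes_per_second: float) -> float:
    """Expected minting time. The same `bits` costs a slow client 2**bits / rate_slow
    seconds and a fast client 2**bits / rate_fast seconds: raising `bits` scales both
    equally, so the gap between them is set by the speed ratio, not by the difficulty."""
    return 2 ** bits / hashes_per_second


if __name__ == "__main__":
    stamp, attempts = mint_stamp("post:thread-1", 12)
    print(stamp, attempts, verify_stamp(stamp, "post:thread-1", 12))
    # Constructed rates: a browser at 50k hashes/s versus native code at 20M hashes/s.
    for bits in (16, 20, 24):
        print(bits, seconds_to_mint(bits, 5e4), seconds_to_mint(bits, 2e7))
```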

  12. Re:My solution is simple & elegant: by lewiscr · · Score: 5, Insightful

    Limit the email the account can send, and you reduce the desire for the account. Reduce the usefulness of the account, and you reduce the desire to crack the captcha on new account signups, or at least the profitability in doing so.

    Doesn't this increase the desire to get more accounts faster?