New CAPTCHA

Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
robertmf
Registered User
Posts: 52
Joined: Wed Jul 23, 2003 5:20 pm
Location: In PA, 55 min. via commuter RR outside Filthadelphia

Re: New CAPTCHA

Post by robertmf »

dhn wrote:
naderman wrote: Hey, we've got something that is actually decipherable, so can we please think about how to improve readability and not about how to increase the difficulty? ;-)
What! You mean you cannot read that:
ucp.php.png
1 - U - 9 is that a W? WTF! 8 - I (I think) - A - that wasn't so hard. :o
ah, that's the one I dread having to decipher!!

..um.. 1 U 3 ? 8 1 A

robertmf
Registered User
Posts: 52
Joined: Wed Jul 23, 2003 5:20 pm
Location: In PA, 55 min. via commuter RR outside Filthadelphia

Re: New CAPTCHA

Post by robertmf »

dhn wrote:
naderman wrote: Hey, we've got something that is actually decipherable, so can we please think about how to improve readability and not about how to increase the difficulty? ;-)
What! You mean you cannot read that:
ucp.php.png
1 - U - 9 is that a W? WTF! 8 - I (I think) - A - that wasn't so hard. :o
If that was blood red I'd call the cops to a murder scene. My eyes are okay, but it's not ..umm.. "reasonably" legible.

More importantly tho', How'd you do that spoiler widget ?????

Lastof
Registered User
Posts: 518
Joined: Wed Mar 17, 2004 8:10 pm
Location: Two weeks last wednesday

Re: New CAPTCHA

Post by Lastof »

Just use the [spoiler][/spoiler] tags. Someone played with the custom BBCode a while back, and we ended up with that.

And, the W is the only one in that I couldn't decipher, but the 9 was close.
Last edited by Lastof on 04 May 2008, 00:00, edited -1 times in total

Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK

Re: New CAPTCHA

Post by Yawnster »

Wert wrote: David, custom backgrounds too?

Any options like the drupal thing where we can not only feed it fonts, but also make it stronger by messing with variables controlling size, spacing, rotation, noise, etc.?

I'm going to guess most modern hosts can handle at least some form of gd, so the drupal or phpBB ones shouldn't have to go to a fall back very often.

Being able to edit all these variables easily sort of makes it easier to have a semi unique captcha per site without having to get too weird with the kind of captcha used.
viewtopic.php?f=4&t=23549&p=143890&hilit=#p143890

:P

Personally I feel that user customisation/randomisation is the only real possible way to go to prevent against this form of attack.. I think that although the new captcha you have devised David is great, it can be broken, not easily and by no means quickly.. But it can feasibly be done.. especially if the images remain in stationary positions which I am guessing they will have to be in order to keep the kind of layout required for this set-up.. Maybe you can vary the position slightly but by no means you can drastically change the positioning without it being superbly hard for users to decipher..

I am not saying my way is the best way of them all but when you think about it all captchas can be broken, if a computer can store an image it has to be able to read it, right? It will just take time and patience on the part of the programmer.. So I ask a simple question, why not think about the future, we all know the current 2.x version of the captcha has been cracked, (FuntKlakow anybody?), and I certainly can see that this version, if used (I know big if), will be in time, I'm not saying a month or two, but if this product is going to have a shelf life of more than 6 months, which I am guessing it will, then a re-write of the captcha might well be needed, again. Why not build in an API that doesn't just rely on the brains of the developers, but on the wider community too? Obviously this is not going to mean that every Tom, Dick and Harry can be called a security expert and build extensions to the system that the public can trust and use, there will of course be a need for mediation but it's better than the developers having to stop for yet another interruption that could have been easily prevented months even years ago.

See my point?

Yawnster

dhn
Registered User
Posts: 1518
Joined: Wed Jul 04, 2001 8:10 am
Location: Around the corner

Re: New CAPTCHA

Post by dhn »

Yawnster wrote: we all know the current 2.x version of the captcha has been cracked, (FuntKlakow anybody?)
Actually I don't know whether that was ever proven to be correct. Fact is that the phpBB 2.0.x VCS can be broken, as a proof of concept shows. But there is no evidence to my knowledge that FuntKlakow used that weakness. Or any other bot for that matter.

robertmf
Registered User
Posts: 52
Joined: Wed Jul 23, 2003 5:20 pm
Location: In PA, 55 min. via commuter RR outside Filthadelphia

Re: New CAPTCHA

Post by robertmf »

Yawnster wrote:
Personally I feel that user customisation/randomisation is the only real possible way to go to prevent against this form of attack.. I think that although the new captcha you have devised David is great, it can be broken, not easily and by no means quickly.. But it can feasibly be done..

Yawnster
I know nix about designing a good CAPTCHA. Why not drop the [none] registrant account activation and just go with [user] and [admin] ?

DavidMJ
Registered User
Posts: 932
Joined: Thu Jun 16, 2005 1:14 am
Location: Great Neck, NY

Re: New CAPTCHA

Post by DavidMJ »

Yawnster wrote: Personally I feel that user customisation/randomisation is the only real possible way to go to prevent against this form of attack..
Sure, the waiting users can yell at you instead of me for implementing this feature. :D
Freedom from fear

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: New CAPTCHA

Post by EXreaction »

robertmf wrote:
Yawnster wrote:
Personally I feel that user customisation/randomisation is the only real possible way to go to prevent against this form of attack.. I think that although the new captcha you have devised David is great, it can be broken, not easily and by no means quickly.. But it can feasibly be done..

Yawnster
I know nix about designing a good CAPTCHA. Why not drop the [none] registrant account activation and just go with [user] and [admin] ?
True...that will really help this time (since the user registering can't add in personal details until after he registers...but since it will go that way, bots are just going to use random email accounts that work, and register themselves, then add in the info later)

With the way the phpBB3 registration is set up, I really don't see as many people targeting it...instead of just having to get by a VC, they would have to enter a real email account, figure out the VC, activate their account via email (should be turned to user by default...that would definitely help for the people that set up the board, and don't tweak anything), then log in, go to their profile page, and update the profile details...

It's much harder this time around...but then again, once they start doing that, it will be much harder to be able to stop them...since they will actually activate and you won't be able to tell who is a bot as easily...

Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK

Re: New CAPTCHA

Post by Yawnster »

DavidMJ wrote:
Yawnster wrote: Personally I feel that user customisation/randomisation is the only real possible way to go to prevent against this form of attack..
Sure, the waiting users can yell at you instead of me for implementing this feature. :D
What I proposed earlier was to include a forum within the MOD Development forums that specialised in producing new parts for the captcha system, phpBB is a big enough project that a number of people will jump forward to help and I'm sure that skilled enough people could produce captcha elements, I think that this topic itself shows, what is there, 5 or 6 people who have produced their own captchas? And this is just within this thread..

I would say that this is a step not to be taken lightly, and ultimately it will be down to a compromise, between ultimate security and developmental responsibilities, I mean do you guys want to be blamed for an insecure captcha element that perhaps I wrote, of course not.. But I feel that with the community support this project has that it would be silly not to harness it in some way or form to help with security in this way which requires obvious innovation..

Like I said earlier this would require mediation, but who says a small off shoot of the MOD Team couldn't handle the task?

As for user registration, I will add that there are already systems that can bypass email activation, unless my reading material from a few months back was incorrect, admittedly this would slow registration attempts down dramatically, but I am guessing, thinking about vague logistics, that within a 10 minute period 500-800 users could still be activated, and who checks their sites every 10 minutes? Not to put a total downer on this, and run the risk of impersonating AnthraX101, I feel that the registration experience is actually vastly improved upon from 2.x, the lack of immediate options is a real godsend from a spam prevention point of view, but it would only take a few more lines of code to login and update the options..

Anyway, enough reading material from me today.. /me goes off to try and work out how to match two images literally.. Yawnster
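
The post above argues that email activation only slows automated sign-ups and that nobody checks a board every 10 minutes. As an added example (not part of the thread and not phpBB code), a sliding-window check over an activation log can flag such bursts automatically; the log line format, the threshold of 50 and all sample data are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

def make_sample():
    """Constructed log lines: '<ISO timestamp> ACTIVATED <username>' (hypothetical format)."""
    base = datetime(2008, 5, 4, 12, 0, 0)
    lines = [f"{(base + timedelta(minutes=7 * i)).isoformat()} ACTIVATED human{i}"
             for i in range(6)]                        # organic: one every 7 minutes
    burst = base + timedelta(hours=2)
    lines += [f"{(burst + timedelta(seconds=i)).isoformat()} ACTIVATED bot{i}"
              for i in range(600)]                     # 600 activations in under 10 minutes
    lines.append("garbage line without a timestamp")   # malformed input must be tolerated
    return lines

def parse(lines):
    """Return sorted (timestamp, username) pairs, skipping malformed lines."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] != "ACTIVATED":
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[2]))
        except ValueError:
            continue
    return sorted(events)                              # logs may arrive out of order

def activation_bursts(lines, window=timedelta(minutes=10), threshold=50):
    """Return (start, end, peak_count) for each run with more than
    `threshold` activations inside a sliding `window`."""
    recent = deque()       # timestamps still inside the window
    bursts = []
    current = None         # burst being tracked, as [start, end, peak]
    for ts, _user in parse(lines):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) > threshold:
            if current is None:
                current = [recent[0], ts, len(recent)]
            else:
                current[1] = ts
                current[2] = max(current[2], len(recent))
        elif current is not None:
            bursts.append(tuple(current))
            current = None
    if current is not None:
        bursts.append(tuple(current))
    return bursts
```
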

ElbertF
Registered User
Posts: 583
Joined: Fri Dec 03, 2004 4:35 pm
Location: tracing..

Re: New CAPTCHA

Post by ElbertF »

Good idea, this could be a great community coding project. I'd also drop in a few lines of code :)
