why stick with letters and numbers?!?
We know that letters and numbers can easily be read by any OCR program. The current approach is to make it as hard as possible for the OCR software to determine which letter/number is being used.
Why not use normal small images? And let the user select from a dropdown box with, say for example, 10 possibilities what he can see on the image. You can randomize the pictures being used and you can randomize the options that a user can select. If you use a combination of enough pictures and possibilities I guess that the chance that the computer can guess the correct answer would be very small.
The only problem is that you have to make sure that there aren’t any confusing elements in the list, e.g. rabbit and hare. So obviously only one answer can be the correct one.
phpBB can be shipped with a series of images and answers that must be so common that every user, no matter where he or she lives, can describe what is on the image. The administrator can set after the installation a custom set of images and answers. That way every phpBB installation can have a unique captcha.
I think it would also be a good idea to have the board administrator enter a random key. This key could be used so every generating algorithm would be different.
I think I’m missing something.. so feedback why this would be a good/bad idea is appreciated.
Visual Confirmation
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
Re: Visual Confirmation
_Kilian_ wrote: why stick with letters and numbers?!?
We know that letters and numbers can easily be read by any OCR program. The current approach is to make it as hard as possible for the OCR software to determine which letter/number is being used.
Why not use normal small images? And let the user select from a dropdown box with, say for example, 10 possibilities what he can see on the image. You can randomize the pictures being used and you can randomize the options that a user can select. If you use a combination of enough pictures and possibilities I guess that the chance that the computer can guess the correct answer would be very small.
The only problem is that you have to make sure that there aren’t any confusing elements in the list, e.g. rabbit and hare. So obviously only one answer can be the correct one.
phpBB can be shipped with a series of images and answers that must be so common that every user, no matter where he or she lives, can describe what is on the image. The administrator can set after the installation a custom set of images and answers. That way every phpBB installation can have a unique captcha.
I think it would also be a good idea to have the board administrator enter a random key. This key could be used so every generating algorithm would be different.
I think I’m missing something.. so feedback why this would be a good/bad idea is appreciated.
I think that is rather a good idea.. but how exactly can you account for multiple language strings, plus if there is only ~10 possibilities from the dropbox that can easily be matched up against the picture URL from the code.. Just my first impressions.. But it's a fresh new idea which I can see working..
Yawnster
Re: Visual Confirmation
I agree it's an excellent idea. In fact, a UK bank have recently started using something similar as a security measure for internet banking, except in their case, when you register they show you a photo, and you have to enter a phrase that doesn't describe that photo, but that you associate with it. In future when you enter your customer, you see the same image, and your own phrase. If they match, you know it is safe to enter your password.
In relation to phpbb, accounting for languages is easy - translators translate the text for the pictures just like they do existing language files.
The problem would be that the image library could be stored in a spammer's database, and the downloaded image matched to the library. There would have to be some sort of image mangling to stop a match against a database, but still keep it human decipherable.
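One way the dropdown idea could avoid the URL-matching problem raised in the replies above, added here as an example and not code from phpBB or from any poster: the image URL and the option values are opaque per-challenge tokens keyed with the administrator's random key. The file names, labels, `captcha.php` and all function names are assumptions, and the sketch does not address matching the downloaded image itself against a stored library.

```php
<?php
// Added illustration, not phpBB code; every name below is hypothetical.
declare(strict_types=1);

const BOARD_KEY = 'admin-chosen-random-key-placeholder';   // constructed value
// Constructed library: image file => label (a language-file key in practice).
const LIBRARY = ['a.png' => 'CAT', 'b.png' => 'TREE', 'c.png' => 'BOAT',
                 'd.png' => 'CLOCK', 'e.png' => 'SHOE'];

/** Per-challenge option value: the same label gets a different token every time. */
function optionToken(string $id, string $label): string
{
    return hash_hmac('sha256', $id . '|' . $label, BOARD_KEY);
}

/** $store stands in for a server-side session table. */
function issueChallenge(array &$store): array
{
    // Opaque id; captcha.php (hypothetical) maps it to the file on the server side.
    $id    = bin2hex(random_bytes(16));
    $files = array_keys(LIBRARY);
    $file  = $files[random_int(0, count($files) - 1)];
    $store[$id] = ['file' => $file, 'answer' => LIBRARY[$file]];

    $options = [];
    foreach (LIBRARY as $label) {
        $options[] = ['value' => optionToken($id, $label), 'label' => $label];
    }
    shuffle($options);                    // order carries no information either
    return ['image_url' => 'captcha.php?c=' . $id, 'options' => $options];
}

/** Single use: any submission, right or wrong, consumes the challenge. */
function verify(array &$store, string $id, string $submitted): bool
{
    if (!isset($store[$id])) { return false; }   // unknown, expired or replayed id
    $expected = optionToken($id, $store[$id]['answer']);
    unset($store[$id]);
    return hash_equals($expected, $submitted);
}

/** Pass rate of uniform random guessing over $tries fresh challenges with $k options. */
function blindGuessPassRate(int $k, int $tries): float
{
    return 1.0 - (1.0 - 1.0 / $k) ** $tries;
}

$store = []; $ch = issueChallenge($store);
printf("%s with %d options\n", $ch['image_url'], count($ch['options']));
printf("10 options, 3 tries: %.1f%% pass by guessing\n", 100 * blindGuessPassRate(10, 3));
```

With ten options and three attempts, uniform guessing alone passes roughly 27% of the time, so the number of options or the attempt limit matters as much as hiding the file names.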
- Cheater512
- Registered User
- Posts: 245
- Joined: Thu Mar 23, 2006 1:29 am
- Location: Brisbane, Australia
- Contact:
Re: Visual Confirmation
People know what a Captcha is. When you start doing weird things then they get confused.
It's not too hard to make it extremely hard to OCR.
Take a look at this:

That's just two extra lines in phpBB's code.
Oh btw Symbols wouldn't confuse most OCR software.
-
- Registered User
- Posts: 198
- Joined: Fri Jan 02, 2004 3:44 pm
- Location: United Kingdom
- Contact:
Re: Visual Confirmation
Cheater512 wrote: People know what a Captcha is. When you start doing weird things then they get confused.
It's not too hard to make it extremely hard to OCR.
Take a look at this:
That's just two extra lines in phpBB's code.
Oh btw Symbols wouldn't confuse most OCR software.
Oh, it's harder than you think. Here's the result after a few simple image operations on that image using GD and 61 lines of PHP:
It's harder than it looks because it is easy to break down a CAPTCHA into simple ideas with which to break it. Also, you're running from the default setup. So the letters have the same y-offset as the default, there's the same range, limits, etc.
If you're going to modify phpBB's captcha, I would first suggest to start by changing the default letters..
NeoThermic
phpBB release date pool!
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
- Cheater512
- Registered User
- Posts: 245
- Joined: Thu Mar 23, 2006 1:29 am
- Location: Brisbane, Australia
- Contact:
Re: Visual Confirmation
Actually that is still very difficult for OCR to read.
I just tried it (limiting it to the upper case alphabet and numbers) and gibberish came out.
It's primarily because your code has destroyed any recognisable outline. Plus all those spots everywhere distract the OCR.
Re: Visual Confirmation
First off, although I know what CAPTCHAs and OCRs are (the basics only, mind you), I have never tried to make one myself. However, it strikes me that the fact that the string is produced from a set list gives you a very nice option.
Wouldn't it work if the admin panel had a section that forced a user, on their first visit, to change the characters in the string? Not just the order, but the actual characters used.
Also, how about rotation and things like that? If everything regarding the way the CAPTCHA was built was forced to be tweaked on the first visit to the admin panel, wouldn't that make, well, a whole lot of variables. Thus making it almost impossible to use the same system that cracked one board to crack another.
Or have I gone completely out to lunch?
"And that's why I always wear a seatbelt. Thousands of people die every year from car accidents. So buckle up. Why... Agent Smith never buckles up. Or Hitler. You don't want to be like Hitler, do you? So make the right choice. Be The One, in safety. Brought to you by the Zion Department of Matrix Safety." ~ Neo, The Matrix Still Has You
- pentapenguin
- Registered User
- Posts: 618
- Joined: Sun Jul 18, 2004 6:07 pm
- Location: GA, USA
- Contact:
Re: Visual Confirmation
code reader wrote: 1) by choosing a live project, which keeps on improving, you get a "free ride": whenever they add something to improve performance, functionality or security, your project can assimilate the advantage with very little effort.
And you have to keep your code in sync with third party code? That can be hard to do and it's inconvenient to say the least....
phpBB.com Support Team Member and Incident Investigation Team Member
My phpBB MODs || Professional phpBB Customization, Transfers, and Conversions
-
- Registered User
- Posts: 198
- Joined: Fri Jan 02, 2004 3:44 pm
- Location: United Kingdom
- Contact:
Re: Visual Confirmation
Cheater512 wrote: Actually that is still very difficult for OCR to read.
I just tried it (limiting it to the upper case alphabet and numbers) and gibberish came out.
It's primarily because your code has destroyed any recognisable outline. Plus all those spots everywhere distract the OCR.
Well, here's the killer: that image is good enough to do shape matching with phpBB's default VC letters. After playing about with various orders of operations, the outline of all the letters was sufficient and not broken (actually I only needed to get the D to be fixed).
The script I made then works through the image doing some simple checks, and then compares the characteristics of each character to a pre-built list of characteristics. Using this method, I'm able to fully read the image without problem with an 80% accuracy over 10 images. To put that into perspective, I only need a 33% accuracy over 10 images to get past the default 3 try limit which your CAPTCHA will be running from.
NeoThermic
phpBB release date pool!
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です
- Cheater512
- Registered User
- Posts: 245
- Joined: Thu Mar 23, 2006 1:29 am
- Location: Brisbane, Australia
- Contact:
Re: Visual Confirmation
Wait, are you using the default phpBB one or my improved one?
I've already cracked the default phpBB one with 100% accuracy and submitted my script to the bug tracker.
Did I mention it cracks it in 0.024s on my P4 2.4GHz?
I'm using standard OCR software too. Nothing special.