Visual Confirmation

Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here.
_Kilian_
Registered User
Posts: 46
Joined: Mon Mar 29, 2004 10:14 am
Location: Rotterdam, Netherlands

Re: Visual Confirmation

Post by _Kilian_ »

Why stick with letters and numbers?!?

We know that letters and numbers can easily be read by any OCR program. The current approach is to make it as hard as possible for the OCR software to determine which letter/number is being used.

Why not use normal small images? And let the user select from a dropdown box with, say for example, 10 possibilities what he can see on the image. You can randomize the pictures being used and you can randomize the options that a user can select. If you use a combination of enough pictures and possibilities I guess that the chance that the computer can guess the correct answer would be very small.

The only problem is that you have to make sure that there aren't any confusing elements in the list, e.g. rabbit and hare. So obviously only one answer can be the correct one.

phpBB can be shipped with a series of images and answers that must be so common that every user, no matter where he or she lives, can describe what is on the image. The administrator can set after the installation a custom set of images and answers. That way every phpBB installation can have a unique captcha.

I think it would also be a good idea to have the board administrator enter a random key. This key could be used so every generating algorithm would be different.

I think I’m missing something.. so feedback why this would be a good/bad idea is appreciated.

Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK

Re: Visual Confirmation

Post by Yawnster »

_Kilian_ wrote: Why stick with letters and numbers?!?

We know that letters and numbers can easily be read by any OCR program. The current approach is to make it as hard as possible for the OCR software to determine which letter/number is being used.

Why not use normal small images? And let the user select from a dropdown box with, say for example, 10 possibilities what he can see on the image. You can randomize the pictures being used and you can randomize the options that a user can select. If you use a combination of enough pictures and possibilities I guess that the chance that the computer can guess the correct answer would be very small.

The only problem is that you have to make sure that there aren't any confusing elements in the list, e.g. rabbit and hare. So obviously only one answer can be the correct one.

phpBB can be shipped with a series of images and answers that must be so common that every user, no matter where he or she lives, can describe what is on the image. The administrator can set after the installation a custom set of images and answers. That way every phpBB installation can have a unique captcha.

I think it would also be a good idea to have the board administrator enter a random key. This key could be used so every generating algorithm would be different.

I think I'm missing something.. so feedback why this would be a good/bad idea is appreciated.

I think that is rather a good idea.. but how exactly can you account for multiple language strings, plus if there are only ~10 possibilities from the dropbox that can easily be matched up against the picture URL from the code.. Just my first impressions.. But it's a fresh new idea which I can see working..

Yawnster

profpete
Registered User
Posts: 140
Joined: Wed Dec 08, 2004 10:49 pm
Location: Wales, UK

Re: Visual Confirmation

Post by profpete »

I agree it's an excellent idea. In fact, a UK bank have recently started using something similar as a security measure for internet banking, except in their case, when you register they show you a photo, and you have to enter a phrase that doesn't describe that photo, but that you associate with it. In future when you enter your customer, you see the same image, and your own phrase. If they match, you know it is safe to enter your password.

In relation to phpBB, accounting for languages is easy - translators translate the text for the pictures just like they do existing language files.

The problem would be that the image library could be stored in a spammer's database, and the downloaded image matched to the library. There would have to be some sort of image mangling to stop a match against a database, but still keep it human decipherable.
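
An added sketch, not part of the thread and not phpBB code, of how the image-selection idea could be served so that the picture URL does not give away the answer: the client only ever sees a per-challenge token derived from the administrator's secret key, each challenge is single use, and failures are counted. The image set, function names and `vc_image.php` URL are hypothetical, and the sketch does nothing about matching the downloaded image bytes against a known library, which still needs the image mangling described above.

```php
<?php
declare(strict_types=1);
// Added illustration, not phpBB code. Image set, names and URL are hypothetical.
const IMAGES = ['a.png' => 'cat', 'b.png' => 'car', 'c.png' => 'tree', 'd.png' => 'boat'];
const MAX_FAILS = 3;   // try limit, as mentioned in the thread

function issue_challenge(array &$session, string $boardKey): array
{
    $files = array_keys(IMAGES);
    $file  = $files[random_int(0, count($files) - 1)];
    $nonce = bin2hex(random_bytes(16));
    $session['vc'] = ['file' => $file, 'nonce' => $nonce];
    // The client sees only a per-challenge token keyed with the admin's secret,
    // so the image URL differs every time and cannot be mapped to an answer.
    $token   = hash_hmac('sha256', $nonce, $boardKey);
    $options = array_values(IMAGES);
    shuffle($options);
    return ['image_url' => 'vc_image.php?t=' . $token, 'options' => $options];
}

// Called by the (hypothetical) image script: token -> file, or null if stale/forged.
function resolve_image(array $session, string $token, string $boardKey): ?string
{
    if (!isset($session['vc'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $session['vc']['nonce'], $boardKey);
    return hash_equals($expected, $token) ? $session['vc']['file'] : null;
}

function check_answer(array &$session, string $answer): bool
{
    if (!isset($session['vc']) || ($session['fails'] ?? 0) >= MAX_FAILS) {
        return false;
    }
    $ok = hash_equals(IMAGES[$session['vc']['file']], $answer);
    unset($session['vc']);   // single use: no walking the dropdown on one picture
    $session['fails'] = $ok ? 0 : ($session['fails'] ?? 0) + 1;
    return $ok;
}

// Chance that blind guessing passes within $tries fresh challenges.
function blind_guess_rate(int $options, int $tries): float
{
    return 1 - (1 - 1 / $options) ** $tries;
}

$session = [];
$challenge = issue_challenge($session, 'per-board secret set by the admin');
printf("%s %.3f\n", $challenge['image_url'], blind_guess_rate(10, 3));
```

With 10 options and 3 tries a blind guesser passes about 27% of the time, so the number of options and the try limit matter as much as the image set. A failure counter kept only in the session resets when the client drops its cookie, so a real deployment would also count failures per IP address or per registration.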

Cheater512
Registered User
Posts: 245
Joined: Thu Mar 23, 2006 1:29 am
Location: Brisbane, Australia

Re: Visual Confirmation

Post by Cheater512 »

People know what a Captcha is. When you start doing weird things then they get confused. ;)

It's not too hard to make it extremely hard to OCR.
Take a look at this:

Image

That's just two extra lines in phpBB's code.

Oh btw symbols wouldn't confuse most OCR software.

NeoThermic
Registered User
Posts: 198
Joined: Fri Jan 02, 2004 3:44 pm
Location: United Kingdom

Re: Visual Confirmation

Post by NeoThermic »

Cheater512 wrote: People know what a Captcha is. When you start doing weird things then they get confused. ;)

It's not too hard to make it extremely hard to OCR.
Take a look at this:

Image

That's just two extra lines in phpBB's code.

Oh btw symbols wouldn't confuse most OCR software.

Oh, it's harder than you think. Here's the result after a few simple image operations on that image using GD and 61 lines of PHP:

Image

It's harder than it looks because it is easy to break down a CAPTCHA into simple ideas with which to break it. Also, you're running from the default setup. So the letters have the same y-offset as the default, there's the same range, limits, etc.

If you're going to modify phpBB's captcha, I would first suggest to start by changing the default letters..

NeoThermic

Cheater512
Registered User
Posts: 245
Joined: Thu Mar 23, 2006 1:29 am
Location: Brisbane, Australia

Re: Visual Confirmation

Post by Cheater512 »

Actually that is still very difficult for OCR to read.
I just tried it (limiting it to the upper case alphabet and numbers) and gibberish came out.
It's primarily because your code has destroyed any recognisable outline. Plus all those spots everywhere distract the OCR.

Thoth
Registered User
Posts: 5
Joined: Mon Dec 13, 2004 5:45 pm

Re: Visual Confirmation

Post by Thoth »

First off, although I know what CAPTCHAs and OCRs are (the basics only, mind you), I have never tried to make one myself. However, it strikes me that the fact that the string is produced from a set list gives you a very nice option.

Wouldn't it work if the admin panel had a section that forced a user, on their first visit, to change the characters in the string? Not just the order, but the actual characters used.
Also, how about rotation and things like that? If everything regarding the way the CAPTCHA was built was forced to be tweaked on the first visit to the admin panel, wouldn't that make, well, a whole lot of variables. Thus making it almost impossible to use the same system that cracked one board to crack another.

Or have I gone completely out to lunch?

pentapenguin
Registered User
Posts: 618
Joined: Sun Jul 18, 2004 6:07 pm
Location: GA, USA

Re: Visual Confirmation

Post by pentapenguin »

code reader wrote: 1) by choosing a live project, which keeps on improving, you get a "free ride": whenever they add something to improve performance, functionality or security, your project can assimilate the advantage with very little effort.

And you have to keep your code in sync with third party code? That can be hard to do and it's inconvenient to say the least....

NeoThermic
Registered User
Posts: 198
Joined: Fri Jan 02, 2004 3:44 pm
Location: United Kingdom

Re: Visual Confirmation

Post by NeoThermic »

Cheater512 wrote: Actually that is still very difficult for OCR to read.
I just tried it (limiting it to the upper case alphabet and numbers) and gibberish came out.
It's primarily because your code has destroyed any recognisable outline. Plus all those spots everywhere distract the OCR.

Well, here's the killer: that image is good enough to do shape matching with phpBB's default VC letters. After playing about with various orders of operations, the outline of all the letters was sufficient and not broken (actually I only needed to get the D to be fixed).

The script I made then works through the image doing some simple checks, and then compares the characteristics of each character to a pre-built list of characteristics. Using this method, I'm able to fully read the image without problem with an 80% accuracy over 10 images. To put that into perspective, I only need a 33% accuracy over 10 images to get past the default 3 try limit which your CAPTCHA will be running from.

NeoThermic

Cheater512
Registered User
Posts: 245
Joined: Thu Mar 23, 2006 1:29 am
Location: Brisbane, Australia

Re: Visual Confirmation

Post by Cheater512 »

Wait, are you using the default phpBB one or my improved one?

I've already cracked the default phpBB one with 100% accuracy and submitted my script to the bug tracker.
Did I mention it cracks it in 0.024s on my P4 2.4GHz? :lol:
I'm using standard OCR software too. Nothing special.
