- Subject: Re: Simple CAPTCHA?
- From: Mike Pall <mikelu-0708@...>
- Date: Sun, 19 Aug 2007 22:25:37 +0200
> Anyone has a suggestion for a simple (simplistic?) CAPTCHA mechanism?
[ ] Check this box if you are human
Don't insert anything in this field: [ ]
It helps to make the internal names of the input fields random
with some (slow) time variation. Should work well enough unless
you're designing Yahoo's account creation page. Don't raise the
barrier higher than you need to -- diversity helps here.
> Here is a rather feeble attempt which generates a simple mathematical
> question (e.g. 27 + 58), compute its result (85), and generates a HMAC
> of the challenge using its result as the key (e.g. HMAC( '85', '27 +
> 58' ) ) for later validation:
Umm, you need to protect against replay attacks ... and there are
many more known attacks against CAPTCHAs. If circumventing them
makes big money, somebody will find a way to do it. So, unless
you continually evolve your CAPTCHAs, you'll lose the game:
But if you must ... try to avoid reinventing the wheel:
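
The checkbox-plus-empty-field form with randomized, slowly rotating input names described above, as an added example that is not part of the original message. Deriving the names with an HMAC over a time-window index is one assumed way to do it; SECRET, WINDOW and all function names are hypothetical.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site server-side secret
WINDOW = 6 * 3600                    # assumption: field names rotate every 6 hours


def field_names(window_index, secret=SECRET):
    """Derive the (checkbox, trap) input names for one time window."""
    def name(role):
        msg = f"{role}:{window_index}".encode()
        # Leading letter keeps the value a valid-looking form field name.
        return "f" + hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]
    return name("human"), name("trap")


def render_fields(now=None):
    """HTML for the two fields, using the names of the current window."""
    now = time.time() if now is None else now
    human, trap = field_names(int(now // WINDOW))
    return (
        f'<label><input type="checkbox" name="{human}" value="1"> '
        "Check this box if you are human</label>\n"
        "<label>Don't insert anything in this field: "
        f'<input type="text" name="{trap}"></label>'
    )


def check_submission(form, now=None):
    """True only if the box is checked and the trap field came back empty."""
    now = time.time() if now is None else now
    current = int(now // WINDOW)
    # Also accept the previous window, so a page loaded just before a
    # rotation can still be submitted.
    for index in (current, current - 1):
        human, trap = field_names(index)
        if human in form or trap in form:
            return form.get(human) == "1" and form.get(trap, "") == ""
    return False  # names from neither window: stale page or hard-coded script
```

A script that hard-codes field names scraped once stops working after two rotations, while a visitor who loaded the page shortly before a rotation is still accepted.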