Heyes Captcha
Saturday, 26 May 2007
I’ve spent a lot of research over the last few weeks trying to create a different type of captcha. The basic idea is to try and produce one without images and try to make it as accessible as possible. I started off with a checkbox idea which allowed you to choose different fruits, this was easily broken by the clever guys over at sla.ckers.org forum (Trev, kuza55), so I took the useful info I gathered from their techniques in breaking this simple captcha and started to create a new one.
The new captcha uses code from my Keypress authorisation technique and the basic idea is you hold keys down for a number of seconds, this makes it difficult for an attacker to reproduce the key presses with executing the javascript. Of course the attacker could just scan the source code to gather the correct key presses, this is were my next technique comes into play, random javascript code is created which is stored by the server which is then compared against the client version, then the combination is hashed using md5 and then sent to the server.
Update…
I’ve had some great feedback on my captcha, WhiteAcid from the Slackers forum in particular has been very helpful in highlighting the problems with javascript protection. I plan to update my captcha soon so watch this space…
My question is, can it be automated? …..
It turns out yes it can via javascript, although server side it would be more difficult.
Source code released
I’ve decided to release the source code for my captcha, I’m currently working on timing based protection so the will be another update shortly. If anyone wishes to contribute to the development, please let me know and I will be happy to include your code and credits.
No. 1 — May 26th, 2007 at 11:04 pm
I don’t think a captcha like this would be good for many people.
For example:
1. It is taking too long, waiting 5 seconds to post a nice comment?
2. it require JS, some people don’t have them
3. the first time I use it, I go pass the time >.
No. 2 — May 27th, 2007 at 12:17 am
The reason there is a time delay at the moment is because it would prevent manual bulk submissions (for example if someone was paid to submit the captcha on a site) this could be disabled or reduced to reduce the annoyance.
No way to get round the javascript issue I’m afraid but Javascript is required to use the majority of web sites anyway.
No. 3 — May 28th, 2007 at 10:54 am
IMHO if you require JS then implement a unobtrusive solution. Perhaps a timer in the textarea which times the seconds it took to write N chars, if that check fails (either an automated program or cut-and-paste) then route the visitor to the ‘captcha’.
I would certainly be interested in some clever JS checks like computing the time-per-char ratio as above or the path described by the mouse, which in most cases could separate legit visitors from spammers.
No. 4 — May 29th, 2007 at 8:31 am
Yep good idea, I was experimenting with producing a js based captcha that would also slow down manual submissions, which was the logic behind this method.
I could add some timer checks but of course they could be faked with enough variance from an average time. It is a difficult problem to solve because the attacker can see and manipulate anything you can.