Security is about balancing costs and risks; nothing is impossible to beat, especially not typical CAPTCHA implementations, but they do add something no other system seems to offer.
I’ve been reading around about these CAPTCHAs for a while and possible alternatives… (so please don’t refer me to other sites/answers unless they truly answer the following question).
I have no experience whatsoever, so for me it is hard to estimate the costs and risks associated with this decision: should I employ CAPTCHAs (I’m thinking of JCaptcha or reCaptcha), or are a combination of other techniques enough?
EDIT: Thank you so much for your answers; it certainly has helped me clarify ideas, especially the link to OWASP about avoiding brute-force attacks (got my +1, but I did not accept it since it didn’t feel like a solution, though it does help find one. If you think I should accept it because I find it the best answer so far, please comment saying so, since I may be misinterpreting the workings of the site).
On the other hand Asirra is quite fun and easy, and a lot better than traditional CAPTCHAs, I certainly would recommend it over other services. The puzzle is a lot more fun, and even if you fail, you would only fail once… pity:
Asirra is still in beta-testing; the service and its API may both be unstable.
Final Edit: Just in case it is found useful, here are the steps I’ve taken to ensure users are not bothered by CAPTCHAs but I feel safe from bots.
- honeypot field (so easy to implement that it cost me nothing, though I don’t feel very secure with it).
- e-mail verification link (or OAuth access), since it was always in my plans to add it. Only validated users are migrated to my user table; the rest stay as registered.
- time check: server time-stamp with signature loaded through ajax, user needs to take at least 5 seconds to fill the form before sending (the password) or it is discarded.
- confirmation page (with server signed token to ensure the request has passed through the server first) after registration that warns the user that confirmation e-mail is required and has a button to send the confirmation e-mail. (In which case the data is also registered on the DB)
This will not stop a very dedicated attacker, but I hope they will not want to spend hours and hours tuning their attack to gain nothing, just bothering me.
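The signed-timestamp and honeypot checks from the steps above, as an added example (not code from the original post); the field names `form_token` and `website`, the one-hour token lifetime and the in-memory secret are assumptions:

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side key; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)
MIN_FILL_SECONDS = 5       # the "at least 5 seconds" rule from the post
MAX_TOKEN_AGE = 3600       # assumed: reject tokens older than one hour


def issue_form_token(now=None):
    """Served through the AJAX call: a UNIX timestamp plus an HMAC over it,
    so the client cannot forge or back-date the time the form was loaded."""
    ts = str(int(time.time() if now is None else now))
    sig = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def check_registration(form, now=None):
    """Validate a POSTed form dict. Returns (accepted, reason)."""
    now = time.time() if now is None else now

    # 1. Honeypot: the hidden field must stay empty (bots tend to fill every input).
    if form.get("website"):                      # hypothetical honeypot field name
        return False, "honeypot filled"

    # 2. Signed timestamp: present, numeric, untampered, and at least 5 s old.
    ts, _, sig = form.get("form_token", "").partition(".")
    if not ts.isdigit() or not sig:
        return False, "missing token"
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "bad signature"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_TOKEN_AGE:
        return False, "token expired"
    return True, "ok"
```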
Google has come up with a new technique called reCaptcha that is simpler and reportedly more reliable than existing solutions.
It consists of a single checkbox that, when clicked, sends metadata to Google’s servers, which in turn use some proprietary AI to determine whether the click originated from within a script or from a human.
See this VentureBeat article for additional information.
Thinking outside the box…
In most cases this applies: The business purpose for CAPTCHAs is to identify that the person accessing a page is a human being. The underlying reason for needing to know if it’s a human is to prevent automated form submission, and the main reason for preventing that is to prevent brute force attacks.
So the ultimate purpose of a CAPTCHA in most cases is as a tool to prevent brute-force attacks.
If this is your underlying reason for wanting to use a Captcha, read on. Note that there are other reasons for using CAPTCHAs, and these suggestions may or may not be applicable.
That said, there are alternatives to CAPTCHA for preventing brute-force attacks. The OWASP web site lists a few with pros and cons of each approach:
1. Locking Accounts
The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator. However, account lockout is not always the best solution, because someone could easily abuse the security measure and lock out hundreds of user accounts. In fact, some Web sites experience so many attacks that they are unable to enforce a lockout policy because they would constantly be unlocking customer accounts.
The problems with account lockouts are:
- An attacker can cause a denial of service (DoS) by locking out large numbers of accounts.
- Because you cannot lock out an account that does not exist, only valid account names will lock. An attacker could use this fact to harvest usernames from the site, depending on the error responses.
- An attacker can cause a diversion by locking out many accounts and flooding the help desk with support calls.
- An attacker can continuously lock out the same account, even seconds after an administrator unlocks it, effectively disabling the account.
- Account lockout is ineffective against slow attacks that try only a few passwords every hour.
- Account lockout is ineffective against attacks that try one password against a large list of usernames.
- Account lockout is ineffective if the attacker is using a username/password combo list and guesses correctly on the first couple of attempts.
- Powerful accounts such as administrator accounts often bypass lockout policy, but these are the most desirable accounts to attack. Some systems lock out administrator accounts only on network-based logins.
- Even once you lock out an account, the attack may continue, consuming valuable human and computer resources.
2. Inject random pauses when checking a password.
Adding even a few seconds’ pause can greatly slow a brute-force attack but will not bother most legitimate users as they log in to their accounts.
3. Lock out an IP address with multiple failed logins
4. Design your Web site not to use predictable behavior for failed passwords.
As for this:
I have a registration form to be filled, but I don’t want my user table to be filled with trash.
In your particular case, I’d go with a two-tier approach:
First, I’d use the “Inserting random pause” option just to limit how many bogus submissions could be entered in the first place.
To deal with potentially bogus registration attempts, use a verification mechanism. Register them but not as active, send them an email with an “Activation” link. For those that activate – at least you know you have a valid email address of someone who actually wants to register. Then implement a scheduled task that automatically deletes un-activated accounts after X hours or X days.
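Items 1, 3 and 4 of the OWASP list above (account lockout, per-IP lockout, and an identical response for every failure) as an added example; this is not the answerer's or OWASP's code, and the limits, the 15-minute window and the plain-text user table are assumptions made to keep it short:

```python
import time
from collections import defaultdict

# Assumed policy values, not taken from the OWASP text.
ACCOUNT_LIMIT = 5                 # failures before an account is locked
IP_LIMIT = 20                     # failures before a source IP is locked
WINDOW = 15 * 60                  # counting / lockout window in seconds
GENERIC_ERROR = "Invalid username or password"   # item 4: one message for all failures


class LoginThrottle:
    """Sliding-window failure counters keyed by account and by source IP.
    The per-IP counter catches "one password against many usernames";
    the per-account counter catches "many passwords against one username".
    Caveat from the list above: an attacker can still lock a victim's account."""

    def __init__(self):
        self.failures = defaultdict(list)        # key -> failure timestamps

    def _count(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW]
        return len(self.failures[key])

    def is_blocked(self, username, ip, now):
        return (self._count(("user", username), now) >= ACCOUNT_LIMIT
                or self._count(("ip", ip), now) >= IP_LIMIT)

    def record_failure(self, username, ip, now):
        self.failures[("user", username)].append(now)
        self.failures[("ip", ip)].append(now)


def attempt_login(throttle, users, username, password, ip, now=None):
    """users: dict username -> password (plain text only for brevity).
    Returns (ok, message). The throttle is consulted before the credential
    check, and a failure is recorded even for unknown usernames, so the
    response and the lock behave the same whether or not the account exists."""
    now = time.time() if now is None else now
    if throttle.is_blocked(username, ip, now):
        return False, GENERIC_ERROR
    if users.get(username) is not None and users[username] == password:
        return True, "welcome"
    throttle.record_failure(username, ip, now)
    return False, GENERIC_ERROR
```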
One alternative to a classic captcha is Microsoft Asirra (which I consider quite interesting). Instead of reading scrambled text, you have to select the cats from pictures containing either cats or dogs.
They have over 3 million photos, so you should be safe against the more determined attackers. It is not very probable that someone will index all these images just to fill your database with junk, and moreover, the chance of not being able to select the cats from the first try is low.
UPDATE: Google can solve Cat Captchas.
Captcha is not a solution at all!
There is an overall captcha killer which could pass every existing captcha and even those not yet invented!
It’s based on social engineering:
Simple and easy, a 15 year old spammer student could build this:
- Build a trivial free puzzle captcha game site, looking harmless:
- Little funny game, playing with many captcha for accessing further game level
- … leave users playing with captchas …
- By a simple server script, when a captcha is asked for, the server goes to the target site to get the target’s captcha, then forwards it to the players of the captcha game site.
- The players will try to answer captchas as quickly as possible to reach the second game level.
- The server simply has to forward captcha checks and answers between the target site (the real victim) and the gamers (unwanted complicity: collateral victims).
- With each captcha successfully passed, the server could create one spammer account on the target…
A network human assistance… for bots.
Where robots could use people’s help for doing their (bad) work.
A big thanks to @GennadyVanin–ГеннадийВанин for the idea of an attractive free puzzle game captcha! The first idea was to create a barely legal porn or money-maker site and use captchas for validating new accounts.
This idea of a captcha puzzle game adds:
- a trivial site (not barely legal)
- more than one captcha will be resolved by one user.
There are several ways to prevent spam, from Bayesian tools to mail confirmation based on PGP.
Just one sample: you could use bogofilter with progressive policies:
At the beginning, every post on your blog will be submitted to your bogofilter environment…
At first, all posts have to be manually validated (grey list), while teaching bogofilter.
Once enough spam and ham have been reviewed, your bogofilter becomes able to
- validate a lot of posts automatically
- reject a lot of posts automatically and efficiently
- then grey-list some new posts that are not well classified… which will be manually validated, teaching bogofilter again… and again… (see my comment ;)
Of course, this will require active monitoring; it is not perfect at all, and sometimes some tuning and post retrieval could be useful…
- CAPTCHAs consume a lot of time,
- will always become hackable,
- may be confusing, and
- don’t add to the prettiness of a welcome page!
An alternative to images is human-interpretable questions, but this could incur some development cost. Strategies I’ve seen:
- user-identifiable images: trialled by a UK bank; they asked users to upload photos of people they knew and did a multiple-choice with other random photos, “Who’s your aunt?”. Worked well until it was totally abused. 🙂 Please note this is really just an “alternative password” strategy and thus has the same problems.
- arithmetic questions: “what is 10 divided by 2?” with some entropy on the format and mechanisms used to formulate the sentence, e.g. “what is ten divided by 2?”
- puzzle: multiple-choice questions that describe a photo, e.g. a blue house on a green field.
Please be aware that NONE of these will pass disability legislation. Where I live (UK) the RNIB and their consultancy arm Foviance will threaten large companies for using non-DDA compliant mechanisms. The big problem I’ve always faced is that the security is only as strong as the weaker of the two strategies (if you also provide a DDA compliant mechanism).
Spam bots are already smart enough to do Google searches, so something like asking the color of the sky is pretty ineffective. Generally things like simple math word problems or pictures with math problems can be reasonably effective. nuCaptcha is an animated captcha which is much easier to read though I’m not sure if it has been broken yet or not. IP black lists are pretty effective at recognizing common spammers and blocking them. There are also domain blacklists that look for any links to known spam sites by users as well as known spam e-mail accounts. Requiring a user to click a link sent to them in e-mail is also helpful as it forces the e-mail address used to be legit.
I’m pretty sure Microsoft’s Asirra project is dead, or at least no longer actively supported. There’s another, similar, approach called Confident CAPTCHA that is pretty much the same thing — users are asked to click on a couple of pictures to prove they’re human. It also has an audio option for the visually impaired, which Asirra does not.
Huh, I failed even to find any question.
A CAPTCHA is not a synonym for antispam protection, and there are NO spam bots without human spammers behind them. Spam is created by humans, sometimes bot-assisted, and requested and paid for by humans.
There is no spam created by bots themselves and ordered and paid for by machines. Those are called viruses.
At the root, spam protection is protection against spammers, i.e. humans. And a CAPTCHA, by definition, is not protection from humans; it is a Completely Automated Public Turing test to tell Computers and Humans Apart. It can be used as prevention against bot-assisted posting.
Also, bot-assisted posting is not a synonym for spam. Most social networking is based on bot-assisted sharing of articles, news, re-posting and retweeting by schedule.
There will be no solution to a never-formulated but only hinted-at question with never-formulated terms (what is spam, a spammer, etc.).
And it is quite naive to seek a universal silver bullet once, for everything and forever, against creative human spammers.
Maybe client puzzles are a solution. The idea is to let the client perform a computationally intensive operation that is easy to verify by the server. The idea is to gradually increase the complexity of the operation.
A one-way hash is such an operation that can be used. On the first submission of a form you can have the client find a word whose md5 checksum ends with a specific character. This can be found reasonably quickly and is even faster for the server to verify. If somebody tries to brute force your service, you require more matching characters of the checksum, making the puzzle harder for the client.
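The client puzzle described in this answer, as an added example that is not the answerer's code: the server hands out one-shot challenges whose required number of trailing zero hex digits grows with the client's submission count (assumed: one extra digit per 10 submissions), the client brute-forces a nonce, and the server verifies with a single hash. MD5 is used only because the answer names it; here it serves as a cost function, not as a collision-resistant hash.

```python
import hashlib
import secrets


def matches(challenge, nonce, difficulty):
    """True when md5(challenge:nonce) ends with `difficulty` zero hex digits."""
    digest = hashlib.md5(f"{challenge}:{nonce}".encode()).hexdigest()
    return digest.endswith("0" * difficulty)


class PuzzleServer:
    """Issues single-use challenges and tracks how hard each client's next one is."""

    def __init__(self):
        self.pending = {}       # challenge -> difficulty (consumed on redeem)
        self.submissions = {}   # client id (e.g. source IP) -> redeemed count

    def issue(self, client):
        # Assumed policy: difficulty 1, +1 trailing digit per 10 submissions.
        # Each extra digit multiplies the client's expected work by 16.
        difficulty = 1 + self.submissions.get(client, 0) // 10
        challenge = secrets.token_hex(8)         # random so answers cannot be precomputed
        self.pending[challenge] = difficulty
        return challenge, difficulty

    def redeem(self, client, challenge, nonce):
        # pop() makes every challenge single-use, so a found nonce cannot be replayed.
        difficulty = self.pending.pop(challenge, None)
        if difficulty is None:
            return False
        self.submissions[client] = self.submissions.get(client, 0) + 1
        return matches(challenge, nonce, difficulty)  # one hash: cheap for the server


def solve(challenge, difficulty, limit=5_000_000):
    """Client side: brute-force the nonce. Expected cost is 16**difficulty hashes."""
    for nonce in range(limit):
        if matches(challenge, nonce, difficulty):
            return nonce
    raise RuntimeError("no solution within limit")
```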
I think that CAPTCHA’s day is over. It cannot be secure when there are websites offering to solve 1000 for 3 dollars all over Google if you do a search. It is widely known that a lot of spamming these days is by humans in countries with emerging economies as opposed to machines. I personally hate CAPTCHA and I use software called RUMOLA to read and fill them in for me and, although I just use this software to make blogging less frustrating, it just proves that for a little money you can get past all CAPTCHAs… PS. If you feel the same way as me about CAPTCHA you can try RUMOLA at skipinput.com
I have a suggestion: give the user a picture similar to a captcha image, but that image will contain a simple mathematical expression like 55+12. The user has to enter the answer to that expression, 67 in this case.
To improve security you can dynamically create the image, or you can use a set of predefined images.
You might want to check out “are you a human.” It reminds me of what Asirra is trying to do.