WebApp Sec mailing list archives
Re: Account Lockouts
From: Alexander Klimov <alserkli () inbox ru>
Date: Tue, 7 Dec 2004 11:28:57 +0200 (IST)
On Sun, 5 Dec 2004, The Amazing Dragon wrote:
From: Mark Burnett <mb () xato net>

There has been some talk of CAPTCHAs in this thread and I wanted to comment on them further. Although CAPTCHAs are very effective at blocking automated abuse, in their current form they are not an effective long-term strategy. The problem is that with our current image enhancement, OCR, and AI technology, they can be cracked with quite good accuracy. Their limited use and proprietary implementations still make them useful for now, but once someone releases a script-kiddie tool to automate CAPTCHA cracking, they will become mostly ineffective.

I'm surprised that no one has implemented one yet. Though OCR programs are at least halfway there.
It is very hard to be sure that "no one has implemented one yet" :-) Quite some time ago I had an argument with a friend, a web-master, about the total insecurity of this approach, and in less than one day I wrote a program to recognise numbers written on an image. The program was in no way AI: I downloaded several images and cropped out all the different digits, so the program simply loads an image and the images of all digits and, for every place in the image, every digit, and every transformation, calculates the difference between the image of the digit and the image (I used a simple sum of squares of the differences in each pixel for this). The program runs in less than a second (there are not so many points in the image times the number of digits times *sufficiently different* transformations). Most of the time I spent was on capturing images and classifying transformations, so I agree that using CAPTCHA makes your site more vulnerable to script-kiddies, but even implementing it yourself does not protect you that much from somebody with moderate patience and programming skills.

--
Regards,
ASK
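The matcher described above, as an added example rather than the poster's own program: constructed 5x3 digit glyphs, a constructed image in which each glyph gets its own vertical jitter (standing in for the "transformations"), and a sum-of-squares comparison over every position, digit and shift. It illustrates the post's point that, once the glyph set is known, reading a fixed-font image is a lookup, not AI.

```python
"""Template matching of fixed-font digits, as the post describes: for every
position, every digit and every allowed transformation, compare the glyph
with the image window by a sum of squared pixel differences.  The glyphs
and the 'captcha' image are constructed for this example, not real data."""

GLYPH_H, GLYPH_W = 5, 3
GLYPHS = {  # constructed 5x3 bitmaps (1 = ink), one per digit we know
    "0": ("111", "101", "101", "101", "111"),
    "1": ("010", "110", "010", "010", "111"),
    "2": ("111", "001", "111", "100", "111"),
    "3": ("111", "001", "111", "001", "111"),
    "7": ("111", "001", "010", "010", "010"),
}
IMG_H = GLYPH_H + 2  # leaves room for a vertical jitter of 0..2 pixels

def render(text, jitter):
    """Build a bitmap with each glyph at its own vertical offset (0..2)
    and a one-column gap between glyphs: the constructed 'transformations'."""
    width = len(text) * (GLYPH_W + 1) + 1
    img = [[0] * width for _ in range(IMG_H)]
    for i, (ch, dy) in enumerate(zip(text, jitter)):
        x0 = 1 + i * (GLYPH_W + 1)
        for r, row in enumerate(GLYPHS[ch]):
            for c, bit in enumerate(row):
                img[dy + r][x0 + c] = int(bit)
    return img

def ssd(img, x0, y0, glyph):
    """Sum of squared differences between the window at (x0, y0) and glyph."""
    return sum((img[y0 + r][x0 + c] - int(glyph[r][c])) ** 2
               for r in range(GLYPH_H) for c in range(GLYPH_W))

def recognise(img, max_err=0):
    """Slide every glyph over every column and vertical shift, keep the
    (near-)exact hits and read them left to right without overlap."""
    width = len(img[0])
    hits = []  # (x, digit)
    for x in range(width - GLYPH_W + 1):
        for y in range(IMG_H - GLYPH_H + 1):
            for digit, glyph in GLYPHS.items():
                if ssd(img, x, y, glyph) <= max_err:
                    hits.append((x, digit))
    out, last_x = "", -GLYPH_W
    for x, digit in sorted(hits):
        if x >= last_x + GLYPH_W:  # skip hits overlapping the previous one
            out += digit
            last_x = x
    return out
```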