WebApp Sec mailing list archives
Re: Account Lockouts
From: Valdis.Kletnieks () vt edu
Date: Thu, 09 Dec 2004 11:06:52 -0500
On Thu, 09 Dec 2004 01:26:31 EST, David Robert said:
3) map out the parameter space so that humans have an easy time and OCR programs don't. This would be a bit of work but I expect the parameter space to be contiguous. I'm not sure this would be possible otherwise.
Satisfying the "humans" and "OCR" requirements at the same time is a lot harder than it looks. (OK.. Maybe it's just the fact it's a dreary morning out there, and I'm fighting off a rather nasty cold, and my eyesight isn't all that hot on a GOOD day. But right now I'm having *enough* trouble reading a nice ISO9241 font - if I hit a captcha distorted enough to stop an OCR program, things would come to a screeching halt. That's just me, today - but good user interface design requires that you realize that users *DO* have days like that....)
5) to generate a CAPTCHA, just generate a random series of alphanumeric characters, create an image from them, and apply a random transformation.
As somebody else already noted, you don't even need good OCR - they managed to apply a mostly-brute-force attack that did fairly well. Remember, you can't apply *TOO* big a distortion, because otherwise you have problems with users not being able to distinguish 'c' and 'o', and so on. Knowing that, and the legal charset, it's not a hard problem at all (remember that the biggest problem in doing "true" OCR is the possibility that the program has to deal with input that includes doodles, wrinkles in the paper, coffee stains, and the like - none of which is an issue with trying to decode a captcha).
I agree this is not perfect. There is a chance that the CAPTCHA will be too hard to read. But that can be tuned to minimize this to an acceptable level.
OK.. are you advocating inflicting the tuning process on your end users, or do you have a human-factors test lab in place? Note that this *is* an important question - if you release the product with the level mis-tuned, you have some *real* problems. If it's "too easy", an OCR program can beat you and you're providing false security, but if it's "too hard", you've just prevented legitimate users from getting at the resource. And keep in mind that "users" often mean "fickle customers" who might go to the competition if you piss them off too much...
Attachment:
_bin
Description:
Current thread:
- RE: Account Lockouts, (continued)
- RE: Account Lockouts Skander Ben Mansour (Dec 06)
- RE: Account Lockouts Matt Fisher (Dec 03)
- Re: Account Lockouts Haroon Meer (Dec 03)
- RE: Account Lockouts Stephen de Vries (Dec 03)
- Re: Account Lockouts Jason Coombs (Dec 03)
- Re: Account Lockouts Mark Burnett (Dec 03)
- Re: Account Lockouts Michael Silk (Dec 06)
- Re: Account Lockouts Alexander Klimov (Dec 08)
- RE: Account Lockouts Cunningham, Andy (Dec 08)
- RE: Account Lockouts Alexander Klimov (Dec 14)
- Re: Account Lockouts Valdis . Kletnieks (Dec 14)