WebApp Sec mailing list archives
Re: Defeating CAPTCHA
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Fri, 26 Aug 2005 16:12:07 +0200 (CEST)
On Fri, 26 Aug 2005, Subs wrote:
> For instance a picture of our planet, with text overlaid something like "3rd Rock From the Sun", "Home" or "Planet" with a question like What Would You Call This?
Probably a so-so idea, for a couple of reasons:

1) Answers limited to dictionary words or trivial phrases; susceptible to brute force attacks with a chance of succeeding (you would realistically have what, 500-5000 options).

2) The attacker who gets a hold of your image database and associated terms can attack all installations rather easily - whereas random character, random modification captchas are harder.

3) Computers can and do succeed at recognizing simple objects on photographs or images, so even without the image database (but with a thesaurus), this can be attacked.

In the short run, sure, it sounds more impressive; in the long run, it may be even more useless than text captchas.

Cheers,
/mz
http://lcamtuf.coredump.cx/silence/
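Point 1 above is a statement about the size of the answer space. The following added example (not code from the thread or from any of its participants) quantifies it: it models each challenge as a fresh, uniformly random item and each guess as an independent trial, and compares an object-naming CAPTCHA with 500 or 5000 possible answers against six random alphanumeric characters. The scheme names and the 1% risk ceiling are constructed for illustration; the functions are what a defender would use to size a rate limit or lockout window for a given answer space.

```python
"""Estimate how exposed a CAPTCHA is to guessing from the size of its answer space.

Assumed model: every challenge is drawn uniformly from `answer_space` possible
answers and the attacker submits one guess per challenge, so trials are
independent with success probability 1/answer_space each.
"""
import math


def entropy_bits(answer_space: int) -> float:
    """Bits of uncertainty in one uniformly chosen answer."""
    return math.log2(answer_space)


def success_probability(answer_space: int, attempts: int) -> float:
    """P(at least one correct guess) after `attempts` independent guesses."""
    if answer_space < 1 or attempts < 0:
        raise ValueError("answer_space must be >= 1 and attempts >= 0")
    return 1.0 - (1.0 - 1.0 / answer_space) ** attempts


def attempts_for_probability(answer_space: int, target: float) -> int:
    """Smallest number of guesses that reaches success probability `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must lie strictly between 0 and 1")
    if answer_space == 1:
        return 1  # a single possible answer is guessed on the first try
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - 1.0 / answer_space))


def attempt_budget(answer_space: int, max_probability: float) -> int:
    """Largest number of guesses a rate limit may allow per window while keeping
    the attacker's success probability at or below `max_probability`.

    This is the number a defender feeds into a lockout or throttling rule.
    """
    if not 0.0 < max_probability < 1.0:
        raise ValueError("max_probability must lie strictly between 0 and 1")
    if answer_space == 1:
        return 0  # nothing can be allowed: the first guess already succeeds
    return math.floor(
        math.log(1.0 - max_probability) / math.log(1.0 - 1.0 / answer_space)
    )


# Constructed schemes for comparison (names and sizes are illustrative).
SCHEMES = {
    "object-name captcha, 500 answers": 500,
    "object-name captcha, 5000 answers": 5000,
    "6 random alphanumerics [a-z0-9]": 36 ** 6,
}


def compare(attempts: int = 100, max_probability: float = 0.01) -> dict:
    """Per-scheme risk figures: entropy, success chance after `attempts`
    guesses, and the guess budget that keeps risk under `max_probability`."""
    return {
        name: {
            "bits": round(entropy_bits(size), 2),
            "p_success": success_probability(size, attempts),
            "budget": attempt_budget(size, max_probability),
        }
        for name, size in SCHEMES.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(
            f"{name:36s} {row['bits']:6.2f} bits  "
            f"P(success | 100 guesses)={row['p_success']:.2e}  "
            f"guesses allowed at 1% risk={row['budget']}"
        )
```

The budget column is the practical takeaway: with 500 possible answers, keeping the guessing risk under 1% leaves room for only a handful of attempts per lockout window, which is close to what legitimate users need for honest mistakes. With a six-character random string the same ceiling permits tens of millions of attempts, so throttling has real slack.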