This is an article discussion thread for discussing the SitePoint article, "Toughen Forms' Security with an Image"
nowhere in the article do you actually call these images by their more common name: CAPTCHAs http://en.wikipedia.org/wiki/Captcha
and before everybody rushes off to implement them, it's worth considering the accessibility implications: out of the box, this proposed system shuts out anybody who can't actually see the image (visually impaired / blind users, for instance).
Who cares if it shuts out blind and visually impaired users? It's much more important to have an up-to-date website with the latest fad, right?
Actually I am joking! If you want a ready-to-run CAPTCHA script with audio back-up redundancy for blind users, check out my signature.
Location: Alicante (Spain)... Hot and Sunny...
Texas Holdem Poker Probability Calculator | DNS test
Avatars | English Spanish Translation | CAPTCHA with audio
Email | PHP scripts | Cruft free domain names | MD5 Cracker


Please give the man a break.. I mean, even though CAPTCHA isn't really user (visually impaired user) friendly, people can learn a whole lot from this nice tutorial! I think you could imagine that many programmers wonder how these things are created and end up here.. The tutorial is fine! What is really missing is an explanation of the negative side of using CAPTCHA..
The CAPTCHA package (with audio variant) you give in your signature (http://bokehman.com/captcha_verification) is REALLY nice, but let's face it.. There's probably a better version of whatever you code already out there on the internet.. However as I've said before having these kind of tutorials is nice too ...
Yesterday, I attended a speech by Jitendra Malik (UC Berkeley) about computer vision and object recognition. Just for the heck of it he tried his algorithms on captchas and reached a >90% hit rate, even though his sample captchas were way harder to read than these ones (nonlinear distortion, more noise and clutter). I guess it won't take too long until his work will be available as part of a spam script.
But there is an even simpler way to solve captchas by using a man in the middle attack: For example, create a porn page where, whenever a user wants to see the next picture, he has to "solve" a looped-through captcha.
I just found out that wikipedia offers all this information as well so if you want more details, follow redux' link. :-)
The title of this article is very misleading as it implies that CAPTCHA are a security measure, when in fact they are not. If your idea of security is "a human can be trusted but a computer cannot", you have some problems.


True. It's more of an anti-spam measure than a security measure. Its best use is to prevent repeated automated form submissions. (Originally Posted by mmj)
Thanks for all the feedback everyone - much appreciated.
Redux - I should have named them as Captchas, thanks for adding the link to the wiki page though.
I did think about the lack of accessibility for blind users but for this example I didn't want to over complicate things - particularly I wanted to demonstrate the PHP/GD side of creating them. I'll look to produce a follow up to this article which addresses the accessibility issue.
I agree. Edward Eliot's article is informative and interesting even for people not in the slightest bit interested in CAPTCHA. There is something for everyone: classes and objects, use of the GD library and a good explanation of how the code works. (Originally Posted by Quaint)
I got that together because I was fed up listening to people complaining about the accessibility issues but doing nothing to help. When something is very fashionable it is hard to tell people not to use it because it causes problems for < 1% of users. (Originally Posted by Quaint)
Probably, but I like to write my own scripts because I enjoy it. (Originally Posted by Quaint)
I'm sure that's a joke. Isn't it? (Originally Posted by Maarten Manders)


@bokehman
Lol, didn't even realise you posted the reply.. I looked at your script yesterday and e-mailed you (saying I loved it, remember).. It's only now when looking back at the thread I recognise your name
Nice going Bokeh!!





It's not a great captcha though; some bots can easily read the image at the end of your article.
To test your captcha image you could for instance see what WhatTheFont can read from it: http://www.myfonts.com/WhatTheFont/
Just a few grey lines won't break it.


Richard Heyes' solution to the usability issue is to print out a number as a word on the page and require the user to enter it as a number. For example, if the captcha is "two thousand five hundred twenty eight", the user would type "2528".
I have excellent close-up vision but I'm still having issues reading the captcha, what about users with poor sight?
It would be better to have the site name somewhere in the image, so it can't be used by spammers on other sites.
Converting "two thousand five hundred twenty eight" to "2538" isn't that difficult.


It could be if the machine doesn't realize it's a captcha and not part of the page content. (Originally Posted by someonewhois)


Seems like a very long path to go down in order to break a site's accessibility.
I'd agree it is not very accessible if images are turned off or the user has problems viewing the digits.
Then obviously you'd require an alt attribute at the minimum, possibly the title too.
I'm with "will_". Why are we still discussing forms of CAPTCHA? Write an article on how to do a good turing test without obscured images and accessibility problems, please. Or at least with accessible fallbacks.
Just reading the title of this article gave me an idea.
Rather than using captchas, we could have pre-stored images of well known animals or items, like "cat", "dog", "bird" etc... with a drop down menu corresponding to the available images.
The server would then send an image to the form at random and the user would have to select from the drop down menu the corresponding name.
The image would be embedded into the HTML file. (see http://www.bennherrera.com/EmbeddedImage/)
--------
Another solution could be to use some JavaScript and AJAX to ensure that the user is "real" and not a robot.
Something like, the user has to click on a button that will activate a JavaScript "alert" box that will contain a code generated on the server and pulled in using AJAX. (So there is no way to see the code unless you activate the "alert" box.)
There may be holes in this approach, but thought I would mention it anyway, so someone else can improve on it.
Last edited by wwms; Apr 18, 2006 at 21:09.


I like this idea, but... (Originally Posted by wwms)
...that's pretty heavy engineering for a captcha. Why not just give all of the image files an MD5'ed filename, store the real name of the item shown in the image file in the session object, and load it with an ordinary IMG tag? (Originally Posted by wwms)
Yes, you are correct. After submitting my post I thought about that. There is no need to embed the image, simply renaming the file will be good enough. Actually embedding the image would defeat the purpose since it is a recognisable pattern.
This method would also work well with 'audio', since those who can't see well could easily recognise the sound each animal makes. However this may not be needed in the first place since unlike captchas a good clear image of an animal is a lot easier to recognise than some captchas. (I mean those that are so good that it is even hard for 'us' to figure out what the characters represent ...)
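
The session-backed image challenge discussed in the posts above, sketched in PHP as an added example that is not code from the article or from any poster. It swaps the MD5'ed filename for a random per-challenge token (an assumption of this sketch, so the same image never has the same URL twice); the image paths, function names and the `image.php?t=` endpoint are hypothetical.

```php
<?php
// Added example, not code from the article or the thread.
// Hypothetical image set: answer label => file kept outside the web root.
const CHALLENGE_IMAGES = [
    'cat'  => '/srv/captcha/img01.png',
    'dog'  => '/srv/captcha/img02.png',
    'bird' => '/srv/captcha/img03.png',
];

// Pick a random image and remember the answer on the server only.
// Returns the opaque token for the IMG src, e.g. image.php?t=TOKEN (hypothetical endpoint).
function issue_challenge(array &$session): string
{
    $labels = array_keys(CHALLENGE_IMAGES);
    $answer = $labels[random_int(0, count($labels) - 1)];
    $token  = bin2hex(random_bytes(16)); // fresh per challenge, unlike md5(filename)
    $session['captcha'] = ['token' => $token, 'answer' => $answer];
    return $token;
}

// Map a token to the file to stream; null if it does not belong to this session.
function image_for_token(array $session, string $token): ?string
{
    $c = $session['captcha'] ?? null;
    if ($c === null || !hash_equals($c['token'], $token)) {
        return null;
    }
    return CHALLENGE_IMAGES[$c['answer']];
}

// Check the drop-down choice. The challenge is single-use: it is discarded
// whether the choice is right or wrong, so every guess needs a new challenge.
function verify_choice(array &$session, string $choice): bool
{
    $c = $session['captcha'] ?? null;
    unset($session['captcha']);
    return $c !== null && hash_equals($c['answer'], $choice);
}

// Constructed walk-through using a plain array in place of $_SESSION.
$session = [];
$token   = issue_challenge($session);
$correct = $session['captcha']['answer'];
var_dump(image_for_token($session, $token) !== null);
var_dump(verify_choice($session, $correct));
var_dump(verify_choice($session, $correct)); // same answer again: challenge already consumed
```

With only a handful of images a blind guess still succeeds one time in N, so a scheme like this needs a large image pool and a cap on attempts per client to be of any use.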





The script is great for beginners (e.g. = me).
But like what I've read, there are complications for using the script. The site will have to be aimed for the public who don't have a disability, which in my opinion is quite hard to come across. There are many other ways to make the form submission(s) spam proof.


Care to share some of them? (Originally Posted by spence_noodle)