[thelist] Re: Security code images

Richard Davey rich at launchcode.co.uk
Tue Aug 3 13:25:07 CDT 2004


Hello John,

Tuesday, August 3, 2004, 6:34:16 PM, you wrote:

JBsc> But it obviously can't be 3 rabbits every time, or someone will just teach
JBsc> their script to answer "3". I guess you could vary the number of rabbits,
JBsc> but the number of variations, hence the pool of potential answers, would
JBsc> necessarily remain very small, therefore easily guessable. (I have an image of
JBsc> a user sitting in front of the screen counting 1, 2, 3, ... 58, 59, ... 122,
JBsc> 123, 124! Wait, did I count one twice? Whaddya mean my session timed out?!)

Like I said, it was an example. You would have to keep the number
relatively low, granted, but that's only if a numeric "count the X" is
required. Any script worth its salt should be checking to see just how
many incorrect attempts have been made and block accordingly.

JBsc> You could also ask: What animal is being shown here? But the average person
JBsc> probably only recognizes a relatively small number of distinct animals

I can't see it asking questions that specific and working. Equally
you cannot ask "what colour is this?" (etc) because that doesn't help
those who are colour blind. There are other approaches too - ask the
user to "click on the rabbit" - and catching their x/y coords, if the
potential area was small enough then a script trying to register
itself on your site (which is all these are designed to block), would
have a relatively low chance of success - depending on the size of the
image. Sort of like a game of battleships. Ask a user to click on
"both the rabbits" and the script's chances then reduce dramatically.
Again it's just an example.

JBsc> Maybe if you asked for both the number and type, and maybe some other
JBsc> features (color? gender? ;-) ), you might get enough possible combinations
JBsc> to get at least a semblance of security. Maybe.

Sorry but what have these scripts got to do with security in that
sense? They're not used for password validation or anything similar;
they're merely to stop bots and allow humans access, surely? To
that end having to make a human extract something of meaning from a
photograph, no matter how small the pool, would still stop a bot in
its tracks and that, I believe, was the objective here.

Best regards,

Richard Davey
-- 
 http://www.launchcode.co.uk - PHP Development Services
 "I am not young enough to know everything." - Oscar Wilde
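
As an added example (not code from Richard's message or from launchcode.co.uk), here is the server side of the "click on both the rabbits" check described above, combined with the incorrect-attempt counter mentioned earlier in the reply, plus a rough estimate of how often a script clicking blindly at random would get through. The image size, target positions, tolerance radius, lockout threshold and the per-image token are all assumptions made for the illustration.

```python
"""Server-side check for a 'click on the rabbit(s)' image challenge.

Added example, not code from the original thread. Image size, target
positions, tolerance and the attempt limit are invented for illustration.
"""
import math
import random
import secrets

IMAGE_W, IMAGE_H = 200, 150   # constructed image size in pixels
TARGET_RADIUS = 10            # how close a click must be to a target centre
MAX_FAILURES = 3              # lock the challenge after this many wrong answers


class ClickChallenge:
    """State the server keeps for one served image; the client only sees the token."""

    def __init__(self, targets, radius=TARGET_RADIUS, max_failures=MAX_FAILURES):
        self.targets = [tuple(t) for t in targets]   # (x, y) centres to be clicked
        self.radius = radius
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.solved = False
        # Opaque id the browser sends back, so the answer is checked against the
        # image that was actually served rather than one the bot picked itself.
        self.token = secrets.token_hex(8)

    def _hit(self, click, target):
        dx, dy = click[0] - target[0], click[1] - target[1]
        return dx * dx + dy * dy <= self.radius * self.radius

    def _all_targets_hit(self, clicks):
        # Every target must be hit by a distinct click, in any order;
        # clicking the same rabbit twice does not count as "both".
        if len(clicks) != len(self.targets):
            return False
        remaining = list(self.targets)
        for click in clicks:
            for target in remaining:
                if self._hit(click, target):
                    remaining.remove(target)
                    break
            else:
                return False
        return not remaining

    def verify(self, token, clicks):
        """Return True once, for a correct answer to an unlocked, unsolved challenge."""
        if token != self.token or self.locked or self.solved:
            return False
        if self._all_targets_hit(clicks):
            self.solved = True          # single use: replaying the answer fails
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True          # "block accordingly": no more tries on this image
        return False


def random_guess_probability(n_targets, radius=TARGET_RADIUS, w=IMAGE_W, h=IMAGE_H):
    """Chance that n uniformly random clicks cover n disjoint targets (any order).

    One click lands on one target with probability target area / image area;
    n clicks must cover n targets, and any of the n! pairings will do.
    """
    p = math.pi * radius * radius / (w * h)
    return math.factorial(n_targets) * p ** n_targets


def simulate_bot(challenge_factory, n_targets, trials=20000, seed=1234):
    """Empirical success rate of a script that clicks blindly at random."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        ch = challenge_factory()
        clicks = [(rng.uniform(0, IMAGE_W), rng.uniform(0, IMAGE_H))
                  for _ in range(n_targets)]
        if ch.verify(ch.token, clicks):
            wins += 1
    return wins / trials


def one_rabbit():
    return ClickChallenge([(50, 40)])


def two_rabbits():
    return ClickChallenge([(50, 40), (150, 100)])


if __name__ == "__main__":
    for label, n, factory in (("one rabbit", 1, one_rabbit), ("two rabbits", 2, two_rabbits)):
        print(f"{label}: analytic {random_guess_probability(n):.6f}, "
              f"simulated {simulate_bot(factory, n):.6f}")
```

With these made-up numbers a single 10px-radius target on a 200x150 image gives a blind guesser roughly a 1% chance per attempt, and asking for both rabbits drops that to about 0.02%; the lockout after a few failures is what stops a script from simply retrying until it lands one.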
