[thelist] Re: Security code images

John.Brooking at sappi.com John.Brooking at sappi.com
Tue Aug 3 12:34:16 CDT 2004

>Date: Tue, 3 Aug 2004 15:12:34 +0100
>From: Richard Davey <rich at launchcode.co.uk>
>>> Interesting article. It intrigued me enough to play a bit. I can't 
>>> quite come up with the best way to distort the image to make it 
>>> difficult to read by machines. I tried arcs and dashed lines, both 
>>> with some degree of random placement.
>There is another way - instead of scrambling a code and telling the
>user to "type in what you see" - you could show a picture, of say
>3 rabbits and say "how many rabbits do you see?". The user types
>in 3 (obviously!).

But it obviously can't be 3 rabbits every time, or someone will just teach
their script to answer "3". I guess you could vary the number of rabbits,
but the number of variations, hence the pool of potential answers, would
necessary remain very small, therefore easily guessable. (I have an image of
a user sitting in front of the screen counting 1, 2, 3, ... 58, 59, ... 122,
123, 124! Wait, did I count one twice? Whaddya mean my session timed out?!)

You could also ask: What animal is being shown here? But the average person
probably only recognizes a relatively small number of distinct animals
(what's the difference between an elk and a caribou?), so you're still down
to a low number of choices.

Maybe if you asked for both the number and type, and maybe some other
features (color? gender? ;-) ), you might get enough possible combinations
to get at least a semblance of security. Maybe.

It seems to me that the reason for disguising a word as an image is because
there are a very large number of potential words, especially in combination
with numbers, to choose from, limiting the success rate of blind guessing.

John Brooking, Application Developer
Sappi Fine Paper
South Portland, ME, 04106 USA

This message may contain information which is private, privileged or
confidential and is intended solely for the use of the individual or entity
named in the message. If you are not the intended recipient of this message,
please notify the sender thereof and destroy / delete the message. Neither
the sender nor Sappi Limited (including its subsidiaries and associated
companies) shall incur any liability resulting directly or indirectly from
accessing any of the attached files which may contain a virus or the like. 

More information about the thelist mailing list