Hi all

I've released a new version of my captcha:-
http://www.thespanner.co.uk/2007/07/12/return-of-the-heyes-captcha/

This version works with most likely sentences, for example:- "a creepy forest" not "creepy dog". The idea is to arrange the sentence in the correct order. Sentences would be different each time and at the moment it only displays 1 sentence.

My future plans include display a hint for the sentence but in a way that could only be understood by a human without mentioning the words in the sentence.

It's early days with the prototype but I really think this one could work.

captcha are becoming too much complicated for human
i keep thinking captcha is not the solution, but well, as long nobody find something way better...

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

I've just uploaded an update to make it more usable.

Okay, where to begin?

Firstly, lots of people will never solve this correctly. Sorry, it's a fact. People just aren't very good at solving things. For instance "Sarah ran through the grassy fields" is proper english, but so is "the Sarah ran through grassy fields" depending on what a "Sarah" is. Clearly the second is non-nonsensical but not everyone is a native English speaker either, or paying enough attention to what they are doing to get it right.

Secondly, you have one of the highest probabilities of brute force solving I've ever seen in a CAPTCHA - 1/720 with six words and 1/5040 with seven words. That's less than a normal CAPTCHA of 4 digit characters. The numbers listed actually makes an assumption that each word is unique - which in several of your examples they were not ("the" is used twice in the sentences more than once). In that case your probability of guessing the correct answer skyrockets to 1/120-1/720). That's worse than a three digit CAPTCHA.

Third, to actually break this would require only a split second with all possible combinations against a grammar checker since there are so few combinations.

Fourthly, I can refresh until I get an old (known/solved) CAPTCHA.

Lastly, since you have to build each sentence you can only have a limited number of sentence structures that are short enough to be easily solvable, making it incredibly easy to build a lookup table of solved CAPTCHAs.

Sorry, this CAPTCHA has serious security implications. I'd never implement this as-is.

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 07/12/2007 05:59PM by rsnake.

Yep I know it has major problems and I wasn't suggesting anyone use it at this stage but I have had a couple of thoughts about this and expect a new release shortly.

Thanks for your great feedback though, the information you provided will be very helpful to me when I create my next release. Stay tuned :)

Glad it helped, but I bet a buck I'll be able to break any changes you make. CAPTCHAs are simply flawed. I've looked at hundreds of them and broken every single last one of them. I don't see any technologies that make me think I couldn't do it (unless you also make it unusable in the process).

- RSnake
Gotta love it. http://ha.ckers.org

I've just updated my CAPTCHA version 3.2

http://www.businessinfo.co.uk/labs/HeyesCaptcha3.2/heyes_captcha_test.php

It's still early stages but it grabs 2 random sentences from a story stored in a table. Then it displays the first sentence and mixes up the second which is related to the first.

There are a few problems with it, at the moment it returns either too long or too short sentences sometimes which I need to fix.

We all need to realize CAPTCHAS are fruitless. The bots get smarter the CAPTCHA gets harder, the bots get even smarter and the CAPTCHAS get even harder. But in the end a human being just stays dumb. Make it hard for a bot make it even harder for a human, make it very hard for a bot and make it impossible for the average human.

CAPTCHAs should only be used to limited protection. If you run a site which gets 15K views a month and you have a custom built forum, then in reality you will not need to have a hard CAPTCHA if one at all, because the chances of someone pointing a bot at your site to break into your account, post spam would be very unlikely. Now if you were running popular software like phpBB then yeah a bot might be more likely to target you since the bot would likely have the code to break it, but still its lower than if your site was say myspace.com and having CAPTCHA protection would actually be beneficial, but you have to say is it worth it? You are basically turning users away who can't solve them as easily, and the ease of a site determines if a visitor will come back again. Yeah we would all love to shun stupid people, but come on when you want visitors to your site you take all you can get. There are other avenues in protecting a form which will be as effective if not more which would not prohibit the site's use by the average computer illiterate user.

Just my 2 cents.

Gareth - now you have actually made it impossible for me to solve it to even tell you what's wrong with it. I think you've failed on two accounts:

1) you haven't changed the problem, making it easy for robots to use grammar checks still (if they encounter one that's too long they can hit refresh and get a new one).
2) you've made it so difficult to solve I can't even figure out what you want me to do anymore.

This proving that it is a failed Turing test. I think it's time for you to stop the madness.

- RSnake
Gotta love it. http://ha.ckers.org

I don't really know what the hope was, but if it was something along the lines of making the user so confused they'll never visit your site again, you have succeeded for sure.

You can't make a machine ask a question a machine can't answer. It's plain logic.

Writing information down on a post-it and slap it on your monitor is safer then let it be guarded by a CAPTCHA.

Spyware Wrote:
-------------------------------------------------------
> You can't make a machine ask a question a machine
> can't answer. It's plain logic.

Yeah that's the challenge.

I admit my CAPTCHA wasn't a success, but I haven't given up so expect a new post and I'll expect the backlash :) but hopefully not.

Maybe if you implement dynamic answers instead of dynamic questions it could work. But I am still unsure of the whole thing, I dunno if it's possible.

If you think about it, in the end everything isn't 100% secure, mouseclicks, keystrokes, voices, pictures and even IRIS-scans are hackable.

EDIT: typo



Edited 1 time(s). Last edit at 09/10/2007 09:43AM by Spyware.

Yeah I'm gonna try a different technique soon. I know the problems of creating one but I just enjoy trying the impossible :)