Captcha

I needed a captcha for a Java web project. I tried SimpleCaptcha and reCAPTCHA; both worked fine. Then, out of curiosity, I checked Wikipedia for what a captcha actually is, and this is what I got:

 It is an acronym based on the word “capture” and standing for “Completely Automated Public Turing test to tell Computers and Humans Apart”

So basically, we want to be able to tell computers (or bots) trying to use our service apart from humans. So I thought to myself: is it really necessary to use all these mangled, difficult-to-read, sometimes very funny images? We could just ask the user a simple question that we think only a human can answer, and make the question random enough that guessing (which is what most brute-force attacks rely on) is difficult.

For example, I have yet to see someone who says he/she has successfully guessed a recharge voucher PIN, even if there are maybe one or two. And this PIN is just numbers, sometimes as few as 10 digits. Your ATM PIN is usually only 4 digits. (Note, though, that a 4-digit PIN holds up not because it is hard to guess but because the terminal locks the card after a few wrong attempts; a captcha with a small answer space needs the same kind of attempt limit.)

I remember seeing a very simple captcha on a website: they ask you a mathematical question (+, -, *) and you give the answer. That simple. No mangled image, no mangled audio, nothing fancy.

So I started writing down ideas for what we could really call a SimpleCaptcha.

  1. Present five random characters and ask the user for the n-th character; of course n is also random.
  2. Present the user with a simple arithmetic expression and ask for the answer. The two operands and the operator are random.
  3. Ask date-based questions like: today is Thursday, two days before today is ?; yesterday was Friday, 9 days from now is ?; etc.
I actually set out to implement all three, but the project I am working on is also pressing, so I decided to pick the most basic one, No. 2, just as a proof of concept.
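As an added example (this is not the author's code, and the Java class later on the page is the author's own; this is a Python sketch written for this page), here are generators for all three ideas plus a "bot" that answers every one of them with a regex and a few lines of arithmetic. It goes a little beyond the list: the subtraction case swaps operands instead of re-drawing, so it can never spin forever, and `bot_success_rate` quantifies the caveat that matters for any question-based captcha, namely that none of these questions is hard for software. All names (`nth_char_challenge`, `bot_solve`, `WEEKDAYS`, and so on) are this example's own assumptions, not anything from the page.

```python
import random
import re
import string

# Weekday order used by the date-based challenge (idea 3); index arithmetic
# mod 7 maps directly onto these names.
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]


def nth_char_challenge(rng):
    """Idea 1: show five random upper-case letters, ask for the n-th (1-based)."""
    chars = "".join(rng.choice(string.ascii_uppercase) for _ in range(5))
    n = rng.randint(1, 5)
    return f"What is character {n} of {chars}?", chars[n - 1]


def arithmetic_challenge(rng):
    """Idea 2: operands in 10..109 and a random operator, like the Java class.
    For subtraction the operands are swapped so the answer is never negative;
    re-drawing q2 until it is smaller than q1 would never finish when q1 is 10."""
    a, b = rng.randint(10, 109), rng.randint(10, 109)
    op = rng.choice("+-*")
    if op == "-" and b > a:
        a, b = b, a
    answer = {"+": a + b, "-": a - b, "*": a * b}[op]
    return f"{a} {op} {b}", str(answer)


def weekday_challenge(rng):
    """Idea 3: 'Today is X. N days from now is ?' or 'N days before today is ?'."""
    today = rng.randrange(7)
    n = rng.randint(1, 13)
    direction = rng.choice(["from now", "before today"])
    target = (today + n) % 7 if direction == "from now" else (today - n) % 7
    return f"Today is {WEEKDAYS[today]}. {n} days {direction} is ?", WEEKDAYS[target]


# The bot: one regex per challenge kind, then a few lines of arithmetic.
_NTH = re.compile(r"character (\d) of ([A-Z]{5})")
_ARITH = re.compile(r"^(\d+) ([+\-*]) (\d+)$")
_DAY = re.compile(r"Today is (\w+)\. (\d+) days (from now|before today)")


def bot_solve(question):
    """Answer any of the three challenge kinds with no human in the loop."""
    m = _NTH.search(question)
    if m:
        return m.group(2)[int(m.group(1)) - 1]
    m = _ARITH.match(question)
    if m:
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        return str({"+": a + b, "-": a - b, "*": a * b}[op])
    m = _DAY.search(question)
    if m:
        today = WEEKDAYS.index(m.group(1))
        shift = int(m.group(2)) if m.group(3) == "from now" else -int(m.group(2))
        return WEEKDAYS[(today + shift) % 7]
    raise ValueError(f"unrecognised challenge: {question!r}")


def bot_success_rate(trials=300, seed=1):
    """Fraction of freshly generated challenges (all three kinds, round robin)
    that bot_solve answers correctly. Deterministic for a given seed."""
    rng = random.Random(seed)
    generators = (nth_char_challenge, arithmetic_challenge, weekday_challenge)
    solved = 0
    for i in range(trials):
        question, answer = generators[i % 3](rng)
        solved += bot_solve(question) == answer
    return solved / trials


if __name__ == "__main__":
    rng = random.Random()
    for gen in (nth_char_challenge, arithmetic_challenge, weekday_challenge):
        q, a = gen(rng)
        print(f"{q!r:58} expected {a!r:12} bot says {bot_solve(q)!r}")
    print("bot success rate:", bot_success_rate())
```

The bot is about fifteen lines and solves 100% of the challenges; that is the whole security argument against question-based captchas in one number. Randomising the wording helps only until someone writes one more regex, so if a scheme like this is used at all it has to lean on attempt limits and single-use challenges rather than on the question being hard.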

Now these captcha ideas MAY or MAY NOT have very serious security holes. I am not an expert in web security or captchas; I am just a guy who likes simple things.

Below is part of the single-file Java class that implements No. 2.

    import java.util.Random;

    public class Captcha {
        private static final String[] operations = {"+", "-", "*"};

        // java.util.Random seeds itself; an explicit currentTimeMillis()
        // seed only makes the sequence easier to predict.
        private final Random r = new Random();

        // The expected answer lives only in these fields, on the server;
        // only the question string returned by getQuestion() goes to the client.
        private int q1;
        private int q2;
        private String operation;

        public String getQuestion() {
            int operationRandInt = r.nextInt(operations.length);
            String operationString = operations[operationRandInt];

            int q1Rand = r.nextInt(100) + 10;   // 10..109
            int q2Rand = r.nextInt(100) + 10;   // 10..109

            // we don't want answers to have negative results, so for
            // subtraction put the larger operand first. (Re-drawing q2
            // until it is smaller than q1 never terminates when q1 is 10,
            // the smallest value it can take.)
            if (operationString.equals("-") && q2Rand > q1Rand) {
                int tmp = q1Rand;
                q1Rand = q2Rand;
                q2Rand = tmp;
            }

            /*
                if you want to implement division, be my guest.
                A few thoughts though.
             * 1. It will be easier if there are no remainders in answers, i.e. q1/q2 = whole number
             * 2. It will be safer if q1 != q2.
             */

            q1 = q1Rand;
            q2 = q2Rand;
            operation = operationString;

            return q1 + " " + operation + " " + q2;
        }

        public boolean solve(int answer) {
            if (operation.equals("+")) {
                return q1 + q2 == answer;
            } else if (operation.equals("-")) {
                return q1 - q2 == answer;
            } else if (operation.equals("*")) {
                return q1 * q2 == answer;
            }
            return false;
        }
    }

The full source is here: Captcha.java
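Keeping q1, q2 and operation in fields is the right instinct: the expected answer must stay on the server and only the question string should reach the browser. What the snippet does not show is the rest of the challenge lifecycle, and that is where a small-answer-space captcha is usually broken in practice: a challenge that can be verified twice lets a bot solve (or have a human solve) one question and replay it, and unlimited retries against one question turn a few hundred possible answers into a short loop. Below, as an added Python example written for this page rather than code from Captcha.java, is a store that issues an opaque token per challenge, binds it to the session, expires it, and burns it on first use whether the answer was right or wrong. The names (`ChallengeStore`, `issue`, `verify`, `sweep`), the injectable clock and the sample session ids are this example's own assumptions.

```python
import secrets
import time


class ChallengeStore:
    """Server-side record of issued challenges. Only an opaque token and the
    question text go to the client; the expected answer never leaves the
    server. A token is bound to one session, expires, and is single-use."""

    def __init__(self, ttl_seconds=120, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested
        self._pending = {}            # token -> (session_id, answer, expires_at)

    def issue(self, session_id, question, answer):
        """Record a challenge (generated elsewhere, e.g. by a getQuestion()
        call) and return the token the client must echo with its answer."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = (session_id, str(answer), self.clock() + self.ttl)
        return token, question

    def verify(self, session_id, token, submitted):
        """True only for the first, timely, in-session, correct answer.
        pop() removes the token on ANY attempt, so a wrong guess burns the
        challenge instead of allowing unlimited retries against it, and a
        correct answer cannot be replayed."""
        record = self._pending.pop(token, None)
        if record is None:
            return False                  # unknown, replayed or already burnt
        owner, answer, expires_at = record
        if owner != session_id or self.clock() > expires_at:
            return False
        return str(submitted).strip() == answer

    def sweep(self):
        """Drop expired entries so the map cannot grow without bound."""
        now = self.clock()
        self._pending = {t: rec for t, rec in self._pending.items() if rec[2] >= now}


def demo():
    """Walk the failure modes with a fake clock; returns one bool per case.
    Questions and answers are constructed inline for the demonstration."""
    now = [1000.0]
    store = ChallengeStore(ttl_seconds=60, clock=lambda: now[0])
    out = {}

    tok, _ = store.issue("sess-A", "23 + 45", 68)
    out["other_session"] = store.verify("sess-B", tok, 68)    # wrong session, burns tok
    out["replay"] = store.verify("sess-A", tok, 68)           # tok already burnt

    tok, _ = store.issue("sess-A", "12 * 11", 132)
    out["wrong_answer"] = store.verify("sess-A", tok, 131)    # burns tok
    out["retry_after_wrong"] = store.verify("sess-A", tok, 132)

    tok, _ = store.issue("sess-A", "70 - 15", 55)
    now[0] += 61                                              # past the 60 s ttl
    out["expired"] = store.verify("sess-A", tok, 55)

    tok, _ = store.issue("sess-A", "30 + 1", 31)
    out["correct"] = store.verify("sess-A", tok, " 31 ")      # whitespace tolerated
    out["correct_twice"] = store.verify("sess-A", tok, 31)    # single-use
    return out


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {ok}")
```

Only the `correct` case verifies; everything else, including the second use of a correctly answered token, is refused. In a real deployment the store would live in the session backend or a cache with its own expiry, and the per-session issue rate would be limited as well, otherwise a bot simply asks for a fresh question after every wrong guess.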


12 Comments »

  1. john said

    Really simple

  2. Anon said

    But none of your problems are difficult for a machine to solve.
    If I want my computer to access your system ‘as a person’, I need only write an arithmetic evaluator (or, say, just use Python), or write a what-day-is-it solver, etc.

    The reason websites use mangled images is because they are hard to make sense of in software, unlike your proposed ‘simple’ solutions.

    • @Anon,
      I know. But I also know that no matter how mangled the image is, if it is software generated, it can be software hacked.

      • Ernest Lötter said

        Not everything that can be generated by software can be easily inverted for using software. For example, given two 100-digit prime numbers, I can write a simple Java program that will quickly multiply them. However, a program that will efficiently factorize the resulting 200-digit number into its two prime factors may be very difficult or impossible.

      • Temidayo said

        Yep, I support what Ernest Lötter said. That is why it is not possible to reverse an algorithm like md5().

  3. Really simple, but I think, in the case of the minus operation, it will enter a loop state if q2Rand = 109…. Now, as a suggestion, imagine you could do a captcha based on a table (perhaps a 5x5 table) and ask the user for a specific entry.

    Thank you.
    Carlos

  4. David Paksy said

    Good post! I don’t love image captchas either. However, I recommend you read this article about captchas; it’s very good too and has a “hidden captcha” idea:
    http://coding.smashingmagazine.com/2011/03/04/in-search-of-the-perfect-captcha/

  5. ReinoutS said

    Reproducing a random string is something most people can do, regardless where they’re from. When you start asking questions involving weekdays, you assume a certain cultural background and fluency in the English language which may or may not be there.

