I needed a captcha for a Java web project. I tried SimpleCaptcha and reCAPTCHA; both worked fine. Then, out of curiosity, I checked Wikipedia for what a captcha actually is, and this is what I got:
It is an acronym based on the word “capture” and standing for “Completely Automated Public Turing test to tell Computers and Humans Apart”.
So basically, we want to be able to tell computers (or bots) trying to use our service apart from humans. So I thought to myself: is it really necessary to use all these mangled, difficult-to-read, sometimes very funny images? We could just ask the user a simple question we think only a human can answer, and make the question random enough that guessing (which is what most brute-force attacks rely on) is difficult.
For example, I have yet to see someone who says he/she has successfully guessed a recharge voucher PIN. Even if there are, it is maybe one or two. And this PIN is just numbers, sometimes as few as 10 digits. Your ATM PIN is usually 4 digits.
I remember seeing a very simple captcha on a website: they ask you a mathematical question (+, -, *) and you give the answer. That simple. No mangled image, no mangled audio, nothing fancy.
So I started writing down ideas for what we can really call SimpleCaptcha.
- Present five random characters and ask the user for the n-th character; of course, n is also random.
- Present the user with a simple arithmetic expression and ask for the answer. The two operands and the operator are random.
- Ask date-based questions, such as: today is Thursday, what day was it two days ago? Yesterday was Friday, what day is it 9 days from now? etc.
Now these captcha ideas MAY or MAY NOT have very serious security holes. I am not an expert in web security or captchas; I am just a guy who likes simple things.
Below is part of the single-file Java class that implements idea No. 2.
```java
import java.util.Random;

public class Captcha {
    // the operators getQuestion() picks from (index chosen with r.nextInt(3))
    private static final String[] operations = {"+", "-", "*"};

    private int q1;
    private int q2;
    private String operation;

    public String getQuestion() {
        // note: seeding with the clock makes the sequence predictable to anyone
        // who knows roughly when the question was generated
        Random r = new Random(System.currentTimeMillis());
        int operationRandInt = r.nextInt(3);
        String operationString = operations[operationRandInt];
        int q1Rand = r.nextInt(100) + 10; // 10..109
        int q2Rand = r.nextInt(100) + 10; // 10..109
        // we don't want answers to have negative results
        if (operationString.equals("-")) {
            // swap instead of re-drawing q2 until it is below q1: that loop never
            // terminates when q1 is 10, because q2 is never below 10
            if (q2Rand > q1Rand) {
                int tmp = q1Rand;
                q1Rand = q2Rand;
                q2Rand = tmp;
            }
            if (q1Rand == q2Rand) {
                q1Rand++; // keep the result strictly positive
            }
        }
        /* if you want to implement division, be my guest. A few thoughts though:
         * 1. It will be easier if there are no remainders in answers, i.e. q1/q2 is a whole number.
         * 2. It will be safer if q1 != q2.
         */
        q1 = q1Rand;
        q2 = q2Rand;
        operation = operationString;
        return q1 + " " + operation + " " + q2;
    }

    public boolean solve(int answer) {
        if (operation == null) {
            return false; // no question has been generated yet
        }
        if (operation.equals("+")) {
            return q1 + q2 == answer;
        } else if (operation.equals("-")) {
            return q1 - q2 == answer;
        } else if (operation.equals("*")) {
            return q1 * q2 == answer;
        }
        return false;
    }
}
```
The full source is here: Captcha.java
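To put a number on the "guessing is difficult" claim, here is an added analysis (not code from the post or from Captcha.java) that enumerates every question the generator above can produce and measures the answer space per operator. It assumes the post's operand range (10..109) and operators (+, -, *), that every valid operand pair is equally likely, and that the bot answers blindly with the most common value; a bot that parses the question, as Anon points out in the comments, succeeds every time, so this is only the floor.

```python
import math
from collections import Counter

# Mirror of the post's generator: r.nextInt(100) + 10 yields operands in 10..109.
LOW, HIGH = 10, 109
OPERATORS = ("+", "-", "*")


def answer_space(op):
    """Map each possible answer for `op` to the number of (q1, q2) pairs producing it.

    For "-" only pairs with q1 > q2 count, mirroring the post's rule that the
    result must not be negative (or zero)."""
    counts = Counter()
    for q1 in range(LOW, HIGH + 1):
        for q2 in range(LOW, HIGH + 1):
            if op == "+":
                counts[q1 + q2] += 1
            elif op == "-":
                if q1 > q2:
                    counts[q1 - q2] += 1
            elif op == "*":
                counts[q1 * q2] += 1
    return counts


def blind_guess_success(op):
    """Return (best_answer, probability) for a bot that never reads the question
    and always submits the single most likely answer for this operator,
    assuming every valid (q1, q2) pair is equally likely."""
    counts = answer_space(op)
    best_answer, best_count = counts.most_common(1)[0]
    return best_answer, best_count / sum(counts.values())


def attempts_for_even_odds(op):
    """Number of independent attempts (fresh question each time) a blind guesser
    needs before its chance of at least one acceptance reaches 50%. A per-session
    attempt limit has to sit well below this budget."""
    _, p = blind_guess_success(op)
    return math.ceil(math.log(0.5) / math.log(1.0 - p))


if __name__ == "__main__":
    for op in OPERATORS:
        best, p = blind_guess_success(op)
        print(f"{op}: {len(answer_space(op))} distinct answers, "
              f"best blind guess {best} succeeds {p:.2%}, "
              f"50% odds after {attempts_for_even_odds(op)} attempts")
```

Addition has only 199 possible answers and subtraction 99, so a few dozen blind submissions already give even odds; the mitigation is not a bigger operand range but a strict cap on attempts per session.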
john said
Really simple
Anon said
But none of your problems are difficult for a machine to solve.
If I want my computer to access your system ‘as a person’, I need only write an arithmetic evaluator (or, say, just use Python), or write a what-day-is-it solver, etc.
The reason websites use mangled images is because they are hard to make sense of in software, unlike your proposed ‘simple’ solutions.
Akintayo Olusegun said
@Anon,
I know. But I also know that no matter how mangled the image is, if it is software generated, it can be software hacked.
Ernest Lötter said
Not everything that can be generated by software can be easily inverted using software. For example, given two 100-digit prime numbers, I can write a simple Java program that will quickly multiply them. However, a program that will efficiently factorize the resulting 200-digit number into its two prime factors may be very difficult or impossible.
Temidayo said
Yep, I support what Ernest Lötter said. That is why it is not possible to reverse an algorithm like md5().
carlos alberto de oliveira said
Really simple, but I think, in the case of the minus operation, it will enter a loop state if q2Rand = 109. Now, as a suggestion, imagine you could do a captcha based on a table (perhaps a 5x5 table) and ask the user for a specific entry.
Thank you.
Carlos
David Paksy said
Good post! I don’t love image captchas either. However, I recommend you read this article about captchas; it’s very good too and has a “hidden captcha” idea:
http://coding.smashingmagazine.com/2011/03/04/in-search-of-the-perfect-captcha/
ReinoutS said
Reproducing a random string is something most people can do, regardless of where they’re from. When you start asking questions involving weekdays, you assume a certain cultural background and fluency in the English language which may or may not be there.
decaptcha Service said
Hi there, I enjoy reading through your post.
I like to write a little comment to support you.
Akintayo Olusegun said
Thanks