Valhalla Legends Forums Archive | General Discussion | Logical Questions

Author | Message | Time
PiaNKA
Hey everybody,

So I've been doing a bit of research.  I'm building a website that has to ensure ~100% real user authentication--actual users, no scripts or bots.  Captchas are no doubt annoying and ineffective as they're readily broken.  Some alternatives include audio captchas, false form elements, counting key presses etc.  So what I've decided on is asking logical questions with some basic concepts from captchas.  The first level of security is against OCR by using random fonts.  As the site is time-critical, it simply wouldn't be prudent for a program to try to do OCR against 200+ fonts.  The second level of security is that the content of my "captcha" contains logical questions, rather than just words you have to type.  These might include "what is two plus 4?", "when water boils does it become hot or cold?" and "what is the third letter in the word captcha?"  The third level of security will be all the browser tricks (counting key presses, waiting a time period before loading the submit button, false form elements, session variables etc).

I believe that even if someone built something to successfully and efficiently do OCR against a ton of different (the set from which it's chosen may change by date or hour or something) font patterns, they wouldn't be able to resolve the logic in the question.  If for some reason this is also broken, their script or program will have to fully emulate a browser and user actions.  At this point, if they've made the most robust efficient program ever, they pretty much deserve whatever they can get with it.

So here's what I'm looking for.  I could use any sort of critiquing or suggestions to what I've outlined above.  Also, any new ideas or tips from people who have attempted this before would be excellent.  I would also appreciate some help coming up with creative questions.  There hasn't been a lot of activity on here lately, so we don't have much else to talk about.  Anyways, let me know what you guys think :).
May 21, 2009, 11:09 PM
RiffRiot
I really love your ideas you have there.  Never thought of using questions in a captcha!  However, I would only expect this level of security to be on a bank website, lol, may I ask what type of website you are making?

I would be glad to help make up some questions for you but I'm at work right now on a 15 min break.  Tomorrow or Sunday morning I will come up with a list and PM them to you or post them here if that is ok with you.

Also, when you get this completed I would like to test it out  ;D  Keep us posted!
May 22, 2009, 7:58 PM
PiaNKA
Thanks.  It's not a bank website, but I have to be relatively obscure for non-disclosure reasons.  Essentially, users will pay no money and while doing things on our site can be given expensive items for free; very desirable items like iPods, Wiis, flatscreen TVs etc.  We don't want to be giving $3000 TVs to bots :).

Also, thanks for helping with the questions.  I appreciate it :).  I don't mind if you post them here, so people can comment, critique or improve upon anything we come up with.

When it's done (hopefully up and running by the end of the summer) I'll be sure to make an announcement here.  Also, I despise captchas; they're incredibly annoying.  We will only validate maybe every 10 actions per session so as not to piss people off.  They won't be super hard to read either, I won't implement slanted text or anything else like that, just random fonts (and possibly each character with its own font ;)).

As a side note, questions can have multiple answers when you submit them.  For instance, "what is two plus 4?" could be answered by either "six" or "6".  So don't feel restricted when posting :P.  Thanks again!
May 22, 2009, 10:42 PM
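
One way the server side of the scheme described in the posts above could be checked, as an added example that is not part of the original thread and is not any poster's code: a signed single-use challenge, a false form element, a minimum wait before submitting, and several accepted answers per question. The field names (`website`, `sig`, `nonce`), the secret, the time limits and the question bank are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to the client
MIN_SECONDS, MAX_SECONDS = 3, 120  # assumption: plausible window for a human answer
# Constructed question bank: id -> (text rendered into the image, accepted answers)
QUESTIONS = {
    "q1": ("what is two plus 4?", {"6", "six"}),
    "q2": ("what is the third letter in the word captcha?", {"p"}),
}
_used = set()                      # consumed tokens (in-memory for the demo)


def _sign(qid, issued_at, nonce):
    msg = f"{qid}|{issued_at}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(qid, now=None):
    """Hidden-field values sent with the form; the accepted answers stay on the server."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return {"qid": qid, "issued_at": issued_at, "nonce": nonce,
            "sig": _sign(qid, issued_at, nonce)}


def verify_submission(form, now=None):
    """Return (ok, reason) for a posted form dict."""
    now = time.time() if now is None else now
    if form.get("website"):        # false form element, hidden from humans by CSS
        return False, "honeypot filled"
    qid = form.get("qid")
    expected = _sign(qid, form.get("issued_at"), form.get("nonce"))
    supplied = str(form.get("sig")).encode()
    if qid not in QUESTIONS or not hmac.compare_digest(supplied, expected.encode()):
        return False, "bad token"
    if expected in _used:
        return False, "replayed"
    _used.add(expected)            # consume now: one attempt per challenge, right or wrong
    age = now - int(form["issued_at"])
    if age < MIN_SECONDS:
        return False, "too fast"
    if age > MAX_SECONDS:
        return False, "expired"
    answer = " ".join(str(form.get("answer", "")).lower().split())
    if answer in QUESTIONS[qid][1]:
        return True, "ok"
    return False, "wrong answer"
```

Consuming the token before the answer is checked matters for two-choice questions such as "hot or cold": a client that guesses wrong has to fetch a new challenge instead of retrying the same one.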
chyea
[quote author=pianka link=topic=17958.msg182809#msg182809 date=1243032127]
Thanks.  It's not a bank website, but I have to be relatively obscure for non-disclosure reasons.  Essentially, users will pay no money and while doing things on our site can be given expensive items for free; very desirable items like iPods, Wiis, flatscreen TVs etc.  We don't want to be giving $3000 TVs to bots :).

Also, thanks for helping with the questions.  I appreciate it :).  I don't mind if you post them here, so people can comment, critique or improve upon anything we come up with.

When it's done (hopefully up and running by the end of the summer) I'll be sure to make an announcement here.  Also, I despise captchas; they're incredibly annoying.  We will only validate maybe every 10 actions per session so as not to piss people off.  They won't be super hard to read either, I won't implement slanted text or anything else like that, just random fonts (and possibly each character with its own font ;)).

As a side note, questions can have multiple answers when you submit them.  For instance, "what is two plus 4?" could be answered by either "six" or "6".  So don't feel restricted when posting :P.  Thanks again!
[/quote]

Let's see... CAPTCHAs or being quizzed every 10 actions... I wonder what's more annoying. Simple CAPTCHAs can be broken, though.
May 22, 2009, 11:38 PM
PiaNKA
It's not going to ask you something you don't know.  But considering they are still technically captchas, what you're really saying is being quizzed every time or every ten times, which is more annoying?  The answer is being quizzed every time, hence why I'm doing it every ten times.  Also, considering the nature of the site it's worth answering simple questions periodically for the chance to win something expensive.

And yes, I'm aware simple captchas can be broken.  I explained my solution to this in the first post.
May 22, 2009, 11:57 PM
dlStevens
you could just do all math questions though, just rephrase them and come up with a vast number of combinations like:
"what is six plus two"
"what is 6 + two"
"what is 2 plus 6"

----
"which animal barks? a cat or a dog?"
"how many legs does a cat have?"
"how many sides are there on a rectangle?"
"how many sides are there on a triangle?"
"what color is an orange?"
"what color is a carrot?"
"how many fingers are on a hand?"
"what is 1*1?"
"which is not an animal? dog, cat, bear, chair"
"is water wet or dry?"
"is the sun hot or cold?"
"which is the next ascending number? 1, 2, 3, _, 5"
"list a number between 20 and 30"
"what time is it?" (you'd have to work with timezones, and calculate a margin of error between say, 10 minutes)
"are bacteria small or large?"


take some, take them or all or take none, just ideas... hope it helped!

- dale


May 23, 2009, 12:38 AM
PiaNKA
hi dale :) you never came to my apartment when you went to that show. loser.  anyways, thanks for the help.  I'm trying to avoid boring them with just math though.  So I like your other ones, especially colors.  The time I'm not so sure about, it's something a computer could very easily calculate, plus it means a lot more work clientside to pass the timezone through to the server.  Shapes and animals are also good :)

Thanks again, everything is appreciated.  Please post more everybody :)
May 23, 2009, 2:16 AM
dlStevens
yeah. I'm sorry the day we were going to buy tickets, they got sold out.. we were pissed...
I'll also try to think up some more questions.. would you like me to put question:answer? so you can split them up easy?


May 23, 2009, 9:01 PM
PiaNKA
Sure
May 23, 2009, 10:34 PM
Ishbar
[IMG]http://www.eyetricks.com/0603.gif[/img]
Things like that might do well.
Question what each row is, or parallel row vs horizontal row.
Ex; "What is in the Horizontal Row?" - User will type "ABC"

Various other Optical Illusion, or Psychological Photos would be the best logic orientated questionnaires involving a "Captcha"
Another I could recommend is the Thematic Apprehension Test.
[IMG]http://3.bp.blogspot.com/_XXBfFv88x8M/SAn5AHqHLhI/AAAAAAAAADM/neK7VdG9wDw/s320/psychology1.JPG[/img]
An image like that could appear, and a question could be typed beneath it, i.e, "What is most visible on the table?"
June 4, 2009, 8:27 PM
PiaNKA
Word, that's a good idea.  I'll keep image recognition like that in mind.  Only concerns that come to mind are that it'd be very easy to figure out which image is being displayed and easy to break the captcha if there's only one (or a handful of) questions per picture.
June 9, 2009, 4:52 PM
Ishbar
It's a twenty or so picture quiz.
Mind you, you could ask several different questions for each image.

So while the image may be the same, the question can be different, making your permutations of picture question combinations numerous.
June 17, 2009, 8:26 AM
Walkman
If any bot would break *any* of these obstacles on any major scale it’d be so resource-intensive it'd have to be a targeted attack. If that’s the case it’d be much cheaper (for the attackers) to hire twenty people that sit for six hours, just creating new accounts.

Captchas (and similar systems) won’t work in the long run. Because either it’d be too hard for a human being to solve, or simple enough for a smart bot. Are you sure you’re concerned more about *who* registers rather than at what volumes and/or speeds?
July 28, 2009, 1:26 PM
Myndfyr
[quote author=Walkman link=topic=17958.msg183131#msg183131 date=1248787617]
If any bot would break *any* of these obstacles on any major scale it’d be so resource-intensive it'd have to be a targeted attack. If that’s the case it’d be much cheaper (for the attackers) to hire twenty people that sit for six hours, just creating new accounts.

Captchas (and similar systems) won’t work in the long run. Because either it’d be too hard for a human being to solve, or simple enough for a smart bot. Are you sure you’re concerned more about *who* registers rather than at what volumes and/or speeds?
[/quote]
With 20 picture quizzes having 10 pictures each, you're looking at 200 different resources.  Even though 200 sounds large, it's trivial to have a human solve them and then feed the pairing of questions and answers into a database.  I don't think that makes it resource-intensive.

I don't remember which site was doing this - I think a porn site - was showing users free images in exchange for solving Yahoo captchas.

Ultimately I think that you'll see automation techniques continue to be refined and the massive amount of internetworked brainpower continue to try to overcome them.
July 28, 2009, 3:12 PM
Walkman
[quote author=MyndFyre link=topic=17958.msg183132#msg183132 date=1248793966]
With 20 picture quizzes having 10 pictures each, you're looking at 200 different resources.  Even though 200 sounds large, it's trivial to have a human solve them and then feed the pairing of questions and answers into a database.  I don't think that makes it resource-intensive.

I don't remember which site was doing this - I think a porn site - was showing users free images in exchange for solving Yahoo captchas.

Ultimately I think that you'll see automation techniques continue to be refined and the massive amount of internetworked brainpower continue to try to overcome them.
[/quote]
Forgive my stupidity but… didn't you just say the same thing as I did in my post, adding porn sites already do the exact same thing as I describe? Although I do think you've misinterpreted what I mean by “resources”. I'm talking CPU power and bandwidth. :-\

For clarification, if I was unclear: use a simple system for keeping the web roaming bots off (hidden inputs, whatever; invisible and unobtrusive) and for targeted attacks just limit it to X accounts per IP/user agent/cookie every Y hours. Removal of inactive accounts wouldn’t be bad, either.

PS: I tend to use a javascript solution to keep 99% of the bots off, giving users who have javascript disabled the possibility of solving a captcha instead.
July 28, 2009, 11:15 PM
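
The "X accounts per IP/user agent/cookie every Y hours" limit from the post above, sketched as an added example that is not part of the original thread: a sliding-window counter kept separately for each identifier, so changing only one of them does not reset the count. The class name, the per-identifier limits and the window length are assumptions for the demo; the user-agent limit is set much higher because many legitimate users share one user-agent string.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 6 * 3600                             # "Y hours" (assumed value)
LIMITS = {"ip": 3, "cookie": 3, "user_agent": 50}     # "X" per identifier (assumed values)


class SignupLimiter:
    """Sliding-window limit on account creation, counted per identifier."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.limits = dict(limits)
        self.window = window
        self._events = defaultdict(deque)             # (kind, value) -> creation timestamps

    def allow(self, identifiers, now=None):
        """identifiers: e.g. {"ip": ..., "cookie": ..., "user_agent": ...}.

        Returns (True, None) and records the signup, or (False, kind) naming
        the identifier whose limit was hit. Denied attempts are not recorded.
        """
        now = time.time() if now is None else now
        keys = [(k, v) for k, v in identifiers.items() if v and k in self.limits]
        for key in keys:
            events = self._events[key]
            while events and now - events[0] >= self.window:
                events.popleft()                      # drop signups older than the window
            if len(events) >= self.limits[key[0]]:
                return False, key[0]
        for key in keys:
            self._events[key].append(now)
        return True, None


def demo():
    """Constructed requests: one IP rotating cookies, then one cookie rotating IPs."""
    lim = SignupLimiter()
    ua = "ExampleBrowser/1.0"
    same_ip = [lim.allow({"ip": "203.0.113.5", "cookie": f"c{i}", "user_agent": ua},
                         now=i * 10) for i in range(4)]
    same_cookie = [lim.allow({"ip": f"198.51.100.{i}", "cookie": "shared",
                              "user_agent": ua}, now=100 + i) for i in range(4)]
    return same_ip, same_cookie
```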
PiaNKA
Thanks for the feedback,  but it's not spam I'm worried about.  Even after creating an account, the captcha will continue to be in effect.  There's a "bidding" system that will require consistently authenticated sessions.  Additionally, the revenue is from advertising...so I don't actually see a problem with real people using this en masse; they still have to look at the ads.
August 6, 2009, 6:57 PM
