Posted by shimmyshack on 05/01/07 03:37
On May 1, 12:29 am, Stuart Millington <n...@dsv1.co.uk> wrote:
> On Mon, 30 Apr 2007 15:57:54 -0700, zach <wackzi...@gmail.com> wrote:
> >type. At least for me this seemed faster and easier. I get confused with
> >some captchas because I can't tell if a letter is an l or i or o and 0.
>
> Indeed, in many image based schemes it's hard for sighted, let alone
> partially sighted, people to see the difference between a zero and an
> "oh".
>
> >Just a thought on speed and usability. Is there a security reason why
> >using only numbers shouldn't be used?
>
> In terms of usability, image-only schemes should never be used (in the
> UK at least), as they discriminate in violation of the DDA 1995 unless
> adequate, alternative, provision is made.
>
> IME the number of sites using these techniques who bother to implement
> such alternatives are close to zero :-(
I definitely agree. Captchas present significant difficulty to fully
sighted humans, let alone partially or unsighted people, or those with
difficulties recognising text patterns. To get round this you might
see reduced character spaces, or even the use of common words, such as
Google's anti-script captchas.
Add to this the fact that most popular captcha implementations are
very weak, and that OCR can defeat them, for various reasons (lack of
randomness/variety in text/images/backgrounds/fonts, insufficient
rotation/distortion, use of words, which provide a context for each
character...)
http://sam.zoy.org/pwntcha/
and you have a dying, inaccessible gimmick.
Using the reduced password space of "digits" does mean that the OCR
has an easier job of homing in on the right character: if it
could be an o, O or 0 but only digits are allowed, then the guess is
easier. The OCR scripts still have to guess what the characters
are, but provided they are notified of the character set for that
implementation, it is much easier.
Of course the really simple way to solve captchas is by hijacking them
and using them on your high-traffic site, getting a human to solve
them, and sending the results back downstream to the originating site, so
they are, in every sense, broken. They just keep your fruit on the next
branch up.
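An added illustration of the reduced-alphabet point made in the post above (my own example, not code from anyone in the thread): given a set of glyph confusion classes, it counts how many strings stay consistent with an ambiguous reading once the CAPTCHA's allowed alphabet is known, which is a quick way to evaluate an alphabet choice. The confusion classes and the sample reading are constructed assumptions, not measured OCR data.

```python
import math
from itertools import product

# Constructed confusion classes: glyph groups that tend to be read
# interchangeably. Illustrative assumption, not measured OCR behaviour.
CONFUSION_CLASSES = [
    set("oO0"),
    set("lI1|"),
    set("sS5"),
    set("zZ2"),
    set("bB8"),
]

DIGITS = set("0123456789")
ALNUM = set("0123456789"
            "abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ")


def candidates_for_glyph(glyph, alphabet):
    """Characters still in play for one glyph once the alphabet is known:
    its confusion class intersected with the allowed characters. Falls
    back to the glyph itself if it is unambiguous or nothing intersects."""
    for cls in CONFUSION_CLASSES:
        if glyph in cls:
            return sorted(cls & alphabet) or [glyph]
    return [glyph]


def candidate_strings(reading, alphabet):
    """Every string consistent with an ambiguous reading under the alphabet.
    With digits only, each confusable position collapses to one choice."""
    per_pos = [candidates_for_glyph(g, alphabet) for g in reading]
    return ["".join(p) for p in product(*per_pos)]


def search_space_bits(length, alphabet):
    """Raw entropy of a challenge of this length over this alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    reading = "o1s0"  # constructed ambiguous reading of a 4-glyph challenge
    print("digits only:", candidate_strings(reading, DIGITS))
    print("alphanumeric candidates:", len(candidate_strings(reading, ALNUM)))
    print("6-char search space, digits vs alnum:",
          round(search_space_bits(6, DIGITS), 2),
          round(search_space_bits(6, ALNUM), 2))
```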