How NOT to do CAPTCHA Security

By Daniel Miessler on January 28th, 2008: Tagged as Information Security | Security

 

captcha 

First of all, just as a bit of trivia, CAPTCHA is based on a test for intelligence — a Turing Test. It stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

And here’s how not to do it…

Don’t make the text you want them to type into the field SELECTABLE WITH A MOUSE. For the love of God. A guy just told me he saw a developer show off his new rock solid CAPTCHA implementation. He demo’d it by highlighting the CAPTCHA text, copying it, and pasting it into the field.

Voila!

Devs don’t need security training, they need to get out more. How about reading some technology news? How about paying attention to the IT world as a whole? Making CAPTCHA text selectable? In. Sane.

  • Digg
  • Reddit
  • HackerNews
  • StumbleUpon
  • DZone
  • Google Bookmarks
  • Twitter
  • Facebook
  • del.icio.us
  • FriendFeed
  • Posterous
  • RSS
  • email
  

Comments

  • Man, Daniel, I wish you were joking but the sad part is that I know you're not.

  • @Bahamut


    Jesus help us if you weren't joking.


    If you weren't you basically heard about someone being stupid, watched me make fun of them for being stupid, then proceeded to not even grasp why it was stupid, and then follow up with assuming I was the one who missed something.


    You must be a developer, which means your comment is getting added to the coveted "most ironic comment" list. Nothing against you personally, but you just served as the example for the post. I couldn't have made something up any better.

  • Matt

    Bahamut, his point was that it is not a Turing test. Even if you could not figure out how to the extract the text from the image, you can write a script to select the text and paste it into the box.

  • Bahamut

    Do you know how it was set up? If someone found a way to dump out the test in text-format but also not have it available in the source somewhere, it should work. If it's rock-solid and works, why is it bad? And before you claim it can never work, real people also know that they shouldn't be using absolutes for anything.


    How about not talking about something you never seen based on someone's observation of something he probably didn't know how it worked? How about not over generalizing people who develop and assuming that all developers are idiots? Researching before you blog about something? In. Sane.

blog comments powered by Disqus

 

twitter_icon

Sample Original Content


Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects


Blog Archives