How NOT to do CAPTCHA Security

By Daniel Miessler on January 28th, 2008: Tagged as Information Security | Security

captcha

First of all, just as a bit of trivia, CAPTCHA is based on a test for intelligence — a Turing Test. It stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

And here’s how not to do it…

Don’t make the text you want them to type into the field selectable with a mouse. For the love of God. A guy just told me he saw a developer show off his new rock solid CAPTCHA implementation. He demo’d it by highlighting the CAPTCHA text, copying it, and pasting it into the field.

Voila!

Devs don’t need security training, they need to get out more. How about reading some technology news? How about paying attention to the IT world as a whole? Making CAPTCHA text selectable? In. Sane.





--



4 Comments »

  1. Do you know how it was set up? If someone found a way to dump out the test in text-format but also not have it available in the source somewhere, it should work. If it’s rock-solid and works, why is it bad? And before you claim it can never work, real people also know that they shouldn’t be using absolutes for anything.

    How about not talking about something you never seen based on someone’s observation of something he probably didn’t know how it worked? How about not over generalizing people who develop and assuming that all developers are idiots? Researching before you blog about something? In. Sane.

    Comment by Bahamut — 1/28/2008 @ 8:12 pm

  2. Bahamut, his point was that it is not a Turing test. Even if you could not figure out how to the extract the text from the image, you can write a script to select the text and paste it into the box.

    Comment by Matt — 1/28/2008 @ 9:01 pm

  3. @Bahamut

    Jesus help us if you weren’t joking.

    If you weren’t you basically heard about someone being stupid, watched me make fun of them for being stupid, then proceeded to not even grasp why it was stupid, and then follow up with assuming I was the one who missed something.

    You must be a developer, which means your comment is getting added to the coveted “most ironic comment” list. Nothing against you personally, but you just served as the example for the post. I couldn’t have made something up any better.

    Comment by Daniel Miessler — 1/28/2008 @ 11:06 pm

  4. Man, Daniel, I wish you were joking but the sad part is that I know you’re not.

    Comment by Hot Carl — 1/29/2008 @ 7:57 am

RSS Feed For This Post...
This Post's TrackBack URI

Leave a Comment...