19

Security is about balancing costs and risks: nothing is impossible to beat, especially not typical CAPTCHA implementations, but they do add something no other system seems to offer.

I've been reading around about these CAPTCHAs for a while and possible alternatives... (so please don't refer me to other sites/answers unless they truly answer the following question).

I have no experience whatsoever, so for me it is hard to estimate the costs and risks associated with this decision: should I employ CAPTCHAs (I'm thinking of JCaptcha or reCaptcha), or is a combination of other techniques enough?

I have a registration form to be filled, but I don't want my user table to be filled with trash. A honeypot field is easy to implement, but oh so easy to circumvent; a simple security check (what color is the sky?) works well against automated attacks, but any 15-year-old can build a simple targeted attack that wrecks my user table... JavaScript to check the time taken to fill the form is insecure and is broken with a simple POST to my server. Basically, I haven't found anything that works against a slightly smart targeted attack except a typical CAPTCHA, so I don't get trolled... So the real question is: am I at a significant risk of getting trolled with a targeted attack, so that I'd rather lose 10% of my users to these CAPTCHAs, or is there an alternative that doesn't tax the user so much?

EDIT: Thank you so much for your answers; they have certainly helped me clarify my ideas, especially the link to OWASP about avoiding brute-force attacks (it got my +1, but I did not accept it since it didn't feel like a solution, although it does help find one. If you think I should accept it because I find it the best answer so far, please comment saying so, since I may be misinterpreting the workings of the site).

On the other hand, Asirra is quite fun and easy, and a lot better than traditional CAPTCHAs; I would certainly recommend it over other services. The puzzle is a lot more fun, and even if you fail, you would only fail once... pity:

Asirra is still in beta-testing; the service and its API may both be unstable.

Final Edit: Just in case it is found useful, here are the steps I've taken to ensure users are not bothered by CAPTCHAs while I still feel safe from bots.

  • Honeypot field (so easy to implement that it cost me nothing, though I don't feel very secure with it).
  • E-mail verification link (or OAuth access), since it was always in my plans to add it. Only validated users are migrated to my user table; the rest stay as registered.
  • Time check: a server time-stamp with signature is loaded through AJAX; the user needs to take at least 5 seconds to fill the form before sending (the password) or it is discarded.
  • Confirmation page (with a server-signed token to ensure the request has passed through the server first) after registration, which warns the user that a confirmation e-mail is required and has a button to send the confirmation e-mail (in which case the data is also registered in the DB).

This will not stop a very dedicated attacker, but I hope they will not want to spend hours and hours tuning their attack to gain nothing but bothering me.

Daren
  • You may add these steps: checking the description with an anti-spam tool; a greylisting level based on *suspect* words (greylisted accounts have to be reviewed by an operator). – F. Hauri - Give Up GitHub Feb 01 '13 at 17:31
  • There's always Crapcha (http://crapcha.com/). Sorry, couldn't resist. –  Jun 11 '13 at 13:08

12 Answers

17

Thinking outside the box...

In most cases this applies: the business purpose of CAPTCHAs is to identify that the person accessing a page is a human being. The underlying reason for needing to know it's a human is to prevent automated form submission, and the main reason for preventing that is to prevent brute-force attacks.

So the ultimate purpose of a CAPTCHA in most cases is as a tool to prevent brute-force attacks.

If this is your underlying reason for wanting to use a CAPTCHA, read on. Note that there are other reasons for using CAPTCHAs, and these suggestions may or may not be applicable.

That said, there are alternatives to CAPTCHA for preventing brute-force attacks. The OWASP web site lists a few with pros and cons of each approach:

1. Locking Accounts

The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator. However, account lockout is not always the best solution, because someone could easily abuse the security measure and lock out hundreds of user accounts. In fact, some Web sites experience so many attacks that they are unable to enforce a lockout policy because they would constantly be unlocking customer accounts.

The problems with account lockouts are:

  • An attacker can cause a denial of service (DoS) by locking out large numbers of accounts.
  • Because you cannot lock out an account that does not exist, only valid account names will lock. An attacker could use this fact to harvest usernames from the site, depending on the error responses.
  • An attacker can cause a diversion by locking out many accounts and flooding the help desk with support calls.
  • An attacker can continuously lock out the same account, even seconds after an administrator unlocks it, effectively disabling the account.
  • Account lockout is ineffective against slow attacks that try only a few passwords every hour.
  • Account lockout is ineffective against attacks that try one password against a large list of usernames.
  • Account lockout is ineffective if the attacker is using a username/password combo list and guesses correctly on the first couple of attempts.
  • Powerful accounts such as administrator accounts often bypass lockout policy, but these are the most desirable accounts to attack. Some systems lock out administrator accounts only on network-based logins.
  • Even once you lock out an account, the attack may continue, consuming valuable human and computer resources.

2. Inject random pauses when checking a password.

Adding even a few seconds' pause can greatly slow a brute-force attack but will not bother most legitimate users as they log in to their accounts.

3. Lock out an IP address with multiple failed logins

4. Design your Web site not to use predictable behavior for failed passwords.


As for this:

I have a registration form to be filled, but I don't want my user table to be filled with trash.

In your particular case, I'd go with a two-tier approach:

First, I'd use the "Inject random pauses" option just to limit how many bogus submissions could be entered in the first place.

To deal with potentially bogus registration attempts, use a verification mechanism. Register them but not as active, send them an email with an "Activation" link. For those that activate - at least you know you have a valid email address of someone who actually wants to register. Then implement a scheduled task that automatically deletes un-activated accounts after X hours or X days.

David Stratton
  • +1 CAPTCHA is more often than not intended for rate-limiting and there are other approaches that can serve the same purpose - however making them really effective and watertight is not necessarily straightforward. With the pausing approach you typically have to also limit the number of connections by IP, or have a steadily increasing delay per connection, in order to prevent bulk attacks reducing the effectiveness of the pause by doing hundreds of connections in parallel. – bobince Jan 23 '13 at 15:57
  • I am intrigued by your suggestion for a pause... I mean a sleeping thread in the server is tying up useful resources for legitimate users... I'm deciding that the verification e-mail is my best defence... – Daren Jan 23 '13 at 16:12
  • About the pause - I'm not married to the idea. There are pros and cons to it, as described on the OWASP page I linked to. It's typically not a long pause, and definitely it's something to weigh against performance especially if you expect high demand. But that's more of a design decision than a security one. I like the email verification as well. Or better yet, a two-factor authentication using a cell phone if you can pull it off - like Gmail, Windows Live, and others offer. http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html - **IF** you can justify the work/cost. – David Stratton Jan 23 '13 at 16:27
  • I cannot afford the phone verification... yet. Though I will keep it in mind. I've found a way to enforce the pause: first site fills the form, second site confirms you are not a bot with a session token and an additional check (confirm you are not a bot and a send button), in between the pause is added and is inescapable. However this still taxes the user so I will only implement it if I detect an attack. – Daren Jan 24 '13 at 09:50
  • "is to identify that the person accessing a page is a human being"! And who else is using the internet? Are we already conquered by ET or machines? [It is impossible to solve the problem before and without](http://security.stackexchange.com/a/29679/5656) formulating it first – Gennady Vanin Геннадий Ванин Jan 25 '13 at 05:53
  • @GennadyVanin--ГеннадийВанин a human assisted by a bot to simulate a legion of humans, and we are conquered by machine, already more processors than humans in the world. :) – Daren Jan 25 '13 at 13:13
  • Another way is to store all the important account data in the activation link. E.g., the user signs up and nothing is written to the user table. After this, an activation link is sent that is "signed" by a MAC and contains all the information the user entered. This link is what does the "real" sign-up. – sebastian nielsen Mar 14 '15 at 15:27
10

Google has come up with a new technique called reCaptcha that is simpler and reportedly more reliable than existing solutions.

It consists of a single checkbox that, when clicked, sends metadata to Google's servers, which in turn use some proprietary AI to determine whether the click originated from within a script or from a human.


See this VentureBeat article for additional information.

makerofthings7
  • at long last... :) – Daren Jan 05 '15 at 09:11
  • reCaptcha is broken and does not work against brute force attacks! The issue is that one can send as many captcha requests as wanted to solve the captcha before submitting the form. Google does not restrict it. It usually takes 3 minutes to get a successful response. If you have a botnet you can easily do the spamming you need to. I just witnessed such an attack. – mahatmanich Feb 24 '16 at 16:46
  • http://scraping.pro/recaptcha-solved-imacros/ check here for more details – mahatmanich Feb 24 '16 at 16:52
8

One alternative to a classic captcha is Microsoft Asirra (which I consider quite interesting). Instead of reading scrambled text, you have to select the cats from pictures containing either cats or dogs. They have over 3 million photos, so you should be safe against the more determined attackers. It is not very probable that someone will index all these images just to fill your database with junk, and moreover, the chance of not being able to select the cats from the first try is low.


UPDATE: Google can solve Cat Captchas.

Dinu
  • That is a ***really*** cool idea. It's simple enough that my Mom could do it, and a heck of a lot friendlier than traditional Captchas. – David Stratton Jan 23 '13 at 18:46
  • Similar-ish to this are the "Select the X" and there are a few different images, of which you select what is given. Like "Select the paintbrush" and there is a picture of a paintbrush, house, and dog. – Rob Jan 23 '13 at 18:58
  • The Asirra project does not make any consideration for accessibility. (There are no options for visually-impaired users, etc.) If you need 508 compliance, Asirra is not ready for it. – mawcsco Jan 23 '13 at 19:44
  • Great motivation(1) to develop neural net software that can distinguish between cats'n'dogs! 1) To the very people you don't want cracking it. But their efforts should help out the folks who are 'different-accessibility enabled' as referred to by @mawcsco. – Andrew Thompson Jan 24 '13 at 05:45
8

Captcha is not a solution at all!

There is an overall CAPTCHA killer that could pass every existing CAPTCHA, and even ones not yet invented!

It's based on social engineering:

Simple and easy, a 15 year old spammer student could build this:

  1. Build a trivial free puzzle CAPTCHA game site that looks harmless:
    1. A little funny game, playing with many CAPTCHAs to access further game levels
    2. ... leave users playing with CAPTCHAs ...
  2. With a simple server script, when a CAPTCHA is asked for, the server goes to the target site to get the target's CAPTCHA, then forwards it to the players of the CAPTCHA game site.
    1. The players will try to answer CAPTCHAs as quickly as possible to reach the second game level.
    2. The server simply has to forward CAPTCHA challenges and answers between the target site (the real victim) and the gamers (unwanted complicity: collateral victims).
  3. With each CAPTCHA successfully passed, the server could create one spammer account on the target...

A network of human assistance... for bots.

Where robots could use people's help to do their (bad) work.

Acknowledgements:

A big thanks to @GennadyVanin--ГеннадийВанин for the idea of an attractive free puzzle game CAPTCHA! The first idea was to create a barely legal porn or money-maker site and use CAPTCHAs for validating new accounts.

This idea of a CAPTCHA puzzle game adds:

  • a trivial site (not barely legal)
  • more than one CAPTCHA resolved by one user.

Alternatives

There are several ways to prevent spam, from Bayesian tools to mail confirmation based on PGP.

Just one sample: you could use bogofilter with progressive policies:

  1. At the beginning, every post on your blog will be submitted to your bogofilter environment...

  2. At first, all posts have to be manually validated (grey list), while teaching bogofilter.

  3. Once enough spam and ham have been reviewed, your bogofilter becomes able to

    1. validate a lot of posts automatically
    2. reject a lot of posts automatically and efficiently
    3. then grey-list some new posts that are not well classified... which will be manually validated, teaching bogofilter again... and again... (see my comment ;)

Of course, this will require active monitoring; it is not perfect at all, and sometimes some tuning operations and post retrieval could be useful...

Conclusion

In the end, CAPTCHAs:

  • consume a lot of time,
  • will always become hackable,
  • may be confusing, and
  • don't add to the prettiness of a welcome page!
  • ... or use Amazon Mechanical Turk: https://www.mturk.com/ – Shadok Jan 24 '13 at 10:52
  • ...or create an attractive free puzzle game CAPTCHA and collect personal data from registrations to spam users - the site is protected and its users' personal data is being sold. Besides, such sites are not barely pseudo-legal, they are seriously legal, everywhere, and it is the backbone of the free internet in exchange for controlling your tastes and even internet searches – Gennady Vanin Геннадий Ванин Jan 25 '13 at 05:23
  • Regarding this, I'm thinking to *Jack Cucchiaio*: *Spam* is like *The Horribly Slow Murderer with the Extremely Inefficient Weapon*: **tiresome!** – F. Hauri - Give Up GitHub Aug 22 '16 at 22:42
2

An alternative to images is human-interpretable questions, but this could incur some development cost. Strategies I've seen:

  1. User-identifiable images: trialled by a UK bank; they asked users to upload photos of people they knew and did a multiple-choice with other random photos, "Who's your aunt?". Worked well until it was totally abused. :-) Please note this is really just an "alternative password" strategy and thus has the same problems.
  2. Arithmetic questions: "what is 10 divided by 2?" with some entropy in the format and mechanisms used to formulate the sentence, e.g. "what is ten divided by 2?"
  3. Puzzle: multiple-choice questions that describe a photo, e.g. a blue house on a green field.

Please be aware that NONE of these will pass disability legislation. Where I live (UK) the RNIB and their consultancy arm Foviance will threaten large companies for using non-DDA compliant mechanisms. The big problem I've always faced is that the security is only as strong as the weaker of the two strategies (if you also provide a DDA compliant mechanism).

Callum Wilson
  • I'm guessing the arithmetic question is in image form? otherwise a text reader for blind people would help them and therefore would be disability compliant, no? – Daren Jan 23 '13 at 16:07
  • If the arithmetic was in plain text then a reader would indeed help. However, if an arithmetical challenge would be a lot easier to interpret. It really depends what the risk appetite is and what the end goal of the CAPTCHA is. – Callum Wilson Jan 23 '13 at 16:57
1

Spam bots are already smart enough to do Google searches, so something like asking the color of the sky is pretty ineffective. Generally things like simple math word problems or pictures with math problems can be reasonably effective. nuCaptcha is an animated captcha which is much easier to read though I'm not sure if it has been broken yet or not. IP black lists are pretty effective at recognizing common spammers and blocking them. There are also domain blacklists that look for any links to known spam sites by users as well as known spam e-mail accounts. Requiring a user to click a link sent to them in e-mail is also helpful as it forces the e-mail address used to be legit.

AJ Henderson
1

I'm pretty sure Microsoft's Asirra project is dead, or at least no longer actively supported. There's another, similar approach called Confident CAPTCHA that is pretty much the same thing: users are asked to click on a couple of pictures to prove they're human. It also has an audio option for the visually impaired, which Asirra does not.

Leo
1

Huh, I failed even to find any question.

The CAPTCHA is not a synonym for antispam protection, and there are NO spam-bots without human spammers behind them. Spam is created by humans, sometimes bot-assisted, and paid for and requested by humans.
There is no spam created by bots themselves and ordered and paid for by machines. Those are called viruses.

At the root, spam protection is protection against spammers, i.e. humans. And CAPTCHA, by definition, is not protection from humans; it is a Completely Automated Public Turing test to tell Computers and Humans Apart. It can be used as prevention against bot-assisted posting.

Also, bot-assisted posting is not a synonym for spam. Most social networking is based on bot-assisted sharing of articles, news, re-posting and retweeting by schedule.

There will be no solution to a never-formulated, only hinted-at question with never-formulated terms (what is spam, a spammer, etc.).

And it is quite naive to seek a universal silver bullet once, for everything and forever, against creative human spammers.

  • Try not to use bold so much. It hurts my eyes, and makes the answer look unprofessional. – Polynomial Jan 25 '13 at 11:04
  • "So the real question is, am I at a significant risk of getting trolled with a targeted attack so I'd rather lose 10% of my users to these CAPTCHAs or is there an alternative that doesn't tax so much the user?" – Daren Jan 25 '13 at 13:10
  • CAPTCHA will not protect you from trolls. Trolls are humans. It is a senseless question. It might hinder unprofessional vandals, hooligans, et al. using SEO automation tools but will not stop professionals. As a matter of fact, you will not even detect when dialogues are maintained by professional bots used by qualified specialists – Gennady Vanin Геннадий Ванин Jan 25 '13 at 17:20
  • @GennadyVanin--ГеннадийВанин Of course it won't save me from professionals, I just want protection from amateurs who might find it funny to screw with my server for fun's sake. Security is all about balancing costs and risks. – Daren Jan 29 '13 at 13:31
1

Maybe client puzzles are a solution. The idea is to let the client perform a computationally intensive operation that is easy to verify by the server. The idea is to gradually increase the complexity of the operation.

A one-way hash is such an operation that can be used. On the first submission of a form you can have the client find a word whose md5 checksum ends with a specific character. This can be found reasonably quickly and is even faster for the server to verify. If somebody tries to brute-force your service, you require more matching characters of the checksum, making the puzzle harder for the client.

Check http://en.wikipedia.org/wiki/Client_Puzzle_Protocol and http://www.isoc.org/isoc/conferences/ndss/99/proceedings/papers/juels.pdf

JoG
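The hash puzzle described in this answer, carried through to a small server that issues single-use challenges and raises the difficulty as the submission rate climbs, as an added Python example (not code from the answer or the linked papers). MD5 and the "checksum ends in N characters" target follow the answer; the `challenge:answer` layout, the zero target, the rate thresholds and all names are assumptions.

```python
"""Adaptive hash client puzzle: an added example, not code from JoG's answer
or the linked papers. The server hands out a random challenge and remembers
the difficulty d it demanded; the client must find an answer whose MD5 of
"challenge:answer" ends in d hex zeros (the answer's 'checksum ends with a
specific character', generalised to d characters). Verifying costs one hash.
MD5 is the answer's choice; separator, zero target and thresholds are assumptions."""
import hashlib
import secrets
from typing import Dict, List, Tuple

MAX_DIFFICULTY = 6   # assumed ceiling: ~16**6 client hashes, still one hash to verify
WINDOW_SECONDS = 60  # assumed rate window


def puzzle_digest(challenge: str, answer: str) -> str:
    return hashlib.md5(f"{challenge}:{answer}".encode()).hexdigest()


def solve(challenge: str, difficulty: int) -> str:
    """Client side: exhaustive search, about 16**difficulty hashes on average."""
    target = "0" * difficulty
    counter = 0
    while not puzzle_digest(challenge, str(counter)).endswith(target):
        counter += 1
    return str(counter)


def verify(challenge: str, difficulty: int, answer: str) -> bool:
    """Server side: one hash, cost independent of difficulty."""
    return puzzle_digest(challenge, answer).endswith("0" * difficulty)


class PuzzleServer:
    """Issues single-use challenges and scales difficulty with the accepted rate."""

    def __init__(self, per_minute_limit: int = 30):
        self.per_minute_limit = per_minute_limit
        self.accepted: List[float] = []        # timestamps of accepted submissions
        self.outstanding: Dict[str, int] = {}  # challenge -> difficulty demanded

    def difficulty(self, now: float) -> int:
        """One zero at rest; one more for every per_minute_limit accepted in the window."""
        self.accepted = [t for t in self.accepted if now - t < WINDOW_SECONDS]
        return min(1 + len(self.accepted) // self.per_minute_limit, MAX_DIFFICULTY)

    def issue(self, now: float) -> Tuple[str, int]:
        """Hand the form a fresh challenge; the server, not the client, fixes d."""
        challenge = secrets.token_hex(16)
        difficulty = self.difficulty(now)
        self.outstanding[challenge] = difficulty
        return challenge, difficulty

    def submit(self, challenge: str, answer: str, now: float) -> bool:
        """Accept once only: a wrong answer also spends the challenge (no retries)."""
        difficulty = self.outstanding.pop(challenge, None)
        if difficulty is None:                  # unknown, already spent, or replayed
            return False
        if not verify(challenge, difficulty, answer):
            return False
        self.accepted.append(now)
        return True
```

In a real deployment the outstanding challenges also need an expiry, otherwise a client that requests challenges without ever answering them can grow the map without bound.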
1

I think that CAPTCHA's day is over. It cannot be secure when there are websites offering to solve 1000 for 3 dollars all over Google if you do a search. It is widely known that a lot of spamming these days is by humans in countries with emerging economies as opposed to machines. I personally hate CAPTCHA and I use software called RUMOLA to read and fill them in for me and, although I just use this software to make blogging less frustrating, it just proves that for a little money you can get past all CAPTCHAs... PS. If you feel the same way as me about CAPTCHA you can try RUMOLA at skipinput.com

ally
0

I have a suggestion: give the user a picture similar to a CAPTCHA image, but that image will contain a simple mathematical expression like 55+12. The user has to enter the answer to that expression, 67 in this case.

To improve security you can create the image dynamically, or you can use a set of predefined images.

sujeesh
  • The problem is that you've now restricted your CAPTCHA content to a small set of characters, so OCR could be used to break it. – Polynomial Jan 25 '13 at 11:06
  • @Polynomial that's a good answer. But if I used different fonts and a different color per letter? And if I used some background graphics? Would it be helpful to prevent OCR reading? – sujeesh Jan 25 '13 at 11:23
  • Nope. If you change the colour, a saturation filter will remove it. If you add colour *and* a background, the foreground colours can be isolated and used to perform a notch filter. If you use different fonts that might make it a little more difficult, but a decent OCR engine could compensate by doing pattern matching against known fonts and looking for >95% correlations. You need to actively warp the text and provide noise that significantly distorts both the background and text. It's a difficult thing to get right without destroying readability. – Polynomial Jan 25 '13 at 11:36
0

You might want to check out "are you a human." It reminds me of what Asirra is trying to do.

http://areyouahuman.com/

JackWink