Captcha

[shmokes]

Am I alone in thinking these things have gone out of control?  I would say that on average I have to refresh a captcha at least three times before finding one that's legible enough for me to even take a stab at it.  And pretty frequently I still get it wrong.  So stupid.

[SavannahLion]

@shmokes

Yeah, it's gotten pretty bad. There was a guy who came up with the idea of identifying a group of pictures that I've only seen on very few websites. That's pretty tolerable until you come across a moronic admin that decides to use pictures that are such low resolutions you can't make anything out anyways.

One coding site (forget which one now) was really ---smurfing--- people over by asking you to write a bit of code to solve for X and it had to be properly formatted. 

@PBJ

Really? I got to go find a captcha site and try it out.

Wasn't there a program somewhere where you register your website and use your website in lieu of a captcha? Is that still in use?

[newmanfamilyvlogs]

http://thepcspy.com/kittenauth/

Prove you're human by picking kittens out of a group of images.

[Well Fed Games]

Pretty sure I am a robot, or some sort of part robot cyborg, with the problem I have with these things. Always knew it would happen eventually.

[ChadTower]

They do seem to be getting harder and harder to read.  I've noticed it too.

[Mikezilla]

They do seem to be getting harder and harder to read.  I've noticed it too.

Not only that, but they dont even use real words anymore. I got one yesterday that said "klorgon". What the hell is that? Some sort of Klingon snack food? 

[Samstag]

They do seem to be getting harder and harder to read.  I've noticed it too.

Not only that, but they dont even use real words anymore. I got one yesterday that said "klorgon". What the hell is that? Some sort of Klingon snack food? 

Maybe you're lucky.  I rarely see a captcha that uses real words.  Those kind used to be easy.  Now I feel like I'd have an easier time writing a program to guess captchas than answer them myself.

Before long the only users of the internets will be captcha-guessing robots.

[SavannahLion]

http://thepcspy.com/kittenauth/

Prove you're human by picking kittens out of a group of images.

Holy crap, that's him. I remember spending alot of time on an old forum working up his idea.

[Vigo]

They do seem to be getting harder and harder to read.  I've noticed it too.

Not only that, but they dont even use real words anymore. I got one yesterday that said "klorgon". What the hell is that? Some sort of Klingon snack food? 

Haha! I know, to make it even worse, they are not random letters, but almost real words. You end up staring at it for 5 minutes thinking you just misread the word. I remember I got "slength". I Remember staring at it forever thinking "that's gotta be 'strength', is that a 'T' or an 'L'...or maybe it's an upper case 'I'? Is siength a word?"

[spoot]

Indeed, whoever came up with captcha needs to die a horrible death.  Or be locked in a room with driverman for six hours.  Not sure which would be worse......

[SavannahLion]

Indeed, whoever came up with captcha needs to die a horrible death.  Or be locked in a room with driverman for six hours.  Not sure which would be worse......

If one has any measure of intelligence, computer or otherwise, it would be Driver-man....

Of course you may be Driver masquerading again. o_O

[newmanfamilyvlogs]

Indeed, whoever came up with captcha needs to die a horrible death.  Or be locked in a room with driverman for six hours.  Not sure which would be worse......

If one has any measure of intelligence, computer or otherwise, it would be Driver-man....

Of course you may be Driver masquerading again. o_O

Has spoot ever posted an idea that was interesting but unreasonable? YES/NO
Does spoot support the death penalty? YES/NO

"Listen kid, I'm not gonna ---That which is odiferous and causeth plants to grow--- you, all right? I don't give a good ---fudgesicle--- what you know, or don't know, but I'm gonna torture you anyway, regardless. Not to get information. It's amusing, to me, to torture a cop. You can say anything you want cause I've heard it all before. All you can do is pray for a quick death, which you ain't gonna get. "

[spoot]

Indeed, whoever came up with captcha needs to die a horrible death.  Or be locked in a room with driverman for six hours.  Not sure which would be worse......

If one has any measure of intelligence, computer or otherwise, it would be Driver-man....

Of course you may be Driver masquerading again. o_O

Ouch.....damn.  I'm gunna go cry in a corner now.   

[hypernova]

I know I've gotten captchas wrong before at least once, but it still let me pass.

Not only are they using random letters, they're throwing in numbers.  They have officially become more complicated than most of my passwords.

[Dervacumen]

Indeed, whoever came up with captcha needs to die a horrible death.  Or be locked in a room with driverman for six hours.  Not sure which would be worse......

If one has any measure of intelligence, computer or otherwise, it would be Driver-man....

Of course you may be Driver masquerading again. o_O

Ouch.....damn.  I'm gunna go cry in a corner now.   

I have a 150 page document of the last rant gathered from sources around the web just in case this pops up again although I guess if I removed some of the links and garbage it might only be 100 pages or so.  Unfortunately I also have this horrendously long and complicated password for this site that I *HATE* typing every time I log in.
What is it with the Mame Devs anyway?  Seems to me that the flap on Joust isn't quite right. 

[vcoleiro1]

I thought I was the only one who hated Captcha.  Even its name is painfull, you cant even complain about it without looking at how its spelled.   I HATE IT.

Even worse is the questions some game sites ask like who is some game characters brother or side kick, if you havent played the game (and sometimes even if you have) you need to then search
the internet for the answer.  In the words of Catherine Tate (Nan)  "What a load of old sh.t"

[hypernova]

Even worse is the questions some game sites ask like who is some game characters brother or side kick, if you havent played the game (and sometimes even if you have) you need to then search
the internet for the answer.

IBM's Watson would be able to get most of those answers, I bet.

[Howard_Casto]

I always thought captcha was a stupid concept. 

Text recogniton software is still to crappy to read text off of an image unless the font is REALLY clear.   Instead of distorting the text or adding in lines and nonsense and coming up with gibberish words, why not just save the password as a bitmap image (randomly generated of course) in a cursive font?  Hardly anything can read cursive except people.  Heck most of your novelty fonts are unreadable by OCR software, so just pick one at random when generating the image... no distortion needed!

[Nephasth]

You only have to get the more legible word correct.  You can put gibberish for the other.  If you don't believe that, try it for yourself.

Tried it. Doesn't work.

[RayB]

Obviously OCR has gotten good enough at text recognition that they need to distort and add the crud in. You think they don't TEST this stuff out?

One guy has a brilliant idea to replace captchas: Have a slider that you have to click and slide from left to right. Could a bot do that? I'm not sure.

[newmanfamilyvlogs]

Obviously OCR has gotten good enough at text recognition that they need to distort and add the crud in. You think they don't TEST this stuff out?

One guy has a brilliant idea to replace captchas: Have a slider that you have to click and slide from left to right. Could a bot do that? I'm not sure.

Why couldn't it? In the end most bots are going to be directly submitting their POST/GET data directly anyway, there's no clicking or dragging involved. I doubt any of the spam bots that rely on cracking captchas even render the html anywhere.

[shmokes]

You only have to get the more legible word correct.  You can put gibberish for the other.  If you don't believe that, try it for yourself.

Tried it. Doesn't work.

Me too. Definitely doesn't work.

[shmokes]

There's almost always a clear word and a distorted one.  But I just got one wrong in which the clear word was crystal clear and I actually made a legitimate attempt to get the distorted one right.  I wasn't even trying to test your advice.  Definitely doesn't work.  Now that I think of it, it makes sense that it can't work that way.  If it did, people wouldn't be so frustrated with the system.

[Howard_Casto]

Obviously OCR has gotten good enough at text recognition that they need to distort and add the crud in. You think they don't TEST this stuff out?

I'm sure they do, with state of the art techniques that 90% of the hackers out there aren't going to have access to nor know how to use.  Captcha is 

The thing about security is it is an illusion.  It doesn't make your site/home/whatever anymore secure to people that actually want to get into it, only to those that just do it for fun.  What it does it make YOU rest easy at night by making you think you are secure.  So it's ok to have a little bit of security to make yourself feel more at east, but at some point you've got to wonder if you are locking yourself in rather than keeping others out. 

To me  using captcha on the average website is like putting steel bars on the windows and razor wire on the fence of your home.

[ChadTower]

Could a bot do that? I'm not sure.

Absolutely.  Any test automation suite could do it.  Different type of bot but test suites run through gui interfaces for regression and load testing without any issues.  If it can be done with a mouse it can be done with a 'bot'.

[shmokes]

That's intereesting, but definitely doesn't apply to the typical captchas people see where there are two words, one of which is gibberish.  Think about it, from what books are they getting these gibberish words?  They're not words.  Real books contain real words.  It makes no sense that when the distorted-almost-beyond-recognition word is "nraljeck" it is coming from a scan of a print book that Google is digitizing.  Cos no print books in the world contain the word "nraljeck".

[ChadTower]

That's intereesting, but definitely doesn't apply to the typical captchas people see where there are two words, one of which is gibberish.  Think about it, from what books are they getting these gibberish words?  They're not words.  Real books contain real words.  It makes no sense that when the distorted-almost-beyond-recognition word is "nraljeck" it is coming from a scan of a print book that Google is digitizing.  Cos no print books in the world contain the word "nraljeck".

You are assuming every captcha served would be coming from a book.  If you have millions being served every day it would work best if only a certain percentage were coming from books and the rest are gibberish.  That's better security and is still accomplishing the data entry goal.

[shmokes]

That's intereesting, but definitely doesn't apply to the typical captchas people see where there are two words, one of which is gibberish.  Think about it, from what books are they getting these gibberish words?  They're not words.  Real books contain real words.  It makes no sense that when the distorted-almost-beyond-recognition word is "nraljeck" it is coming from a scan of a print book that Google is digitizing.  Cos no print books in the world contain the word "nraljeck".

You are assuming every captcha served would be coming from a book.  If you have millions being served every day it would work best if only a certain percentage were coming from books and the rest are gibberish.  That's better security and is still accomplishing the data entry goal.

Maybe. But that still doesn't account for the fact that it didn't work. Both the easier and the more difficult words need to be entered correctly. Otherwise there wouldn't be so much frustration stemming from failing captchas.

And that comic is great. I sent a super long diatribe to the dean and the IT director of my university for their absurd password policy, explaining how ridiculous it was.  The response was more or less, "It is important that we keep up with industry standards."

As ridiculous as that comic paints the powers that be, it's not even taking into consideration the reality of account lockouts.  It's pretty damned hard to make 1000 guesses per second when three wrong guesses triggers a 12 or 24 (or even 1) hour lockout.  Essentially if a password for a system with account lockout isn't in the dictionary, it is effectively impervious to a brute force attack.  Full stop.

edit: spelling, grammar (typed on a touchscreen)

[ChadTower]

As ridiculous as that comic paints the powers that be, it's not even taking into consideration the reality of account lockouts.  It's pretty damned hard to make 1000 guesses per second when three wrong guesses triggers a 12 or 24 (or even 1) hour lockout.  Essentially if a password for a system with account lockout isn't in the dictionary, it is effectively impervious to a brute force attack.  Full stop.

That only accounts for user interface challenges.  Every enterprise system has a whole lot of other challenges that have no lockout on them.  Besides, the whole point is to probe for weaknesses, not to keep hammering away at a single entry point.  If one locks out, find, check another.  There are only about 1000 entry points into the average small commercial LAN.

[shmokes]

Sure, but progressively requiring more and more and more and more complex passwords targets the one entry point we're talking about.  Of course you have to worry about someone going to the website and using a buffer overflow or something to force their way in, but forcing at least 8 characters with at least one capital letter that's not the first character, plus at least one symbol, plus at least one number, and then requiring the user to choose a new such password every three months, seems to be almost exclusively aimed at brute force attacks.

[ChadTower]

Meh.  It seems that way but the math in that comic was indisputable.  I have never met a security admin or network architect worth a damn who doesn't get that.  I have no idea why we're still seeing standards like we do.

[newmanfamilyvlogs]

Because they don't get to truly be in charge. They just follow what the higher ups say.

[shmokes]

Meh.  It seems that way but the math in that comic was indisputable.  I have never met a security admin or network architect worth a damn who doesn't get that.  I have no idea why we're still seeing standards like we do.

Oh, I get and agree with the comic. I'm just saying that the comic doesn't go far enough because the comic doesn't take lockout into account.  If the bot can only try 3 passwords per day (as opposed to 1000 passwords per second) the time it takes to guess a password is slightly increased.  And since account lockout is pretty much ubiquitous (and anyway just as easy easier to implement than ever-changing password complexity requirements), that is the world we are dealing with, not the actually far more dangerous world depicted in the comic.  In short, the situation is even so much more absurd than the comic illustrates.

[Vigo]

No matter what IT just doesn't really care, they just put on a show for the execs. If the CEO thinks everything is more secure by forcing everyone to write jibberish for their passwords, IT will accomidate.

Generally, IT doesn't give a crap as long as it doesn't make work for themselves. They are too busy helping the idiots all day. I got a new computer at work this week, and they accidently left the administrator account loged in. I went in and elevated my account to administrator level. IT noticed when they when back to install some applications. The IT guy said "Huh, you are not suppose to have admin privileges." I replied, "Nope, I'm not".

The conversation ended there. I still have an admin account, and probably simply because the guy knows I'm not some idiot who manages to break their computer every week.

[Vigo]

I made myself an admin, and the IT guy noticed because he could install programs on my account and then noticed I could access the admin user folder. Unfortunately, I'm still not experienced enough with windows 7 and the UAC rules. I didn't realize that I would have to grant access to my account to give privileges to disabled control panels and certain parts of the registry.

I think i will be bringing in a bootdisc, I don't even have privileges to uninstall stuff that I installed.

[shmokes]

I . . . have no words. Can someone here help me with this?

[Mysterioii]

ReCaptchas have this built-in functionality where they feel that they're helping to digitize books or some such, so they always show two words... a known one and some random text snippet.  The thing is, they don't even know what the snippet says.  All they use to verify what you type is the "known" half of the puzzle.  You can literally type whatever the heck you want for the first or second word (whichever is the random snippet... you can usually tell by the font now that you know what they're doing).

Of course, by typing in junk you're not really helping their project... but when they show you math symbols and images and crap they really can't blame you.

Now, the thing about recaptchas is that it's hard to read the other part too....  looks like you got some r's there, and maybe an n or an m smooshed in there too...    I generally fail more recaptchas than I get right, and that's knowing that only one of the words has to be right...  The other one you got there is lambda sub t of P, but it doesn't matter, type a single letter or whatever bit of profanity you like...  

Edit:  I shoulda read the first page, where PBJ said exactly what I just said.  Also interesting that you guys said it didn't work.  I've done it lots of times.  Of course like I said, sometimes the one they're really trying to test you on is so illegible and run together that you can't tell what it really is.  There are several forms of captcha though, and I believe this only applies to recaptcha.  They're the ones working on that project.  As far as why it sometimes gets completely random crap, I assume that's just a byproduct of the code they use to parse things out.  I'm sure they're just plugging scans into software and it's supposed to parse it automatically for them.  When there's math symbols and images their algorithm likely fails.

Here, you can try them direct from the source as many times as you like.  I just tried a few... typed complete garbage for the words that were more clearly scans.  Told me I was correct every time.

https://www.google.com/recaptcha/learnmore

Ah, just saw that PBJ said you only have to type "the more legible word" correctly.  That's not quite correct.  You have to type the wavy/distorted one correctly.  Sometimes the "decoy" portion is very legible.  There will be one weird wavy distorted word and one word that looks like a scanned word (or symbol, or image, or random garbage).  You type the distorted one correctly....  if you can make it out.

[Blanka]

The most annoying thing about captcha's is no the Captcha, but all other fields. If you miss out one item that the form does not like, you have to solve another captcha puzzle. Please change your forms: if you do one captcha right, remove it from the form!
The other stupidest thing in forms is 2 FRIGGIN EMAIL FIELDS. WHY DO I HAVE TO WRITE IT DOWN TWICE!!! IT IS NOT A PASSWORD THAT I CANT SEE DMMT. Even worse: forms with 2 email field that have some FRGGN JAVASCRIPT TO PREVENT COPY PASTE. THEY SHOULD KILL THOSE PROGRAMMERS in a back alley. IT IS 2012 version of FAIL RETRY ABORT, or the other STUPIDEST THING EVER IN COMPUTER LAND: THE CANCEL BUTTON ON PASSWORD ENTRY DIALOGS!!!!! CANCEL DOES NEVER WORK!!!! It gives the exact same result as submitting the wrong password, where it should do one thing: CANCEL the FCKN password routine!!!!!!
I'm running away with myself with this dumb nonsense. Sorry for that.

[hypernova]

U mad, bro?

[Blanka]

Yes, life sucks with 200+ password accounts, all with different password rules.