Captcha identify

[Ian Kelly]

On Wed, Aug 13, 2014 at 1:43 PM, Chris Angelico <rosuav at gmail.com> wrote:
> There are alternatives that are both easier for legit people and
> harder for spambots. Some rely on the fact that humans read things two
> dimensionally, and scripts look at the underlying structure; so, for
> instance, random field names and cunning CSS to match them up with
> their labels can result in a form that's completely messed up in the
> source, but looks perfect to a user. Or you can put extra fields down
> that you can't see if the form's laid out properly.

Chances are that if these tricks mess up a spambot, they will also
mess up a screen reader.

> Or you can combine
> those sorts of tricks with a very simple challenge-response, like
> "What is one plus one?" that requires some specific value to be in a
> specific field - and if that value occurs in the wrong field, you
> throw the form back to the user.

If I ask my phone "What is one plus one", a very nice sounding voice
will tell me that one plus one is two. It takes some cleverness to
come up with a question that is likely to stump a machine but not
deter a human, so the pool of such questions will necessarily be
limited. Meanwhile, all the spambot has to do is flag the question for
a human to answer and store the answer somewhere, and the question is
now useless.

> For some reason, everyone's jumped on the "show some mangled
> text/numbers and ask the user to enter them" bandwagon, in the same
> way that everyone has gone for passwords that require
> lower/upper/digit/symbol and (in the most annoying cases) are actually
> length-limited to something stupid like 12 characters. Yes, maximum,
> not minimum. Grumble.

I've seen some captcha systems that I couldn't solve after a dozen
attempts, and I have no serious vision problems. It's a problem with
no easy solution, and as computers get more powerful the intersection
of {problems machines can't solve} and {problems humans can reliably
solve} grows ever smaller.