Network Security: Detailed info on Re: Defeating CAPTCHA

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Web-App-Sec

[Top] [All Lists]

Re: Defeating CAPTCHA

from [Michal Zalewski] Network Security

[Permanent Link]

Subject:	Re: Defeating CAPTCHA
Date:	Fri, 26 Aug 2005 16:12:07 +0200 (CEST)

On Fri, 26 Aug 2005, Subs wrote:

For instance a picture of our planet, with text overlaid something like
"3rd Rock From the Sun", "Home" or "Planet" with a question like What
Would You Call This?


Probably a so-so idea, for a couple of reasons:

  1) Answers limited to dictionary words or trivial phrases; susceptible
     to brute force attacks with a chance of succeeding (you would
     realistically have what, 500-5000 options).

  2) The attacker who gets a hold of your image database and associated
     terms can attack all installations rather easily - whereas random
     character, random modification captchas are harder.

  3) Computers can and do succeed at recognizing simple objects on
     photographs or images, so even without the image database (but with a
     thesaurus), this can be attacked.

In the short run, sure, it sounds more impressive; in the long run, it may
be even more useless than text captchas.

Cheers,
/mz
http://lcamtuf.coredump.cx/silence/

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
RE: [WEB SECURITY] Defeating CAPTCHA, (continued) RE: [WEB SECURITY] Defeating CAPTCHA, focus RE: [WEB SECURITY] Defeating CAPTCHA, Michal Zalewski Re: Defeating CAPTCHA, Jayson Anderson Re: Defeating CAPTCHA, Mark Burnett Re: Defeating CAPTCHA, Chris Shiflett Re: Defeating CAPTCHA, Jayson Anderson Re: Defeating CAPTCHA, Andrew van der Stock Re: Defeating CAPTCHA, Stephen de Vries RE: Defeating CAPTCHA, Glenn Euloth Re: Defeating CAPTCHA, Subs Re: Defeating CAPTCHA, Michal Zalewski <= Re: Defeating CAPTCHA, Paul M. Re: Defeating CAPTCHA, victor RE: [WEB SECURITY] Re: Defeating CAPTCHA, Marian Ion RE: Defeating CAPTCHA, Derick Anderson Re: Defeating CAPTCHA, Devdas Bhagat RE: Defeating CAPTCHA, Derick Anderson RE: Defeating CAPTCHA, wilsonc

Previous by Date:	Re: looking for stats, Andrew van der Stock
Next by Date:	RE: Defeating CAPTCHA, Derick Anderson
Previous by Thread:	Re: Defeating CAPTCHA, Subs
Next by Thread:	Re: Defeating CAPTCHA, Paul M.
Indexes:	[Date] [Thread] [Top] [All Lists]