6 comments

[ 3.0 ms ] story [ 28.7 ms ] thread
That is a retarded captcha. You have a 1 in 6 chance of randomly guessing the first picture right, and then a 1 in 6 chance of getting the second picture right.

So my automated script needs to perform an average of 36 attempts in order to break through the captcha. Whoever built that system doesn't understand captchas.

Your concern is somewhat valid although if someone is making 30 plus attempts to submit a form can we not assume it is a bot? We have made a configuration interface to allow users to increase the number of possible response photos if they are security paranoid.
I'd probably use just use Tor or similar to make all requests come from different IPs. You don't need to increase the number of pictures by a couple, you need to increase the number of possibilities by several orders of magnitude.

A traditional captcha with 6 letters/numbers has 2,176,782,336 possible combinations. Not 36. The whole point of a captcha is that there is a large enough set of possibilities such that you can't just get it right by guessing randomly a few times.

You are missing the way people break captchas... it is not because they have super cool software that can read the captcha, have a huge database of hashed portions of a particular captcha softwares library or make blind random attempts that would set off any simple limits ( although some have 1 and 2 ) it is because they build technology that sends the webpage to an outsourcing house that performs the actions remotely. I know of one with 200 FT employees each shift ( 24 / 7 ) that solve on average 4 per minute per employee.
If someone is making 30+ requests from distinct ip addresses in their botnet, you won't even suspect they're related.
reCAPTCHA is bar none the way to go. Not only is is robust, but it also serves a useful purpose---it uses user answers to the reCAPTCHA to digitize books by having users recognize text from scanned books where OCR would perform poorly.

http://www.google.com/recaptcha

If your captcha doesn't serve a useful purpose besides being a captcha, it's going to be hard to beat reCAPTCHA.