177 comments

[ 3.9 ms ] story [ 285 ms ] thread
THIS is the captcha I've been looking for all these years!
Cool! Music is a bit too much, but it's great that it can be turned off.

Link to repo: https://github.com/vivirenremoto/doomcaptcha

I enjoy the music, but when you click to start, if there were two buttons it would be nice: click to start (silent) and start (with audio)
Websites with auto-play.

Always a joy at 0:16am when everyone's already asleep.

Amazing! This opens so many possibilities for captchas.
It's good. Now if only I can get a version of this where the user has to punch the monkey to solve the CAPTCHA... ;)
which hamsters are ACTUALLY dancing?
Close all the pop-up windows to proceed.
We had this type of CAPTCHAs before we knew they are called CAPTCHAs.
As long as I don't have to click a damn bus or find the traffic lights again I'm all for it.
If you are on desktop, when clicking the "I am human" checkbox, hold your mouse down for a few seconds, and move it around just a touch for good measure, before letting go. This is usually enough to convince the system you are human and it skips the image hunt.
This is great. Do you have any more tips about how to be more human?
Be lazy when clicking the images. Mailboxes are parking meters.
Look if the site has an option to use the noscript recaptcha (you might be able to force it to appear by blocking scripts). That one's much easier: as long as you get it right it lets you through, and you always have to select three squares (none of that "keep clicking until there's no more matching" garbage).
Unfortunately this is becoming fairly rare, I haven't encountered one in ages.
The first set is all you really need. Answering the second set (if presented) with completely wrong answers will usually cause you to pass. Wild guess -- perhaps ReCAPTCHA is checking for mouse movement and other behavioural heuristics after the initial test.
Have you encountered the CAPTCHA from this monstrosity of a company called Arkose Labs? I don't get angry but I was trying to redeem gift cards for an elderly relative and I was shouting and gave up.

Not sure if I am allowed to paste links but search for "arkose labs reddit" or just the name of this company on Twitter. Or search "arkose labs san francisco" on Google and just read the reviews.

Easily the worst captcha there is, it makes you do the captcha 10 times (it says 10 to go after you do the first one) and if you get one wrong it doesn't tell you until the end after you've done them all, in which case you have to repeat it.
Seems like they are afraid of robots.
^This.

That CAPTCHA on Epic Games Store is hell. Worst part being you have to do it all over again if you fail even once and that one is enough for me to not login.

You can click whatever you want. Every captcha I’ve done in the last year says I missed something, then lets me pass. If I just click on trees and rocks, same thing, it lets me past. I think all they are doing is deeply fingerprinting you and the image matches are a red herring
Hitboxes are off, headshots don't count :(

Also, I was hoping for a full 3D FPS version with canvas etc.

Do you remember the Quake 3 hitbox (it was only one for all models), especially after a jump pad? Quake Live fixed most of these issues but back than things were pretty bad. Still way ahead of everyone else but yeah... it wasn't perfect
I remember the original Unreal Tournament had very large head hitboxes. It would trick you into thinking you had a great aim.
Headshots in doom 1, the game that had auto aiming and no ability to look up originally? Also, fully 3d might make it slower to load in case somebody actually wanted to use this for real. I played a webgl doom clone once that lagged like crazy
If the aiming in this was only on the x axis, then what you said makes sense. Otherwise, I agree with OP, hitboxes are off.
Yes.

Doom/II/Heretic/Hexen were 2.5D. That makes it easier to run on a 386 with fixed-point math, BSPs, and efficient z-buffers without busting out single-precision quaternions and 4x4 transformation matrixes. :)

Interestingly, Rise of the Triad, based on a modified Wolfenstein engine, is semi-3D with elevation changing.

Auto-aiming in the vertical axis only, IIRC it shot randomly all over the enemy. Enemies only had so many angle sprites IIRC and weren't really 3D.

https://doomwiki.org/wiki/Doom_rendering_engine

There's a much better treatment of the Doom engine in Michael Abrash's writings, esp. Graphics Programming Black Book Special Edition. Trivia: his assistant once mailed me a replacement CD-R of the CD I lost from the paperback edition. I lose everything. Hehe.

PS: one of my favorite profs teaching a graphics course: http://www.infocobuild.com/education/audio-video-courses/com...

This guy is hilarious and awesome for having a Monty Python question on a final exam: https://cs.ucdavis.edu/directory/matthew-farrens

Ran into Sean all the time at Ace Hardware. Also, he got busted for living in his VW in a parking garage. I love that guy. https://cs.ucdavis.edu/directory/sean-davis

Have to brag about awesome profs/lecturers.

> headshots don't count :(

And if count then they shall provide admin access I think.

Just took a break from playing Doom Eternal to find this, it's so cute! The simple embed is a great idea too, I hope as the internet starts to decentralize we'll see more fun things like this floating around.
People think they can't figure out which images have stop lights, crosswalks, or bicycles in them now, wait until they introduce the Marauder Captcha.
The Cthulhu Captcha tests whether the user becomes insane upon viewing it.
The music is terrible - (gives me 90's website MIDI audio PTSD :P) - but it's a cute idea.

Would this actually be an effective CAPTCHA? E.G. Security-wise?

Also, speaking of 90's-internet PTSD, I actually almost mistook this for a spam banner ad knowing already what I went into. Wayyy too many of those 'punch the monkey' or 'shoot the duck' animated banner ads that didn't even care where you shot. :P

Generally something that can be deterministically scripted to work around won't work well as a captcha:

https://imgur.com/a/mbLnTH7

Here I'm just clicking the entire row of pixels four times.

Even if you fixed that (perhaps misses could trigger a failure), then you still need to create a problem that's hard for a computer to solve .. finding the monster seems pretty straightforward.

That's just the original DOOM music (first level, E1M1) on a Sound Blaster AWE32 or something similar, so it's completely accurate.
MIDI FTW.

GUS Extreme, MT32, and SB16 Pro (or AWE64 Gold) with a Wave Blaster I or II, and you're set for the basic flavors of MIDI. Maybe an Ad Lib for extra vintageness and a Turtle Beach Multisound Pinnacle too.

Guys, I didn't mean the music itself was terrible, I meant the fact that music was included to be auto-on to start in web content produced post-2002...

I would have personally put the audio as off by default, with the little icon to set it to on. :)

I am fully aware what the DOOM soundtrack sounds like an my complaint is that there is audio at all - especially on by default - and that it reminds me of those awful websites from the 90's that did this.

Are there any browsers which prevent auto-starting of music/sounds or extensions that do such?
I get your point - it was way too loud initially and would quickly get annoying after the second or third time if it was being used as an actual captcha.

That said, the music is what really sold it for me. How better to perfectly highlight the absurdity of proving your humanity by going on a virtual demon-slaying spree than dropping you right in the middle of a retro 90s metal cacophony!

While this is too simple (even the website admits that a bot could be written in virtually no time to break it), it does make me wonder if you could have a WarioWare CAPCHA. A minigame with extremely vague description that you have to react to quickly to pass.

Thinking about it some more it fails the primary criteria for a CAPCHA: it needs to be harder to write the bot that cracks it than each test case, by at least a couple orders of magnitude. Otherwise bot makers will just create custom bots for each contingency. They have more time and funding than you do.

Perhaps you could generate the games/descriptions from parametric components.
This is a great patent esque idea. I thank you good sir, now to see if I can steal it as my own.

It also reminds me of only Konami able to have mini games in loading screens.

I believe that was Namco (as evidenced by the Ridge Racer PS1 loading screen).
Things that require quick reflexes are probably easier for a computer.
WarioWare games aren't twich reflex games. They'll do something like show a bomb with a lit fuse on the screen and flash a single word like "blow" and you have to quickly maneuver the mouth of the character next to the fuse and press the button before it explodes. It's about comprehending the situation quickly, the actual action is extremely simple and low fidelity.
Have the CAPCHA require properly constructing a nonlinear programming problem to solve an optimization problem, where the requirements are not expressed in terms of the NLP and the human has to design it.

Which would have the side effect of putting the bot makers to work on useful and hard problems to solve.

Good idea! To prove you are a human, mine three Bitcoin.
Spam and DoS prevention were actually the original purpose of Proof of Work. Hashcash, the first (I think) anti-spam PoW algorithm, was what Bitcoin's PoW algorithm was inspired by.
Why not something computationally expensive? Bcrypt this value 10000 times to continue
Ideally you'd have something that's hard for the client but easy for the server to verify, though. so maybe prime factoring?
Or, the server provides a random string of bits with length n and requires a string of bits with length n+m that starts with the provided n bits and whose SHA-1 hash begins with 20 zero bits.
Spammers use botnets, so they have plenty of computation available
And if every site does this, they have plenty less. Imagine if you can only attempt your spam 20 times per second instead of 20000
Imagine when a miner is used as Captcha and would only pass when a certain amount has been mined..
The trouble with anything designed to prevent computers from understanding something, while allowing humans to understand it, is accessibility.
That's easy. Just partner with the CAPTCHA crackers and share revenue from your accessible users.
The DOOM Captcha is just using html/css/js so it's easy for bots to crack with simple DOM querying/manipulation in an automated browser. But what if canvas was used instead?

> A minigame with extremely vague description that you have to react to quickly to pass.

I dont know how advanced current bots are at breaking captchas these days but if you're using a canvas then they would have to use some kind of image/video processing and recognition and then also know the rules of the game. Just curious if using canvas would make things harder for bots. Maybe it's already been done, I have no idea

Yeah, I was really surprised to see it was basic DOM. Canvas version wouldn't even be that hard to do. And yes, it would definitely be breakable, but at least not with a javascript onliner.
I believe a simple JS browser extension or automation script could easily ask about every pixel in the canvas. For this case I suspect it would be very easy to iterate over each row of pixels looking for a few consecutive pixels that uniquely match the monster and then trigger a click on those coordinates.
For traditional text captchas, bots are better than humans. Flow usally goes, pay humans to solve 50000 ($500) then train an ML model. For things like recaptcha things get harder because it is not easy to proxy the captcha puzzles to have humans solve them (which is nessary to collect training data).
Why do you need to proxy anything? If you're just collecting training data, seems easy to record the interaction with a browser extension?
Because I want to pay people in the 3rd world to solve them for me. There are a bunch of services that take crypto or PayPal and solve captchas with humans. Using those systems requires you download the image, send to service, get response (proxy is not 100% accurate)
> The DOOM Captcha is just using html/css/js so it's easy for bots to crack with simple DOM querying/manipulation in an automated browser.

I mean, if you're looking at it at that level, it's just giving a "didn't pass" callback. A bad actor could just ignore that, and not care about it.

Without some sort of server side verification of the result, it doesn't really matter how difficult it is to script through the game itself. Even some crazy hard game in canvas isn't any more difficult for a bot to script around, if the server doesn't have any way of knowing anyone actually jumped through the hoop.

Probably by grabbing a pixel of a monster and "clicking" on it. Pixel bots are as old as time. Learned about then playing runescape as a kid but never wanted to be banned. My friend made a few for fishing and woodcutting
>just using html/css/js

I think a problem is if it's all client side it would be quite easy for hackers to much about with. Now maybe if it sent the mouse movements and target positions to the server it would be possible to tell human movements apart in a way that was quite hard to crack?

It mostly depends on what you are trying to protect with your CAPTCHA.

When I managed a small phpbb forum, all I had to do was to change a few lines in the register page to make it non-standard and it stopped all bots. Better than the built-in CAPTCHA. Simply, no one cared enough about our forum to write a specialized tool, no matter how easy it was.

If it is all you have to protect, go ahead with your clever ideas, it can add a bit of flair to your website and stop bots effectively. For accessibility, you can always deal with special requests manually.

The problem is entirely different if you are Google. People will spend months trying to break your CAPTCHA for fun and profit. Hand crafted problems will be solved faster than they can be written so "bot vs bot" is essentially your only option.

I am on a forum with like 20 other posters and bots were stopped by the addition of a call/response field. Nobody who wanted to register would forget the classic response, but no bot was going to be able to answer it without some pretty specific google fu
How does that work if you want to grow your hobby or group?

And if it’s something between friends why not use a private whatsapp group or IRC

The one's I've seen are not difficult questions. I.e if it was a forum for some TV Series fandom, a question could be 'What is the main character's name?'
Speaking for myself, if was a little bigger than 20 members (around 100). The thing is that we wanted to keep the forum open to everyone, at least for the public parts. That's why I went with invisible tweaks (mostly just renaming fields) instead of a challenge.

But I could have came up with a challenge that anyone interested in our forum would have known. We were a rhythm games club, so a questions could have been "We organize a tournament for this game, in 3 letters". Anyone who heard of us would know it is DDR (it was our main event), and for those who didn't, all it took was a quick look at our website.

And even if it is just a hobby, you don't get the same thing from a forum compared to a WhatsApp or even a Facebook group. In fact, a few years after me and all the geeky admins left, they switched to Facebook, which completely killed the already dying online community.

Maybe nowadays we could use a Discord server, which does a bit more for a community than an WhatsApp group, and is more accessible than IRC, and saves history.

Another great thing about the forum is that I still have a backup from the time I still had admin rights, and I could bring it back to life on a private server with some friends, even though the club is now completely dead.

Memories are not lost, except for most of the external links (ImageShack...).

> Anyone who heard of us would know it is DDR

Heck, I've never heard of you lot but I immediately guessed DDR. Man I miss competing with randoms at the arcade in Brisbane city

My first thought would have been Osu or EBA (Elite Beat Agents), different type of rhythm game.
ITG is three letters as well though.
It's an offshoot forum of a video games guild subforum built from another larger forum. It's not going to grow (indeed, it is dying / dead at this point).

All things must pass and all that.

I can confirm that just a simple modification to the standard registration form keeps out all bot spammers. If your forum or bug tracker is small enough, that will eliminate all spam. The built-in spam countermeasures like CAPTCHA's seemed worthless from my experience.
Small enough being the operative word, since it only takes one person to write an OpenBullet config for that form.
When I managed a purely Danish forum, i simply added a textbox and asked the user to write ‘æ’ in it. Never saw any spam after that.
I feel like you could have just asked them to type 'a'. If the threat was automated bots, all generic ones are defeated by a simple "do X" request. Especially if the request was in text, where a lazy human attacker could just copy paste.
One of our public facing systems I put up a silly "what is the capital of x country?" While we waited on some other stuff. I think it's still in production.

And to my knowledge no bot has gotten past it or even bothered.

That filters out all Americans as well.
American here. I've never heard of country X!

/s

we ask similar questions in my EMS (Paramedic) job to patients to determine if they're alert & oriented. Most providers ask name, year, location, president or something similar and many patients are used to being asked routine questions. I like to see if they can answer stuff like "Name a large city in Florida."

Human captcha. :)

Springfield! Never can be wrong with that name.
And to keep out all the Swedes and Germans...
They couldn't copy-paste 'æ'?
Again, it blocks people who are not going to tweak their bot specifically for YOUR forum.
This is the best comment, by far. Of course we can have lots of brainstorming about other fun captcha-ish constructions, but the key question is whether they satisfy their purpose, which is to filter machines out and only those.

In low scale settings, if it's a place almost nobody knows, then this works, but many approaches work like just asking "What is 1+1?". Scale is low, no bot writer will bother to adjust.

In high scale, high visibility, none of this works. The incentive to break your captcha is so high that you'd need to basically construct a reverse turing test. You need to assume that the attacker is very powerful and very smart and will spend months custom tuning their solution to vreak your captcha. This is really hard and how to do it is the interesting discussion.

In summay, the setting matters. If it's the first one, we can debate toys all day long but they only have entertainment value. If it's the second then this is really hard and state of the art is to click pictures with traffic lights.

While I know this is a fun captcha, it does bring up a problem I'm having more and more with the web and mobile. There's no way my mom would ever be able to handle this captcha. Heck I didn't even get the 4 kills on the first one and I regularly play FPSes (I used a trackpad for this).
Minecraft is devilishly hard for reinforcement learning. You could have a captcha like "build a neat-looking fortress to prove you're human."
How do you validate whether the fortress was “neat-looking”?
You could train a classifier on all neat looking fortresses, then run outputs through the classifier. But you'd measure the cosine similarity to all previously-seen activations, and discard any that are too similar -- thus making sure that people need to come up with unique neat-looking fortresses.

Today's stupid ML idea has been brought to you by: Gabe Newell. Inspiring future ML devs since 1996. A word from our sponsor: https://www.youtube.com/watch?v=jpw2ebhTSKs&ab_channel=TheCh...

But then anyone else can do that and write a neat fortress generator trained to produce outputs that pass the neat fortress classifier.
Hello! I'm Miquel the author of Doom Captcha

Thanks jukkakoskknen for sharing it on HN and everyone here talking about it, I hope you enjoy it :)

It wasn't clear in the documentation, but should I take this too seriously?
This is awesome. Just wanted to say "Thank you"!
The only criticism I have, is that your timer is too fast.

I can listen to their demands and negotiate a peaceful, mutual benificial resolution. After that we can establish a framework to resolve hostilities. But when I want to talk about free trade and opening borders to exchange goods... the timer runs out.

I was expecting 2.5D and weapons switching. ); Lol, gj. :-)
Please show that P != NP to prove that you're human. (500 characters remaining)
if P = NP, it logically follows that NP = NNP, and NNP = NNNP, etc. this violates the law of conservation of energy, qed
Easier proof:

Assume N != 1.

yes although technically my proof also proves that X != 1*X, so it's more broadly applicable
(comment deleted)
Let the proof of P != NP be A, where A is a proof expressible as a finite bitfield. The proof requires induction over an infinite sequence of proofs. But there is no mechanical way to move from the nth to the "n+1"th proof. Plus, "Galois", Gödel, Reimann and other intimidating names. QED.
I‘d rather solve Super Turbo Turkey Puncher 3.
I failed this 3 times in a row as a human (I promise) on a touchpad.
Nice try, Mr Robot. :)
Am I the only one that has a problem with audio that defaults to maximum volume? Amazon does this too. But I keep my default to a volume that lets me crank up soft stuff enough to be audible. For pages like this, the sound just about makes my ears bleed before I can mute it.
Yeah it is awful, I should just turn down Firefox to low and watch all videos on VLC
You can use browser permissions to allow/deny sound privileges just like with JavaScript
My pet peeve of these is not the volume being too high (which they normally are), but the lack of volume control on web/desktop.

Unfortunately it would be more and more common as the mobile world take the dominance.

Firefox already displays a small speaker icon on each tab playing audio that can be used to mute it. A nice addon could display also a volume slider when hovering above it with the mouse, therefore allowing volume control.
Volume control there would require an additional audio buffer which adds unwanted latency to any conference or gaming applications.
No. This is a problem in a lot of places.

See: Every video game ever made with audio settings locked behind a 2 minute unskippable cutscene.

I don’t, the “volume” adjusters on websites are all ... fake?

There are several layers of volume control but the last one on the stem level is the only real one (ok maybe one more level on a physical speaker amp if you have it)

Application levels can only cut dynamic range by adjusting volume, i would expect the default level to be full, if i want something quieter i’ll turn down the system loudness

The nominal loudness of a sound is sometimes inconsistent but that is on the sound mastering level not the application level.

I get annoyed when sites don't have things at their maximum volume, and I keep all my applications at the max too, unless I need to mute one. The master volume is the only thing I touch regularly.
This but with video games. 90% of them default to every volume being set to 100%. They're always so damn loud, I usually use windows Volume Mixer to set them process to 50%, then go in and tweak individual stuff in game.
I'm not sure how I'd cope without a volume knob right there on my desk. Having to tab out and adjust the OS audio sliders would drive me mad pretty fast.

It's almost my prime reason for having an external DAC.

What this highlights is that CAPTCHAs/Security can be fun and not a never ending drag. Yes, this one is easy to break, even the author says so, but it's a fun concept. I hope this spurs a bunch of new thinking on what security can be. Miguel, GREAT JOB!
The music made this a hostile user experience for me. No thanks.
My hands went straight for the arrow and ctrl keys, assuming it was real DOOM controls. I was disappointed :)
This is fun but quite literally the opposite of what a captcha should be. I bet a bot will be able to solve this far easier than my grandma ever could.
I recommend reading the description in the link that mentions that concern is acknowledged.
I did read the description, but that doesn't make the criticism any less valid.
Makes it less valid because it was already answered.
Interesting. Fundamentally, I believe CAPTCHA, and attempting to distinguish humans from computers is pointless. I think it's better just accept it and design applications accordingly.
I don't understand. How would you propose protecting a website from DDoS attacks? What sort of design would address that?
A reputation system that grew from captcha and was eventually self referencing - so high rep IPS could vouch for other unknowns. Assumes most people's IPS remain static though.

I realise parent commenter was probably talking about identifying upfront.

Avoiding DDoSability of your app (removing bottlenecks, scaling up replicas, implementing rate-limiting, etc). There are probably some rare cases where captcha is useful, though. For example some account creations where you wish to have more human accounts created, especially if you need to later manually approve them by humans (verifying documents, etc) and don't want to deal with thousands of cat photos instead of passport scans.
It took me 15 tries to finally pass it with my touchpad. I almost broke out my mouse just to pass!
I know it's a bit of fun and kind of a joke.... but, makes me wonder:

What will happen some day when solvers and bots get so smart and human-like (and the CAPTCHAs evolving to keep up, with harder and harder tests) that the technology "have nots" human beings of our world will not even be able to prove they're human any more?

Will not happen. Machines are problem solvers not problem creators unlike humans.
exactly. Captchas should just ask the user to design... CAPTCHAS
Thats a lot of work just too look at funny cat videos.
Maybe the tests will move from requiring some precise correct answer to instead requiring randomness that machines can't yet generate. It would be similar to the captcha that asks you to click inside a box and analysis not the answer but how you do it.
> What will happen some day when solvers and bots get so smart and human-like (and the CAPTCHAs evolving to keep up, with harder and harder tests)

Mission accomplished https://xkcd.com/810/

the problem is when they learn to write constructive and helpful comments that are also propaganda
If you were walking through the desert and came across a tortoise on its back, would you help it? If so, what would it take for you to not help it?
"Please prepare yourself for the blood test."