Captcha 2.0

[yendi]

The hell with trying to identify mangled letters and numbers.

Prove that you know the difference between a cat and a dog to pass as human!

Comments

[emilytheslayer.livejournal.com]

I like being told I'm a human! It's cute and kind of fun and every captch comes with it's own kitten chaser! I approve.

Cute idea, though

[allah-sulu.livejournal.com]

Since there are twelve images, and each only has two states (cat or not cat), there is a one in 4096 chance of guessing the correct answer...

And since there are so few combinations (compared to, say, a sequence of six letters, of which there are 308,915,776 possible combinations) this method would be easier for brute-force bots to hack by guessing all possible answers.

Re: Cute idea, though

[wishiwasnt.livejournal.com]

Except that it picks new images and reshuffles each time you submit. You can't brute force it.

Re: Cute idea, though

[allah-sulu.livejournal.com]

But if you have a 1 in 4096 chance of guessing correctly each time, then you're still more likely to guess it over time than you are to guess when there's a 1 in 308,915,776 chance of success.

If you can't guess each combination until you hit the right one, then you keep guessing the same combination until that one just happens to be the correct one.

So you can still brute force it.

Re: Cute idea, though

[wishiwasnt.livejournal.com]

Ah, now I see what you're saying.

Re: Cute idea, though

[allah-sulu.livejournal.com]

According to the How secure is Asirra? (http://research.microsoft.com/asirra/security.aspx) page: "if we see more than 500 failed HIPs from a single IP address in a single day, we put that IP into a "penalty box," scoring all HIPs as wrong until several hours elapse."

If you make 500 random guesses, there is a 11.4927057% chance that one (or more) of those 500 guesses will be correct. From a security standpoint, that's an awfully high number. That's from a single 500-attempt brute force attack from a single IP. If the site trying to get in uses multiple IPs and/or waits for the "several hours [to] elapse" before resuming the attack, they are certain to get past the security in relatively short order.

For sites like LiveJournal, you only have to pass the test once in order to create an account. Once that account is created, you can get back in at any time. This is extremely common, as the typical user is not likely to put up with being forced to take this test every single time he wants to access a site. The dog/cat test might be cute once, or even twice, but every single access, all day long, day in and day out? Not likely.

4096 possible combinations are simply not enough for any serious security system. That's only twelve bits, at a time when HD-DVD has moved from forty to 128-bit encryption. (For all the good it's done them, heh.)

[yud.livejournal.com]

Having that "Adopt Me" link under ever photo seems like it defeats the purpose of the whole thing, since if you follow that link it brings up an info page with "Dog" or "Cat" right up at the top.

[terracinque.livejournal.com]

At last my days of failing Turing tests are behind me!

[mere-bystander.livejournal.com]

I like this much better than the mangled numbers and letters, but allah_sulu has a point.

[ewin.livejournal.com]

That's just COOL! I would totally look at pictures of cute cats and dogs to prove that I'm a human.

[phantom_wolfboy]

I now have positive proof of my humanity!