Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a challenge response method to prevent robots from entering information on web pages and sites. The use of CAPTCHA is normally intended to prevent spamming of sites or attempts to break into accounts.
There are many CAPTCHA methods. Some are stronger than others but every CAPTCHA has drawbacks and weaknesses. It is not actually possible to have a completely effective CAPTCHA test. This is because it requires a machine to determine whether a machine is attempting to use machine controlled (automated) services. To break a CAPTCHA test only requires an adjustment on the part of the attacker. The CAPTCHA test machine will need to record or have a machine trackable method to determine correct answer matches to questions. Once the attacker determines those question/responses, they can enter the information into their database and attack the site at will. Most, if not all CAPTCHA tests will have limited effectiveness into the future since computer technologies can adjust to them. Therefore I recommend that no site completely rely upon CAPTCHA for protection against spam and account brute force attacks. Rather use email confirmation and lockouts against repeated attempts againist single accounts or detection of multiple hits against the site from one source.
CAPTCHA methods that I have studied or considered include:
Identification of graphical images
Comparison of two graphical images identifying something common to both or exclusive of both.
Identification and entry of skewed and warped text.
Requiring the user to type an audio message back.
Riddles, patterns, and word association:
Users may need to answer some questions involving pattern recognition similar to an IQ test
Users solve a riddle such as _ is to _ as _ is to _.
What word rhymes with _______. Multiple choice.
Next number in pattern. 1,2,4,8,_ 1,4,9,16,25,_ 1,3,5,_ odd numbers, even numbers
Drawbacks to some of these methods include the fact that many captchas do not allow for use by handicapped people especially blind people or those who cannot hear.
Pattern Matching CAPTCHA
Answer the pattern
x, X+Y, X+2Y,
X, X*Y, X*2Y
X, X-Y, X-2Y
X, X/Y, X/2Y
Add(subtract) X(twenty) to the smallest, largest number
Series of numbers squared 1, 4, 9, 16, 26, next?
3,5,8,13,21,34 - Add the last two numbers
A number not belonging where the number is odd or even and the rest are the other type
With pattern matching answers can and must vary by time and should not be limited. There should be enough answers that an attacker cannot store them in a table. However, if a computer can generate and recognize the correct answers, then an attacker's computer can do the same.
Word Association CAPTCHA
Word association CAPTCHA tests can be a somewhat effective deterrent to machine entered data. There are several methods that can be used and if done correctly, there may be many question answer combinations.
List many animals or plants and require the user to identify which ones are of a specific type such as mammal, insect, lizard, etc. (multiple choice question using checkboxes)
List many animals or plants and ask the user to identify the one of a specific type. (single choice question using a radio box)
List an animal or plant or item, and ask the user to identify characteristics (from a list) such as animal, warm blooded, mammal, four legs, domestic, wild, land dwelling, water dwelling, bird, etc.)
Animals may include horse, cow, sheep, goat, llama, dog, house cat, whale, porpoise, lion, tiger, elephant, zebra, bear, deer, moose, chicken, turkey, hawk, sparrow, woodpecker, crow, eagle, falcon, owl, alligator, salimander, and snake. Plants may include tree including types such as cherry, apple, pear, walnut, and oak. Plants may also include grass, corn, bean, lettuce, spinach, and blueberry bush.
Using IP address to stop spamming
The problem with using IP addresses to stop spamming lies in the fact that multiple legitimate requests may come from one IP addresses in a short period of time. Where there are large organizations behind a firewall, many valid requests may come from a single IP address. Therefore, some means to detect the session number to the client would need to be used to limit the number of hits in a short period of time that a session can generate. It is easier to require more time between failed attempts or lock an account to prevent attempts to break into accounts. However, prevention of attempts to spam will either require some type of CAPTCHA test, some field to be present that a robot would not tend to correctly fill out, or some other verification such as email verification. Also, limitation of attempts against single accounts does not prevent brute force attacks so long as they are done against multiple accounts on the site.
It is worthwhile to consider limiting the number of times per second the IP address can access the CAPTCHA test page.