DigitalDan.uk
Are You Human?
Some "irreputable" companies use computers to collect email addresses and to use them for inappropriate purposes (e.g. SPAM junk mailing.) For this reason, web developers sometimes want you to proove that you are human. They try to ask a question which a human could answer but a machine would find difficult.
Unfortunately, some machines can solve the problems and many humans find them difficult. These tests are known as CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart.)
This page demonstrates some alternatives to Captcha images. They all have limitations but you are welcome to use or adapt these ideas. If you refresh or revisit this page, the Captchas will change.
Can you read the word in the picture?
How many Hearts can you see?
Please solve this sum ....
What date is marked on the calendar?
What time is is (according to the clock on the screen?)
Watch the traffic lights
1 - Wait until the the traffic lights change to green.
2 - Click on the green light before they change.
Set the clock to this time
four fifty-eight P.M.
Change this text into a number
Click on the hexagon
What number is represented by the roman numerals
What number is displayed in big letters?
What is the forth word in the following sentence?
Why will William walk westwards while wandering when Whelma will wed Walter?
What word is being spelt out?
What is the missing word?
______ February March April May June July August September October November December
On a British QWERTY keyboard
Which key is immediately below the number 5?
Ensure every relevant field has been competed, then validate every field
Ask user to click a specific location on the screen
Computers often complete forms faster than humans. Ignore any attempt to submit complex form within 2 seconds of page appearing.
Remove submit button when page taking unusually high number of hits - a "this page is currently being updated" message could be better than entire site being overloaded
Reject all content containing suspicious words (e.g. Viagra, www., free, cmd, exec, ...)
Replace any suspicious letters with HTML special character sequences or block any input containing dubious letters (e.g. < ` > \ ...)
If you site serves a small community ask a local knowledge question (What is the telephone dialling code for Milford Haven, What is the first word in our National Anthem, Whhat is the first name of our chairman...)
Count the number of bytes being downloaded by all users. Set a maximum count per minute or hour. Shut down your download facility (or entire site) the moment that data download limit is exceeded. (Reduce risk of hacker downloading everything on your server e.g. customer credit card details etc!)
Make sure all credentials can be verified and avoid known risks - (unrecognised MAC address, email address linked to high risk country, email address associated with disposable email provider, request made at time when most of your readers are asleep, IP address on a blacklist, anonymous browsers ...)
If employees have to access site from insecure locations, use a self-destructing password table. There are ways to read username/password combinations used with insecure computers
Before allowing access to sensitive data, ask for random words from a secret phrase. Change the requested words on each request. Never ask for the entire phrase.
Count the number of unsuccessful log in attempts and shut down the page if too many failed attempts occur within a fixed timescale.(reduces the risk of brute force attacks).
Automatically block all remote access to a sensitive page for 1 second after 1 unsuccessful login attempt. Double the time delay for each consecutive failed login.
Wait for one of the following actions to be detected before allowing a form to be submitted - key_pressed_on_keyboard, Mouse_movement, Button_Press, Screen_Swipe, Screen_Touched. Make sure the action could be performed by users of tablets, phones and computers.
Create some "never to be used" email addresses for your company. Include one of these email addresses in any email list sent out to your data processors. When an address starts to recieve Spam, simply close both the email address and your business links with the untrustworthy data centre
Type this word in the box provided
Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch
What letters and numbers are in the box?
What symbols are in the box?
What word is hidden in the box?
What word has been crossed out?
How many triangles are there?
What is the answer to this "simple" sum?
37 times 12355 divided by 1765
Find Rhoscrowther and click the appropriate place on this map
Enter this "Activation Code" in the box provided
Unfortunately, some machines can solve the problems and many humans find them difficult. These tests are known as CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart.)
This page demonstrates some alternatives to Captcha images. They all have limitations but you are welcome to use or adapt these ideas. If you refresh or revisit this page, the Captchas will change.
Can you read the word in the picture?
Find word hidden in image - word has to be obscured and can be impossible for humans to read. Vulnerable to Optical Character Recognition. Many shared servers do not allow sites to generate images because this increases CPU load.
How many Hearts can you see?
Count the shapes - computer can solve with brute-force attack because number must be very small. (Humans would not want to count lots of shapes.)
Please solve this sum ....
2 + 10 =
Solve the sum - computers are better at maths than many humans. Make sure all variations can be solved easily and avoid decimals.
What date is marked on the calendar?
February 2010
| ||||||
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
| 31 | 1 | 2 | 3 | 4 | 5 | 6 |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 1 | 2 | 3 | 4 | 5 | 6 |
Complicated to set up because you must ensure humans enter dates in a consistent format. Humans may not know what to do. Vulnerable to computer trying all possible dates. Watch out issues like Amercan mm/dd/yyyy and English dd/mm/yyyy.
What time is is (according to the clock on the screen?)
Complicated to set up because you need to draw the clock hands. Human may not know what is required. Computer could be taught to solve problem. Need to consider whether am or pm.
Watch the traffic lights
1 - Wait until the the traffic lights change to green.
2 - Click on the green light before they change.
Complicated to set up because you need to check timing and position of mouse-click. Relies on computer not knowing where or when to click. Human may have difficulty understanding instructions. Aninmation may not work on some browsers.
Set the clock to this time
four fifty-eight P.M.
Complicated to set up because you need to set up an adjustable clock. Human may not know what is required (e.g. Setting clock to current time in a local timezone.)
Change this text into a number
four hundred and fifty-five million twenty-three thousand one hundred and ninety-three
Text Conversion - Time comsuming for humans but fairly easy for computers.
Click on the hexagon
Identify an object. Clicking on postion - computers could solve by trial and error. Could cause humans problems. Variations include identifying animals, logos and faces
What number is represented by the roman numerals
MMMCDXLI
Roman Numerals - Computers can convert numbers but many humans struggle with roman numerals.
What number is displayed in big letters?
XXXXXXXX XXXXXXXXX X XXXXXXXXX XXXXXXXX X XX
XXXXXXXXX XXXXXXXXX XX XXXXXXXXX XXXXXXXXX XX XX
XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX
XXXXXXXXX XX XX XXXXXXXXX XXXXXXXXX XXXXXXXXX
XXXXXXXXX XX XX XXXXXXXXX XXXXXXXXX XXXXXXXXX
XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XX
XXXXXXXXX XX XX XXXXXXXXX XXXXXXXXX XX
XXXXXXX XX X XXXXXXX XXXXXXXX XX
This is a variation of the read word in image system. The advantage is that it does not need images to be created on the web server. Text pattern recognition could be used in a computer attack.
What is the forth word in the following sentence?
Why will William walk westwards while wandering when Whelma will wed Walter?
Find the word - Has bad reputation with humans because some companies insert advertising into the search text. Can be difficult for human to decide which sentence or word is required. Computers can brute-force solve by trying every word on the page.
What word is being spelt out?
Animated words - Requires processing to spell out words, hence, answer would be unreadable to many of your readers. (Animation and animation scripts are often switched off.) Computer could solve by looking at animation code.
What is the missing word?
______ February March April May June July August September October November December
Missing word - Relies on sentences that woulld be recognised by most humans, however, different cultures use different phrases and spelling also changes. There is a finite number of suitable sentences hence computers could be taught to solve the problem
On a British QWERTY keyboard
Which key is immediately below the number 5?
Clue
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 0 |
| Q | W | E | R | T | Y | U | I | O | P |
| A | S | D | F | G | H | J | K | L | ; |
| Z | X | C | V | B | N | M | < | > | / |
Find target in grid - Human may not understand what is required. Computer can be taught to solve problem. Human needs to find answers quickly and this restricts security.
Other checks to reduce the number of automated attacks
Hide a textbox from user (or ask them to leave it blank) - computer may not read instructions and could put something in the box.Ensure every relevant field has been competed, then validate every field
Ask user to click a specific location on the screen
Computers often complete forms faster than humans. Ignore any attempt to submit complex form within 2 seconds of page appearing.
Remove submit button when page taking unusually high number of hits - a "this page is currently being updated" message could be better than entire site being overloaded
Reject all content containing suspicious words (e.g. Viagra, www., free, cmd, exec, ...)
Replace any suspicious letters with HTML special character sequences or block any input containing dubious letters (e.g. < ` > \ ...)
If you site serves a small community ask a local knowledge question (What is the telephone dialling code for Milford Haven, What is the first word in our National Anthem, Whhat is the first name of our chairman...)
Count the number of bytes being downloaded by all users. Set a maximum count per minute or hour. Shut down your download facility (or entire site) the moment that data download limit is exceeded. (Reduce risk of hacker downloading everything on your server e.g. customer credit card details etc!)
Make sure all credentials can be verified and avoid known risks - (unrecognised MAC address, email address linked to high risk country, email address associated with disposable email provider, request made at time when most of your readers are asleep, IP address on a blacklist, anonymous browsers ...)
If employees have to access site from insecure locations, use a self-destructing password table. There are ways to read username/password combinations used with insecure computers
Before allowing access to sensitive data, ask for random words from a secret phrase. Change the requested words on each request. Never ask for the entire phrase.
Count the number of unsuccessful log in attempts and shut down the page if too many failed attempts occur within a fixed timescale.(reduces the risk of brute force attacks).
Automatically block all remote access to a sensitive page for 1 second after 1 unsuccessful login attempt. Double the time delay for each consecutive failed login.
Wait for one of the following actions to be detected before allowing a form to be submitted - key_pressed_on_keyboard, Mouse_movement, Button_Press, Screen_Swipe, Screen_Touched. Make sure the action could be performed by users of tablets, phones and computers.
Create some "never to be used" email addresses for your company. Include one of these email addresses in any email list sent out to your data processors. When an address starts to recieve Spam, simply close both the email address and your business links with the untrustworthy data centre
Captcha Gone Wrong
Whilst these may be extreme examples, I hope they illustrate why you should think carefully when designing Captcha systems.Type this word in the box provided
Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch
What letters and numbers are in the box?
What symbols are in the box?
What word is hidden in the box?
What word has been crossed out?
How many triangles are there?
What is the answer to this "simple" sum?
37 times 12355 divided by 1765
Find Rhoscrowther and click the appropriate place on this map
Enter this "Activation Code" in the box provided
- wvn0O-5SlI1-Ge9gq-3E4AU-7T8BV-1ILli-WVMUN-$SE£€-@#{]%
DigitalDan.uk is part of the DigitalDan.co.uk group