From: Matthew M. <ma...@tu...> - 2005-12-14 13:49:40
This is my response to a letter Shaun Murray sent me. I thought it may interest the devs list, so please comment. Thanks to Shaun for bringing it up.

-----------------------------------------------------------------------

On Wed, 2005-12-14 at 10:27 +0000, Shaun Murray wrote:
> A while back you were playing around with captcha code to stop spammers.
>
> Well, this guy reckons he can get past those...
>
> http://sam.zoy.org/pwntcha/
>
> You can upload test images to see if he can decode them.

Well crap. I have been using PEAR's implementation for Fallout. I haven't really played with backgrounds or font alteration/deformation.

I went back and read the W3C recommendations. I think there are two main reasons CAPTCHA is used:

1) To prevent brute-force password guessing
2) To prevent comment spam

Perhaps we should address the problem directly.

1) Set a password limit. Go over that limit and the account is locked and the IP logged.
2) Set a comment limit per user.

This would require:

1) Administrative attention for those who simply forgot their password. To try and prevent this, a notice could appear: "You have one more chance to enter your password. If you fail, your account will be disabled. We suggest you use the 'Forgot my Password' link." I suppose it could also just email the user a link to unlock their account.

2) Again, possible admin attention. A good site user can easily go over your "reasonable" limit. So, their limit would need to be raised administratively. Alternately, the system would need some sort of logic to approve them automatically. Nothing comes to mind that couldn't be overcome with spam logic.

Now we _could_ stick with the CAPTCHA method and try to make it as crazy as possible. Unfortunately, its inaccessibility bothers me. I would like to have something in place before we ship instead of having a wait-and-see attitude.

This is assuming that 1.0 will be popular enough for us to have to worry about it :)

Matt

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu
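The two controls Matt proposes in place of a CAPTCHA (a failed-login limit that locks the account, logs the IP and warns the user on their last attempt, with an emailed unlock link; and a per-user comment limit that an admin can raise) are sketched below as an added illustration. This is not phpWebSite's or Matt's code, and it is written in Python rather than PHP purely for readability; the class and function names, the limits (3 failed logins, 5 comments per hour) and the in-memory storage are all assumptions.

```python
"""Added example: account lockout with a last-chance warning and
per-user comment rate limiting, modelled on the proposal in the message
above. Illustrative only; not phpWebSite code. All limits are assumed."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS = 3          # assumed: lock on the third consecutive failure
COMMENT_LIMIT = 5         # assumed: default comments per user per window
COMMENT_WINDOW = 3600.0   # assumed: window length in seconds (one hour)


@dataclass
class Account:
    # Plaintext only to keep the example short; a real site compares a
    # stored password hash instead.
    password: str
    failures: int = 0
    locked: bool = False
    unlock_token: Optional[str] = None
    comment_times: list = field(default_factory=list)
    comment_limit: int = COMMENT_LIMIT   # raised per user by an admin


class LoginGuard:
    def __init__(self):
        self.accounts = {}
        self.audit = []    # stands in for the IP log the message calls for

    def register(self, user, password):
        self.accounts[user] = Account(password=password)

    def login(self, user, password, ip):
        """Return (status, message); status is ok, failed, last_chance or locked."""
        acct = self.accounts[user]
        if acct.locked:
            return ("locked", "Account disabled. Use the unlock link emailed to you.")
        if secrets.compare_digest(password, acct.password):
            acct.failures = 0            # success resets the counter
            return ("ok", "Welcome.")
        acct.failures += 1
        remaining = MAX_ATTEMPTS - acct.failures
        if remaining <= 0:
            # Lock the account, record the source IP, and mint a one-time
            # unlock token that would be emailed to the user.
            acct.locked = True
            acct.unlock_token = secrets.token_urlsafe(16)
            self.audit.append(f"lockout user={user} ip={ip}")
            return ("locked", "Account disabled; an unlock link has been emailed.")
        if remaining == 1:
            return ("last_chance",
                    "You have one more chance to enter your password. "
                    "If you fail, your account will be disabled. "
                    "We suggest you use the 'Forgot my Password' link.")
        return ("failed", f"Wrong password; {remaining} attempts left.")

    def unlock(self, user, token):
        """Clear the lock when the emailed token matches (constant-time compare)."""
        acct = self.accounts[user]
        if acct.locked and acct.unlock_token is not None \
                and secrets.compare_digest(token, acct.unlock_token):
            acct.locked = False
            acct.failures = 0
            acct.unlock_token = None
            return True
        return False

    def may_comment(self, user, now=None):
        """Sliding-window comment limit: True if the comment is allowed."""
        acct = self.accounts[user]
        now = time.time() if now is None else now
        # Drop timestamps that have fallen outside the window.
        acct.comment_times = [t for t in acct.comment_times
                              if now - t < COMMENT_WINDOW]
        if len(acct.comment_times) >= acct.comment_limit:
            return False                 # over the limit; an admin may raise it
        acct.comment_times.append(now)
        return True

    def raise_comment_limit(self, user, new_limit):
        """Administrative override for trusted, high-volume users."""
        self.accounts[user].comment_limit = new_limit
```

The lockout counter resets on a successful login, and the unlock path accepts only the minted token, so a forgotten password costs the user one email round trip rather than an admin ticket. The comment limit is a sliding window per user, with the per-user override Matt notes a good contributor would need.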