Security Basics mailing list archives

RE: Thoughts on CAPTCHA


From: <Monrad.DC () forces gc ca>
Date: Wed, 16 Apr 2008 12:43:49 -0400

A recent podcast from Wired Science has an updated source for the images.
The intent is to take the CAPTCHA words from digitally scanned books that were not able to be processed by OCR.  Used
enough, it would automate the OCR proofreading.

Ref: http://www.iptv.org/video/detail.cfm/1364/wirs_20071220_luis_von_ahn_human_computation

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of Chris Barber
Sent: Tuesday, April 15, 2008 6:05 PM
To: security-basics () securityfocus com
Subject: Thoughts on CAPTCHA


I was just reading on the SANS NewsBites an article about how some
implementations of CAPTCHA seem to have been outsmarted by software.
I have seen other articles and have not paid a lot of attention to
them (simply because I have been too busy).  But this got my gears
turning.

I do not know how other people feel about CAPTCHA in its current
state, but I think it needs to be upgraded.  You need some form of
interaction that requires the user (human) to make choices that a
computer would not be able to make.  Something that changes with every
mouse click or keystroke.  Now, my sons play an online video game
where you have to key in your passcode via a web-based keypad.  The
keypad is displayed with all keys in some random order; each time a
key is pressed the numbers change positions, like musical chairs.

Here is an example:

Passcode is 564

When the key pad is first displayed it may look like:
9160
583
742

After the 5 is clicked

0258
349
167

After 6 is clicked

9468
351
207

Once you click on the 4 you have access to your account.

This is pretty unique and I thought it was very ingenious; you could
not determine the passcode by capturing the positions of the mouse
clicks because every time you enter your passcode the keys are in
different places.

Now, to increase the security of this, we use the same sort of random
"word" generators that are currently in place and, if you want, display
them in a similar manner with the deformed type and all.  But add the
layer of security where you must enter the CAPTCHA "word" with an ever-
changing keyboard/pad.  Using 16 keys instead of 10 would give enough
choices but not take that long to find the keys needed to enter the
CAPTCHA "word".

Just some food for thought.  This is just a brainstorm (or drizzle)
and I thought I would put it out here and see what others thought of the
idea.

Chris.
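The shuffled keypad Chris describes, as an added example that is not code from the thread or from the game he mentions: the server owns the layout, reshuffles it after every key press, and verifies the digits it mapped from the reported key positions, so a log of click positions alone does not reproduce the passcode in a later session. The class and function names are my own; the seeded `random.Random` in `replay_positions` is only there to make the demonstration repeatable.

```python
import hmac
import random
import secrets

DIGITS = "0123456789"

def new_layout(rng):
    """Random permutation of the ten digits: index = key position, value = digit shown."""
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout

class KeypadSession:
    """One passcode-entry attempt. The server owns the layout and reshuffles it
    after every click; the client reports only the position index it clicked."""

    def __init__(self, expected_passcode, rng=None):
        self._expected = expected_passcode
        self._rng = rng or secrets.SystemRandom()
        self.layout = new_layout(self._rng)  # sent to the client for rendering
        self._entered = []
        self.position_log = []               # what a click-position logger sees

    def click(self, position):
        """Record the digit currently at `position`, then deal a new layout."""
        if not 0 <= position < len(self.layout):
            raise ValueError("bad key position")
        self._entered.append(self.layout[position])
        self.position_log.append(position)
        self.layout = new_layout(self._rng)  # musical chairs after each press

    def verify(self):
        """Constant-time comparison of the entered digits with the passcode."""
        return hmac.compare_digest("".join(self._entered), self._expected)

def enter_passcode(session, passcode):
    """Honest user: locate each digit on the current layout and click it."""
    for digit in passcode:
        session.click(session.layout.index(digit))
    return session.verify()

def replay_positions(positions, passcode, seed):
    """Feed a captured position log into a fresh session to show that, with
    the keys reshuffled, the same positions no longer spell the passcode."""
    session = KeypadSession(passcode, rng=random.Random(seed))
    for position in positions:
        session.click(position)
    return session.verify()
```

This only defeats capture of click coordinates; anything that also records the rendered layout (screen capture, DOM access) still recovers the digits, so the server must never send the passcode itself, only the layout.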

