[nycphp-talk] easily defeating captchas using automated image analysis

Hans Zaunere hans at nyphp.com
Tue Nov 2 18:30:55 EST 2004


> > I've seen (or seen theorized) captchas that require a user to
> > enter a keyword based on three or more different pictures -- for
> > example, show the user a Frosted Flakes box cover, that famous
> > Nike-branded golfer, and a Cincinnati Bengals logo, and most
> > users (depending on the target audience) could get in by typing
> > "tiger".

Something here is that it's cultural - therefore, someone in Canada
might not recognize the Bengals logo, a?

> The problem with this approach is that humans can still guess it, so the
> adult site attack (that thing needs a name) will still work. Thus,

I think we could call it genius :)

> strengthening this further doesn't really help - it's already easier to
> use the adult site attack than it is to leverage the captcha breaking
> research results that have been produced.
> 
> This is a key point regarding security in general - it's unwise to focus
> all of your attention in any one area, thereby assuming that this is the
> one opening that a potential attacker will use. It's similar to how people
> have a false sense of security when something is encrypted - often
> decryption isn't necessary for a successful attack (presentation of the
> original encrypted data may be all that's required).

Absolutely true.  With the "genius" attack on captchas, they basically
go out the window.  Someone who is determined will defeat any captcha,
and if they don't do it with computerized recognition, they'll do it
with human recognition, which obviously defeats the entire purpose.

That said, I can't see that captchas are really a security mechanism - a
login is still required, thus being the primary "security" method
(however effective of course depends).  Captchas are to thwart
automation, and in many cases, they work.

So how does one defeat automation all of the time?  Maybe someone with
that answer can also tell us how to be secure all of the time :)


---
Hans Zaunere
President, Founder
New York PHP
http://www.nyphp.org