captchas: The Good, the Bad and the Ugly

Some months ago, I commented about a weak implementation in a fancy captcha. Today I would like to comment about other bad implementations, but in other ways.

The good

A captcha should have big Shannon entropy, finite, but big. The session ID and the challenge must not be reused. The images must be resistant to OCR but should be understandable by a human.

The bad

Here is the first example:


Believe it or not.. This is a real case. So incredible eh?

The ugly

The victim, in this case, is this one:
This is an implementation of captchanumbers, by Hadar Porat. This captcha and many others generated by captchanumbers are weak and can be read with this script.

The idea is simple. As the numbers are nearly in the same place, they can be cut. Those parts can compared independently, reducing the entropy. May be the script and this image would be more enlightening than my limited English:


The 10,000 possibilities was reduced to 159. No OCR, 100% deterministic.

Second moral: Understand the fundamentals first, write code later.

1 thought on “captchas: The Good, the Bad and the Ugly”

Comments are closed.