[BETA] Mathematical CAPTCHA (v0.0.2)

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment!
MaidenFan
Registered User
Posts: 43
Joined: Mon Dec 12, 2005 3:33 pm
Location: Aberystwyth, Wales, UK

[BETA] Mathematical CAPTCHA (v0.0.2)

Post by MaidenFan »

After being pestered by spam-bots and frustrated at phpBB's lack of a decent CAPTCHA (and image-based CAPTCHAs in general) I have decided to integrate someone else's (fully credited) mathematical CAPTCHA code into a phpBB MOD.

MOD Overview
MOD Name: Mathematical Captcha
MOD Version: 0.0.1
Author: MaidenFan
MOD Description: Includes a mathematical CAPTCHA-like text field within the registration page. The "answer" to the question is hashed using the SHA1 algorithm and stored in a cookie on the user-side.
phpBB Version: 3.0.4
Language: English (translations welcome)
License: GNU General Public License v2
Files Edited: 3
Files Uploaded: 0

Demo
WWRY-London.co.uk | UKThrash.co.uk

MOD Download
Zip | Tar.Gz

Planned Changes/Improvements/Actions
  • Submitting to MODs database
Change Log
0.0.2 - Changed to MODX format
0.0.1 - First release
Last edited by MaidenFan on Mon Mar 09, 2009 9:29 am, edited 1 time in total.
Personal Site & Blog | Last.fm
erno @ Bash.org wrote:I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.

Re: [BETA] Mathematical CAPTCHA (v0.0.2)

Post by MaidenFan »

Just updated the format of the MOD to MODX and packaged it up in both .zip and .tar.gz files. If people can provide some feedback on this it would be appreciated.

I have had one spammer sign up to UKThrash after applying the MOD, however this was probably a human spammer as there is no conceivable way that the MOD can be compromised other than cracking the SHA1 hash of the answer.
IPB_Refugee
Registered User
Posts: 1290
Joined: Fri Jul 07, 2006 2:25 pm
Location: Austria
Name: Wolfgang Weber

Re: [BETA] Mathematical CAPTCHA (v0.0.2)

Post by IPB_Refugee »

Hello MaidenFan,

I don't like graphical captchas either.

But I fear your captcha might be a bit weak. Here are some ideas for you:

http://i28.tinypic.com/23vny2c.jpg
http://www.freetagger.com/wp-content/up ... 965hz7.png

Hope you like them :)
Wolfgang

Re: [BETA] Mathematical CAPTCHA (v0.0.2)

Post by MaidenFan »

IPB_Refugee wrote:Hello MaidenFan,

I don't like graphical captchas either.

But I fear your captcha might be a bit weak. Here are some ideas for you:

http://i28.tinypic.com/23vny2c.jpg
http://www.freetagger.com/wp-content/up ... 965hz7.png

Hope you like them :)
Wolfgang

Hi Wolfgang,
Thanks for the comments!

I agree that the original captcha code (which I didn't write) is fairly simplistic, although it does do the job. I didn't want to put users off by having a sophisticated captcha sum for them to do before they even register.

A good thing about the code I've integrated is that it varies the output between words and digits, for example you can be asked the question "What is five + 2" which makes it very difficult for bots to parse.

Also on my side of the coding, I've added SHA1 hashing, so that even though the answer is stored in a browser-side cookie, it cannot be decoded by the bot.

If you can explain why my captcha (or the code I've used) is weak, then please feel free :) - all I can say is that from testing on my two demo forums, I have had one or two human spammers but no bots at all.

Craig

Re: [BETA] Mathematical CAPTCHA (v0.0.2)

Post by IPB_Refugee »

Just wanted to make your day by adding two really funny pics. :P

But there is indeed a problem arising for all non-graphical captchas:

http://www.google.com/search?hl=de&safe ... uche&meta=

If the new search engine will work well, spammers will certainly use it and then we will have to develop different ideas... (maybe writing the question with Javascript code could help for a while)

Have a nice weekend!
Wolfgang

Re: [BETA] Mathematical CAPTCHA (v0.0.2)

Post by MaidenFan »

Hi Wolfgang,
I honestly think that the mathematical element of this captcha, along with hashing the output really does make it as secure (I'm not going as far as saying infallible - in reality nothing is!) as possible.

Together with making the text dynamic between words and digits, it makes it very difficult for bots to predict. A possible addition is making it into an image instead of text, however even this may not be needed due to the hashing on the server and client-side.

MF

Re: [BETA] Mathematical CAPTCHA (v0.0.2)

Post by IPB_Refugee »

MaidenFan wrote:A possible addition is making it into an image instead of text,
That would kill the enhanced accessibility which is, in my opinion, the most important advantage of text based captchas over graphical ones.

Regards
Wolfgang
geoffreak
Registered User
Posts: 591
Joined: Sat Feb 12, 2005 8:39 am

Re: [BETA] Mathematical CAPTCHA (v0.0.2)

Post by geoffreak »

Just to let you know, I know next to nothing about cracking captchas, but I can tell you that I can easily break this one. Make sure you change around the wording order each load so that this won't happen.

Here are some examples:
When you take four and six and add them together, what do you get?
If there is a number that is one more than five and it is added to four, what is the result?
Four added to six results in what number?
Anime Revolution - Your new #1 source for All things anime and manga!
READ MY BLOG ALREADY!

Re: [BETA] Mathematical CAPTCHA (v0.0.2)

Post by IPB_Refugee »

Welcome back, geoffreak! :)

And now imagine Wolfram Alpha will be working well. This will be the way the spammers go:

1. Get the question from the registration page (e.g. what is ten + 88 or what is the capital of Australia)
2. Ask Wolfram Alpha
3. Evaluate the response
4. Register
5. Post spam

Greetings
Wolfgang
Highway of Life
Former Team Member
Posts: 6048
Joined: Wed Feb 02, 2005 5:41 pm
Location: Seattle, WA
Name: David Lewis

Re: [BETA] Mathematical CAPTCHA (v0.0.2)

Post by Highway of Life »

MaidenFan wrote:I have had one spammer sign up to UKThrash after applying the MOD, however this was probably a human spammer as there is no conceivable way that the MOD can be compromised other than cracking the SHA1 hash of the answer.
It is highly likely it was just a bot; as long as the software were built to recognise mathematical CAPTCHAs, it would have just done that on your site.
The default (phpBB3 supplied) CAPTCHA is actually quite complex to crack; however, there is no CAPTCHA that is impossible to crack. The default CAPTCHA took quite a while to be cracked by applications that cost $400+ USD -- over 2 years. This kind of mathematical CAPTCHA is actually far easier to crack; any script kiddie with 40 minutes or less of time to spare could easily create a quick script capable of cracking this CAPTCHA.
Why? Just ask Google.

Once phpBB comes out with a new CAPTCHA, it will again be months before that CAPTCHA is broken. But if phpBB were to implement a CAPTCHA such as this, it would be broken the very same day. In reality, this type of CAPTCHA (mathematical-based CAPTCHAs) is rather weak, and is among the weakest CAPTCHAs that exist.

That said, any unique method - something that not everybody is using, something unique to your own site - you can use to deter bots is a good method.
The phpBB Weekly Podcast - Discussing the developments of phpBB4 and beyond.

New to phpBB3? Want to learn about programing?
Visit phpBB Academy at StarTrekGuide to learn how.
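
An added example, not code from the MOD or from any poster in this thread: it contrasts the cookie design the thread describes (an unkeyed SHA1 of the answer) with a keyed, expiring token, to show what the hash does and does not protect. Function names, the `|` token layout, the 0-200 answer range and the 300-second lifetime are assumptions chosen for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added illustration; all values are constructed, none come from the MOD.

// Design as described in the thread: cookie = sha1(answer), no key, no expiry.
function weak_cookie(int $answer): string {
    return sha1((string) $answer);
}

// Audit check: with an unkeyed hash over a small answer space, the digest of
// every plausible answer can be precomputed, so the cookie discloses the answer.
function answer_from_weak_cookie(string $cookie, int $max = 200): ?int {
    for ($n = 0; $n <= $max; $n++) {
        if (hash_equals(sha1((string) $n), $cookie)) {
            return $n;
        }
    }
    return null;
}

// Hardened form: HMAC under a server-only key, bound to a nonce and an expiry.
function issue_token(int $answer, string $key, int $ttl = 300): string {
    $nonce   = bin2hex(random_bytes(16));
    $expires = time() + $ttl;
    $mac     = hash_hmac('sha256', "$nonce|$expires|$answer", $key);
    return "$nonce|$expires|$mac";
}

function verify_token(string $token, string $submitted, string $key): bool {
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1]) || !ctype_digit($submitted)) {
        return false; // malformed token or non-numeric answer
    }
    [$nonce, $expires, $mac] = $parts;
    if ((int) $expires < time()) {
        return false; // challenge has expired
    }
    $expected = hash_hmac('sha256', "$nonce|$expires|" . (int) $submitted, $key);
    return hash_equals($expected, $mac);
}

$key = random_bytes(32); // constructed here; a real key lives in server config
var_dump(answer_from_weak_cookie(weak_cookie(7)));
$token = issue_token(7, $key);
var_dump(verify_token($token, '7', $key));
var_dump(verify_token($token, '8', $key));
```

The keyed token can still be replayed until it expires unless the server also records used nonces; keeping the answer in the server-side session avoids the cookie altogether. Neither change affects whether a program can read and solve the question text itself, which is the separate weakness raised in the posts above.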
lanesharon
Registered User
Posts: 400
Joined: Fri Dec 05, 2003 9:33 pm
Location: º• Confused! •º

Re: [BETA] Mathematical CAPTCHA (v0.0.2)

Post by lanesharon »

I want a contact form on my website. Would like a question/answer routine like this for that form. Hopefully, with a database storage of multiple questions that can be rotated. When I was using the mod for phpbb2 that had that, I had a lot fewer problems with spammers. Keeping the questions creative is important to success.