Re: Antw: Re: Example of accessible CAPTCHAS that work well from Ramón Corominas on 2011-11-18 (w3c-wai-ig@w3.org from October to December 2011)

From: Ramón Corominas <listas@ramoncorominas.com>
Date: Fri, 18 Nov 2011 10:44:14 +0100
To: Srinivasu Chakravarthula <srinivu@yahoo-inc.com>
Cc: "w3c-wai-ig@w3.org" <w3c-wai-ig@w3.org>
Message-Id: <9963D1D5-83D3-4274-974E-9B6FCECB53DA@ramoncorominas.com>
For high-loaded websites such as Facebook, etc. any CAPTCHA that includes the answer in the question itself is useless as a security control. The spambot can simply try a "bruteforce" attack with every word or number in the question, so at least one of each 3 or 6 times it will succeed.

Regards,
Ramón.


Srinivasu Chakravarthula wrote:

> Hi all,
> 
> One of the nice CAPTCHAs I have seen are text based simple logical questions used on Web Accessibility Guidelines portal of Government of India – See http://web.guidelines.gov.in/registration.php Here they ask simple question where answer is available in thequestion itself and very little thinking is required. Questions like “In the following list, which appears first: 29, 127, 234” Also, this should work for refreshable Braille display users too.
> 
> While writing this post, I see Government of India Portal Feedback page and they are providing audio captcha that needs to be downloaded. Although the sound quality is good, not sure, if this could be a recomended method. Please comment. 
> 
> Thx,
> 
> -Vasu
> 
> srinivasu
> chakravarthula
>  
> senior manager, inclusive design
>  
> Let's create an inclusive world!
> Yahoo! Accessibility Blog | Yahoo! Accessibility Code Library
>  
> e-mail: srinivu@yahoo-inc.com im: vasugroupmails twitter: @vasutweets
> direct 918030774332    mobile 919900810881
> Yahoo! Accessibility on Twitter | Me on Twitter | Me on LinkedIn | My virtual home
> <image001.gif>
>  
> 
> From: Mario Batusic [mailto:Mario.Batusic@jku.at] 
> Sent: Friday, November 18, 2011 2:52 AM
> To: Karl Groves; Phill Jenkins
> Cc: Denis Boudreau; Patrick H. Lauke; w3c-wai-ig@w3.org
> Subject: Antw: Re: Example of accessible CAPTCHAS that work well
>  
> 
> Hi!
> Short time ago I found a CMS Drupal module with a very nice captcha implementation. This one lets the users unbothered. The idea is simple: in the form there is an additional field for this fake captcha. The field is hidden from the user in the CSS. The normal bots ignore CSS and fill all fields with some garbage. If the submitted form check finds the hidden field filled with data, the form is discarded.
>  
> Ciao     Mario
> 
> >>> Karl Groves <karl@karlgroves.com> schrieb am 17.11.11 um 21:52 in Nachricht <CABScKPAcc26E5rsdZ+FpTLyLrMX4Z-9FkwUVPhYg5wPvTMrbrg@mail.gmail.com>:
> The Smashing Magazine article cited by Phil and Jennifer is a good one
> and one which should be shared among those who advocate for CAPTCHA.
> I question whether many of the so-called alternatives are truly
> alternative in security.  I think the article is honest regarding each
> method's strength and weaknesses.
> 
> As a developer myself, fighting spam and abuse is an ongoing battle
> that most people (even most web designers) really know little about.
> I've worked with clients whose sites get 10,000 pageviews per second.
> Companies like that are under constant barrage from people trying to
> gain illegitimate access to their resources.  We need to keep this in
> mind when discussing potential alternatives to CAPTCHA.
> 
> I'm by no means an advocate for CAPTCHA. I don't use it and never
> have.  But we need to keep in mind that some so-called "alternatives"
> really are not alternative in terms of security, and any proposed
> alternative should offer an equivalent level of security while also
> being accessible.
> 
> Karl
> 
> 
> On Thu, Nov 17, 2011 at 2:24 PM, Phill Jenkins <pjenkins@us.ibm.com> wrote:
> > This March 2011 article is worth reading
> > http://coding.smashingmagazine.com/2011/03/04/in-search-of-the-perfect-captcha/
> >
> > several alternatives to CAPTCHAS discussed.
> >
> > Regards,
> > Phill Jenkins,
> >
> >
> >
> >
> >
> > From:        Denis Boudreau <dboudreau@accessibiliteweb.com>
> > To:        "Patrick H. Lauke" <redux@splintered.co.uk>
> > Cc:        w3c-wai-ig@w3.org
> > Date:        11/17/2011 12:39 PM
> > Subject:        Re: Example of accessible CAPTCHAS that work well
> > ________________________________
> >
> >
> > Hello all,
> >
> > On 2011-11-17, at 12:24 PM, Patrick H. Lauke wrote:
> >
> >> On 17/11/2011 16:12, Ginger Claassen wrote:
> >>> Regarding accessible CAPTCHAS I found a very few so far where one has to
> >>> solve a very simple mathmatical question e.g. How much is 3 + 4?
> >>> In my opinion that is quite accessible or do I oversee something here?
> >>
> >> Could it pose problems for users with cognitive disabilities? And
> >> generally just weird out users ("why is this website asking me this?") and
> >> require lengthy explanation? My mum would be left wondering, anyway...
> >
> > Not only that, but the easier those equations are, the easier bots can crack
> > them too. So we're rapidly back to square one.
> >
> > /Denis
> >
> >
> >
> >
> 
>
Received on Friday, 18 November 2011 09:44:59 UTC