3

I have just came across an ASCII art captcha, something that I have never seen before. It seems to be really easy to implement server side!

Are ASCII art captchas secure enough?

ASCII Art captcha

Renato Gama
  • 171
  • 1
  • 6
  • 2
    Secure enough for what? Please see our FAQ: http://security.stackexchange.com/help/on-topic. As it states, "Security is a very contextual topic: threats that are deemed important in your environment may be inconsequential in somebody else's, and vice versa. To get the most helpful answers you should tell us: what assets you are trying to protect; who uses the asset you're trying to protect, and who you think might want to abuse it (and why); what steps you've already taken to protect that asset; what risks you think you still need to mitigate." Please edit your question accordingly. – D.W. May 04 '15 at 17:33
  • 1
    I have a simple honeypot system in place which has worked out so far so the real question is "How motivated are attackers?" – MonkeyZeus May 04 '15 at 21:02

2 Answers2

13

All text-based CAPTCHAs are trivial to break if the adversary is motivated enough. There are been relatively serious claims from different teams of being able to break common text-based CAPTCHAs (although no public code that I'm aware of), including Google and Vicarious.

This is simply because computer vision tasks such as determining the regions of a 2D image or reconstructing partially missing borders of an object are now relatively advanced. So, even though a new CAPTCHA system might not be immediately broken, it would not take advanced attackers substantially more time to break it than it took to develop it.

In conclusion, don't use CAPTCHAs as a single line of defence against spammers and perform more clever forms of risk analysis. More importantly, don't harass legitimate users with CAPTCHAs that your attackers will solve more efficiently than them!

Steve Dodier-Lazaro
  • 6,848
  • 30
  • 45
  • 7
    +1 for the "don't harass legitimate users". For the sake of safety some captchas seem to really go down the wrong road... – WhiteWinterWolf May 04 '15 at 13:41
  • It can depend a lot on how big the threat is from spam bots. If it is unlikely that someone would bother to put any effort in at all you can get away with even a non-image based "captcha" I hesitate to call it a captcha even because it's not really... for example, I've run across sites where they just have in plain text a simple addition/subtraction question. something like 3+1= This is trivial for anyone with any minimal level of coding experience to bypass, but it works for them because the kinds of bots they were getting were not specifically targeting them, so it was good enough. – Rod MacPherson May 04 '15 at 15:25
  • @RodMacPherson I do implement basic spam check questions on some sites, but I usually avoid math stuff. Not nice for dyslexic people for instance. I try to make use of the site's context. For instance, we have a study website running for University College London students, where we ask in the contact form the city in which UCL is located, and we propose a list of radio buttons with different cities so we're sure legitimate users aren't rejected because of typos / framing issues (e.g. answering w/ the county, council or neighbourhood name rather than city name). – Steve Dodier-Lazaro May 04 '15 at 15:57
  • @RodMacPherson: Increasing the cost of spamming a message board by $0.01 may in many cases be sufficient to make it uneconomical, which is generally all that's required. To be sure, it might be better if there were a mechanism to drop unsalvageable and otherwise-worthless pianos on the heads of people who are willing to waste many thousands of hours of other people's time for each dollar of expected profit, but for most purposes even an tiny increase in spammers' cost will be sufficient to keep them at bay. – supercat May 04 '15 at 16:48
  • 2
    @WhiteWinterWolf: Because computers suck at advanced math and the average human being is great... at... wait, what? – Mason Wheeler May 04 '15 at 18:30
  • @WhiteWinterWolf. Answer is 0. And it is weirdly trying to use human intelligence to spot that it resolves easily. Got to be a joke though? – Neil Slater May 04 '15 at 19:05
  • @WhiteWinterWolf Did that image come from Art of Problem Solving, or similar math training website? It would actually make some sense in that context. – tlng05 May 04 '15 at 19:24
  • @WhiteWinterWolf I compute that in 10 seconds in my head. I think the idea is to require a certain amount of education from commenters. – geometrian May 04 '15 at 21:20
3

A captcha should be an image with enough variations that a computer can't reliably recognize it, and whether the image is composed of actual pixels or just ASCII characters is irrelevant.

This captcha in particular looks really weak; the letters seem to always be the same shape, without rotation, distortion nor noise.

However, a captcha with the glyphs randomly rotated, distorted and with a bunch of noise can be secure enough *, even if it's then converted into ASCII art. The only issue is that given the size of ASCII characters, you'll need a lot more screen space to display the same content you'd be able to display using an image.

*a captcha will never be bulletproof because of services like these.