On Wed, 24 Nov 2004, Kees Cook wrote:
On Wed, Nov 24, 2004 at 06:34:25AM -0600, Bob Jamison wrote:
> Maybe instead of text, do what some e-shopping
> sites do. Have a pass phrase displayed on an image,
> and let the person type that in. Then the pass cannot
> be harvested.
If it comes to that, yeah. The problem is that it hinders any visually
impaired contributors.
craigslist.org added "hear this word" links too.
That's more coding, etc, since it requires some added libraries, etc.
I should also note that the state of the art in speech recognition
and OCR is pretty far along, for these purposes anyway, too.
To give you a sense of where CAPTCHA OCR stood a year ago:
http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html
Also, let's not forget the age-old tactic of hooking the back-end of the
spamming tool to a porn site that requests CAPTCHA solutions of its users:
free distributed human labor (and probably far more motivated than your
own users, too).
My point is that fancy verification mechanisms are an arms race we can't
really win, and the fancier or more difficult, the more legitimate users
we would hurt.
I think it's more important that our verifier be unique than that it be
particularly difficult. If spammers can't exploit economies of scale by
utilizing off-the-shelf software, it becomes much less economical for them
to spam us in particular.
-mental
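As an added example that is not part of this thread, here is one way to build the kind of site-specific verifier mental argues for: a small pool of plain-text questions that a human contributor can answer but a generic spam tool does not know about, each tied to a short-lived, single-use HMAC token so the server can recognise its own challenges without storing per-form state. Because the challenge is text, it also avoids the image-only problem raised earlier in the thread. The question pool, the per-process secret key, the 600-second lifetime and the one-guess-per-token rule are all assumptions made for the demonstration, not anything the thread specifies.

```python
import hashlib
import hmac
import secrets
import time

# Constructed question pool for this example: each entry is a question a
# human can answer in a second but a generic, off-the-shelf spam tool would
# not be programmed for. A real deployment would write questions specific
# to its own community and rotate them.
QUESTIONS = {
    "q1": ("Type the last word of this sentence: the cat sat on the mat", "mat"),
    "q2": ("What colour is a ripe banana? (one word)", "yellow"),
    "q3": ("How many sides does a triangle have? (as a digit)", "3"),
}

# Assumed: a long-lived server secret. Generated per process here so the
# example runs stand-alone; in practice load it from configuration so
# tokens survive a restart.
SECRET_KEY = secrets.token_bytes(32)

MAX_AGE_SECONDS = 600   # assumed challenge lifetime
_used_nonces = set()    # every authentic token gets exactly one guess


def _mac(qid, issued, nonce):
    """HMAC over the challenge fields so a client cannot forge or alter a token."""
    msg = f"{qid}|{issued}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(qid=None, now=None):
    """Return (question_text, token) to embed in the form the user sees."""
    qid = qid or secrets.choice(sorted(QUESTIONS))
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    token = f"{qid}:{issued}:{nonce}:{_mac(qid, issued, nonce)}"
    return QUESTIONS[qid][0], token


def _normalise(answer):
    """Case- and whitespace-insensitive comparison so humans are not punished for typing style."""
    return " ".join(answer.strip().lower().split())


def verify_answer(token, answer, now=None):
    """True only if the token is authentic, fresh, not yet used, and the answer matches."""
    try:
        qid, issued, nonce, mac = token.split(":")
        issued = int(issued)
    except ValueError:
        return False
    if qid not in QUESTIONS:
        return False
    # Constant-time comparison: a forged or tampered token fails here.
    if not hmac.compare_digest(mac, _mac(qid, issued, nonce)):
        return False
    current = now if now is not None else time.time()
    if not (0 <= current - issued <= MAX_AGE_SECONDS):
        return False
    # Consume the nonce before checking the answer: one token, one guess,
    # so a spammer cannot brute-force the small answer space against a token.
    if nonce in _used_nonces:
        return False
    _used_nonces.add(nonce)
    expected = _normalise(QUESTIONS[qid][1]).encode()
    return hmac.compare_digest(_normalise(answer).encode(), expected)


if __name__ == "__main__":
    question, token = issue_challenge()
    print("Q:", question)
    print("token to embed in the form:", token)
```

The token carries everything the server needs (question id, issue time, nonce, MAC), so no database row is created per form view; the only state kept is the set of nonces already spent, which can be pruned once older than MAX_AGE_SECONDS.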