Progress Update On Gaptcha
Update: The source is now live!
I've received some positive feedback on my thoughts on my new captcha control. While I've been given many suggestions, for now I think I'll just go with the simplest implementation possible, just so that I can get something live - while I want to, of course, have something well written, the important thing right now is stopping the spam :)
I've decided to give it a new name too. Gaptcha, after Geoff Appleby's CAPTCHA. I'll stick with that name until someone can show me that while I think I've thought of something new and original, I've actually copied someone else (which I'm sure I haven't, although I am basing this loosely on the authentication scheme needed for my netbank service).
So anyway, since I wrote about my thoughts last time, I've made some pretty good progress - in fact, it would probably be live by now except for the weekend getting in the road. For some reason, now that I'm only home for the weekends, I'm using the computer a lot less and spending time with my family instead. Not sure if that's a good thing or not yet - I'll ask them when my stint in Melbourne is over :)
I've actually had the control working at one stage last Thursday night, but it only worked to prove the point. Since then I started tidying up the code and refactoring out the hacks to make it presentable, and so it's broken again (of course) until I'm finished.
But it's pretty much sorted out in my head now. I'm going to show a 3x3 grid of nine images, and require three of them to be selected. The pictures are chosen at random from the database from a set of as many as I feel like putting in - currently I've registered 12.
So here's a little preview of how it looks. It won't change much visibly from what you see here to what I put live, but the code behind the scenes will become much nicer.

As you can see, I need to take a few photos of myself. When all the pictures are the same, it's a bit hard to match the descriptions above with the right grid co-ordinate. But code cleanup and selecting actual images is all I've got left. The first draft has been written and proven to work. w00t!
I had a few discussions with a friend of mine over the weekend about this. While this control is only on CrankyGoblin, the chances of a spam-bot taking the time to figure out how to bypass it are pretty slim. But once I've made it available, and if more people than just me use it, is it worth them trying to crack it then? And if so, what can I do to make it as secure as possible without making it user-unfriendly? So far our thinking runs as follows:
- Make the textual descriptions of the images graphics themselves. Maybe print out the text using ransom-letter type graphics - so long as the image files for each letter are not named obviously (like a.gif, b.gif, etc.) then it might make things harder (but still easy to read by a human).
- Share descriptions over multiple images. If there were two photos of me say, drinking some sort of drink, then it would be harder to work out using automated methods which image matches which description. The trick here is to make sure that when any given description is used, it only matches 1 of the 9 shown in the grid.
- I need to investigate at what point the number of combinations is high enough to be a pain to crack while still consuming very little time from a legit comment poster. By this I mean, what are the best numbers? 3 out of 9? 2 out of 5? 3 out of 30 (I think not, but you get my point). And how many images all up should be available to be selected into the initial 9? Just 9? 15? 255? I honestly have no idea.
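The "what are the best numbers?" question above splits into two separate attacks that depend on different parameters, and the following Python is an added worked example (not Gaptcha's own code) that puts numbers on both. Blind guessing depends only on the grid: how many cells are shown and how many must be picked, and whether each description has to be matched to its own cell (9*8*7 answers for 3 of 9) or the poster just ticks any three (C(9,3) = 84). A dictionary attack depends only on the pool: if the same image files are served unchanged, a bot can hash each one, have it labelled once (by a human solver, or by a guess that happened to pass), and then solve every later challenge that reuses it. The simulation assumes the grid is filled by uniform sampling without replacement from the pool; the class and function names are mine.

```python
"""Added analysis of the Gaptcha parameter space (not the author's code).

Two attacks on a "match k descriptions to cells in a grid of n images"
control, with the parameters that each one actually depends on:
  1. blind guessing    -> grid size (shown) and selections (required);
  2. dictionary attack -> size of the image pool, if images are served
                          unchanged and can therefore be hashed.
Assumptions: the server fills the grid by sampling `shown` distinct
images uniformly from the pool, and the attacker can label an image
once it has been seen.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class GaptchaParams:
    shown: int      # images laid out in the grid (9 for a 3x3 grid)
    required: int   # descriptions the poster has to match to cells
    pool: int       # distinct images registered in the database


def guess_space(p: GaptchaParams, ordered: bool = True) -> int:
    """Number of distinct answers a blind guesser must choose from.

    ordered=True models "description 1 -> cell, description 2 -> cell, ..."
    with each description paired to its own cell (9*8*7 = 504 for 3 of 9).
    ordered=False models "tick any 3 of the 9 cells" (C(9,3) = 84).
    A uniform random guess passes with probability 1 / guess_space.
    """
    if not 0 < p.required <= p.shown:
        raise ValueError("required must be between 1 and shown")
    if ordered:
        return math.perm(p.shown, p.required)
    return math.comb(p.shown, p.required)


def expected_guesses(p: GaptchaParams, ordered: bool = True) -> float:
    """Mean number of submissions before a uniform random guess succeeds.

    This is what an attempt limiter (per session or per IP) has to beat.
    """
    return float(guess_space(p, ordered))


def challenges_to_map_pool(p: GaptchaParams, seed: int = 0) -> int:
    """Simulate a dictionary attacker against an unchanging image pool.

    Each challenge shows `p.shown` distinct images from the pool.  The
    attacker labels every image it has not seen before and stores the
    label under the image's content hash.  Returns how many challenges
    it took before the whole pool was known; from then on each
    challenge is solved by lookup, whatever the grid size is.
    """
    if p.shown > p.pool:
        raise ValueError("cannot show more distinct images than the pool holds")
    rng = random.Random(seed)      # seeded so the result is reproducible
    known: set[int] = set()        # stands in for a hash -> description table
    challenges = 0
    while len(known) < p.pool:
        known.update(rng.sample(range(p.pool), p.shown))
        challenges += 1
    return challenges


if __name__ == "__main__":
    # Constructed configurations matching the numbers floated in the post.
    configs = [
        GaptchaParams(shown=9, required=3, pool=12),
        GaptchaParams(shown=5, required=2, pool=12),
        GaptchaParams(shown=30, required=3, pool=255),
        GaptchaParams(shown=9, required=3, pool=255),
    ]
    print(f"{'shown':>5} {'req':>3} {'pool':>4} {'ordered':>8} {'unordered':>9} {'to map pool':>11}")
    for c in configs:
        print(f"{c.shown:>5} {c.required:>3} {c.pool:>4} "
              f"{guess_space(c, True):>8} {guess_space(c, False):>9} "
              f"{challenges_to_map_pool(c):>11}")
```

Running it shows the two metrics moving independently: changing 3-of-9 to 3-of-30 raises the unordered guess space from 84 to 4060 but does nothing about the dictionary attack, while growing the pool from 12 to 255 images does nothing for blind guessing but multiplies the number of challenges an attacker must have labelled first. In practice the guess space only needs to be large relative to whatever attempt limit the comment form enforces, and the pool only needs to be large (or the images re-rendered with per-request noise so their hashes differ) relative to what an attacker is willing to label once.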
So that's where things stand at the moment. Through the course of this week I hope to get it completed enough to make it live, and not long after I'll release the code for it so that anyone else who wants to can use it too :)