I'm new to learning PHP so maybe there is a reason why Captcha's always
contain letters? I can't remember where I saw it...but I remember using
a website that only used numbers for the Captcha and it was so nice
because I just used one hand and quickly typed the numbers in and it
isn't nearly as easy to get confused one what character they want you to
type. At least for me this seemed faster and easier. I get confused with
some captcha's because I can't tell if a letter is an l or i or o and 0.

Just a thought on speed and usability. Is there a security reason why
using only numbers shouldn't be used?

Message-ID: <yJSdnaQP0qfo6avbnZ2dnUVZ_uOmnZ2d [at] wavecable.com> from zach
contained the following:

>Just a thought on speed and usability. Is there a security reason why
>using only numbers shouldn't be used?

Consider the number of possible combinations if using just numbers
compared with using numbers and letters.
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011

On Mon, 30 Apr 2007 15:57:54 -0700, zach <wackzingo [at] gmail.com> wrote:

>type. At least for me this seemed faster and easier. I get confused with
>some captcha's because I can't tell if a letter is an l or i or o and 0.

Indeed, in many image based schemes it's hard for sighted, let alone
partially sighted, people to see the difference between a zero and an
"oh".

>Just a thought on speed and usability. Is there a security reason why
>using only numbers shouldn't be used?

In terms of usability, image-only schemes should never be used (in the
UK at least), as they discriminate in violation of the DDA 1995 unless
adequate, alternative, provision is made.

IME the number of sites using these techniques who bother to implement
such alternatives are close to zero :-(

I agree with you Stuart. I've got perfect eyesight but often can't work out
what the letters/numbers are supposed to be. All fuzzy or disjointed or
with lines and smudges through them.

I know some sort of human interface is needed to cut down on spam etc but
often I just give up.




"Stuart Millington" <news [at] dsv1.co.uk> wrote in message
news:cluc33h38f3efb0bjbdh381saa0h199adq [at] 4ax.com...
> On Mon, 30 Apr 2007 15:57:54 -0700, zach <wackzingo [at] gmail.com> wrote:
>
>>type. At least for me this seemed faster and easier. I get confused with
>>some captcha's because I can't tell if a letter is an l or i or o and 0.
>
> Indeed, in many image based schemes it's hard for sighted, let alone
> partially sighted, people to see the difference between a zero and an
> "oh".
>
>>Just a thought on speed and usability. Is there a security reason why
>>using only numbers shouldn't be used?
>
> In terms of usability, image-only schemes should never be used (in the
> UK at least), as they discriminate in violation of the DDA 1995 unless
> adequate, alternative, provision is made.
>
> IME the number of sites using these techniques who bother to implement
> such alternatives are close to zero :-(

On May 1, 12:29 am, Stuart Millington <n... [at] dsv1.co.uk> wrote:
> On Mon, 30 Apr 2007 15:57:54 -0700, zach <wackzi... [at] gmail.com> wrote:
> >type. At least for me this seemed faster and easier. I get confused with
> >some captcha's because I can't tell if a letter is an l or i or o and 0.
>
> Indeed, in many image based schemes it's hard for sighted, let alone
> partially sighted, people to see the difference between a zero and an
> "oh".
>
> >Just a thought on speed and usability. Is there a security reason why
> >using only numbers shouldn't be used?
>
> In terms of usability, image-only schemes should never be used (in the
> UK at least), as they discriminate in violation of the DDA 1995 unless
> adequate, alternative, provision is made.
>
> IME the number of sites using these techniques who bother to implement
> such alternatives are close to zero :-(

i definately agree, captchas present significant difficulty to fully
sighted humans, let alone partially or unsighted people, or those with
difficulties recognising text patterns, to get round this you might
see reduced character spaces, or even the use of common words, such as
googles anti-script captchas.
add to this the fact that most popular captcha implementations are
very weak, and that OCR can defeat them, for various reasons, (lack of
randomness/variety in text/images/backgrounds/fonts, insufficient
rotation/distortion, use of words - which provide a context for each
character...)
http://sam.zoy.org/pwntcha/
and you have a dying inaccessible gimmick.
Using the reduced password space of "digits" does mean that the OCR
has an easier job of homing-in on the right character simply if it
could be an o,O or 0 but only digits are allowed, then the guess is
easier. While the OCR scripts still have to guess what the characters
are, but provided they are notified about the character set for that
implementation, it is much easier.
Of course the really simple way to solve captchas is by hijacking them
and using them on your high-traffic site, and getting a human to solve
it, sending the results back downstream to the originating site, so
they are in every sense, broken. They just keep your fruit on the next
branch up.

On Apr 30, 11:37 pm, shimmyshack <matt.fa... [at] gmail.com> wrote:

> i definately agree, captchas present significant difficulty to fully
> sighted humans, let alone partially or unsighted people, or those with
> difficulties recognising text patterns, to get round this you might
> see reduced character spaces, or even the use of common words, such as
> googles anti-script captchas.

Am I the only one in the world who gets captchas right nearly all of
the time? Seriously, maybe one in 20 gives me problems.

I agree its bot-killing ability is probably overstated, but is it
really that hard to get this stuff right?

On May 1, 2:15 pm, Evil Otto <zburn... [at] gmail.com> wrote:
> On Apr 30, 11:37 pm, shimmyshack <matt.fa... [at] gmail.com> wrote:
>
> > i definately agree, captchas present significant difficulty to fully
> > sighted humans, let alone partially or unsighted people, or those with
> > difficulties recognising text patterns, to get round this you might
> > see reduced character spaces, or even the use of common words, such as
> > googles anti-script captchas.
>
> Am I the only one in the world who gets captchas right nearly all of
> the time? Seriously, maybe one in 20 gives me problems.
>
> I agree its bot-killing ability is probably overstated, but is it
> really that hard to get this stuff right?

you are the exception that proves the rule
the only captchas which actually /have/ bot-killing ability are the
ones which are so ambiguous that humans get them wrong a good
percentage of the time! see the link provided. The other 19 I would
say are probably from applications like phpBB and the like, which are
at time of writing 100% PWN'd.
And then theres the 30% with some kind of substantive reading
impairment, or colour blindness etc...
Effective captchas are so few and far between but do so much to hamper
the average user that the trade off isn't good enough - its the same
reason anyone can just walk into a hostpital - that security operates
internally.
In the limit, captchas are illegal unless another method is provided
which is probably easy to use from a bot's perspective

shimmyshack <matt.farey [at] gmail.com> wrote in news:1178026139.897277.269800
[at] h2g2000hsg.googlegroups.com:

> Effective captchas are so few and far between but do so much to hamper
> the average user that the trade off isn't good enough - its the same
> reason anyone can just walk into a hostpital - that security operates
> internally.


addressing the legibility issue (while not addressing accessibility),
someone made a great captcha class last year that requires selecting a
picture of a kitten from an array of photos.

http://www.kittenauth.com/

If captcha's aren't that accessible and we are going to see more bots
getting around them are there other types of user interaction that we
can use now? I saw a site that had you answer a very easy simple
question and another one had you answer a simple math problem all
without the hard to read captcha's.

On May 1, 4:12 pm, zach <wackzi... [at] gmail.com> wrote:
> If captcha's aren't that accessible and we are going to see more bots
> getting around them are there other types of user interaction that we
> can use now? I saw a site that had you answer a very easy simple
> question and another one had you answer a simple math problem all
> without the hard to read captcha's.

yeah thats the kind of thing, these are actually quite good, but they
are suseptible to reflecting
its a great challenge, something to think about when youre in the sun
with your eyes closed.

On Tue, 01 May 2007 08:12:17 -0700, zach <wackzingo [at] gmail.com> wrote:

>If captcha's aren't that accessible and we are going to see more bots
>getting around them are there other types of user interaction that we
>can use now? I saw a site that had you answer a very easy simple
>question and another one had you answer a simple math problem all
>without the hard to read captcha's.

The problem with them is the "comprehensive education" kids these days
get from their Comprehensive education [1] ;-)

[1] Stolen from Yes Prime Minister.