in reply to If CAPTCHA isn't the answer. What is?

It won't help with the accessibility problem, but KittenAuth is probably proof against OCR for now:

http://arstechnica.com/news.ars/post/20060407-6554.html

I bet it'd be pretty hard to produce a bot that could pass that test, given a large enough DB of cuddly animals. Of course an attacker can still trick people into doing the work in exchange for porn.

-sam

Re^2: If CAPTCHA isn't the answer. What is?
by ikegami (Patriarch) on Aug 01, 2006 at 22:57 UTC
    Given the small number of guesses required to guess correctly on average — 42 when choosing 3 from 9, 2184 when choosing 5 from 16 — KittenAuth is useless without a properly configured firewall. Without monitoring, it's an invitation to hammer the server.
      It's been a while since I read the article, but I would assume that you are presented with a new set of pictures after an incorrect guess. With a large enough DB to avoid repeats I think your averages are way, way off.

      But yes, of course hammering is to be avoided. There are other tools for that, like my module CGI::Application::Plugin::RateLimiter for example.

      -sam

        The size of the database doesn't matter. With a small database size, you could actually do much better than the odds I gave as time goes on by remembering which images are known cats. I was talking straight brute force.

        For example, you could always select the top three squares. It doesn't matter how many gazillions of images are in the database, your chances of the three cats being in the top three squares are 1 in 84 (assuming the selection of the squares is random). Selecting three random squares instead of the top three squares does not change the math.
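
Added example, not part of any post in this thread: a short Python sketch for sizing a per-client attempt limit on a pick-the-cats test, with a simulation checking the 1-in-84 figure when a fresh grid is served on every try. It assumes cat positions are uniformly random per attempt, as the last reply does; the function names are hypothetical.

```python
import random
from math import comb


def per_attempt_odds(squares, cats):
    """Chance that one blind pick of `cats` squares is exactly the cat set."""
    return 1 / comb(squares, cats)


def pass_probability(squares, cats, attempts):
    """Chance that at least one of `attempts` blind tries passes.

    Assumes each try gets a fresh, independently shuffled grid.
    """
    p = per_attempt_odds(squares, cats)
    return 1 - (1 - p) ** attempts


def max_attempts_for_risk(squares, cats, risk):
    """Largest per-client attempt budget that keeps pass_probability <= risk.

    Returns 0 when even a single attempt already exceeds the accepted risk.
    """
    n = 0
    while pass_probability(squares, cats, n + 1) <= risk:
        n += 1
    return n


def simulate_fixed_pick(squares, cats, trials, seed=0):
    """Monte Carlo check: new random cat placement on every try, while the
    client always selects the first `cats` squares. The image database size
    never enters the calculation, only the positions do."""
    rng = random.Random(seed)
    fixed = set(range(cats))
    hits = sum(
        set(rng.sample(range(squares), cats)) == fixed for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    for squares, cats in ((9, 3), (16, 5)):
        print(f"{cats} of {squares}: 1 in {comb(squares, cats)} per attempt")
        for risk in (0.01, 0.05):
            budget = max_attempts_for_risk(squares, cats, risk)
            print(f"  attempts allowed for <= {risk:.0%} pass risk: {budget}")
    print("simulated 3-of-9 pass rate:", simulate_fixed_pick(9, 3, 100_000))
```

The budget returned is what a rate limiter such as the one mentioned above would need to enforce per client for the chosen risk level.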