in reply to Re: If CAPTCHA isn't the answer. What is?
in thread If CAPTCHA isn't the answer. What is?

Given the small number of guesses required to guess correctly on average — 42 when choosing 3 from 9, 2184 when choosing 5 from 16 — KittenAuth is useless without a properly configured firewall. Without monitoring, it's an invitation to hammer the server.

Re^3: If CAPTCHA isn't the answer. What is?
by samtregar (Abbot) on Aug 02, 2006 at 03:46 UTC
    It's been a while since I read the article, but I would assume that you are presented with a new set of pictures after an incorrect guess. With a large enough DB to avoid repeats I think your averages are way, way off.

    But yes, of course hammering is to be avoided. There are other tools for that, like my module CGI::Application::Plugin::RateLimiter for example.

    -sam

      The size of the database doesn't matter. With a small database size, you could actually do much better than the odds I gave as time goes on by remembering which images are known cats. I was talking straight brute force.

      For example, you could always select the top three squares. It doesn't matter how many gazillion of images are in the database, your chances of the three cats being in the top three squares are 1 in 84 (assuming the selection of the squares is random). Selecting three random squares instead of the top three squares does not change the math.

        That can be easily prevented by requiring that the user select not "The three cats among these 9 images" but "All cats among these images" (there can be more or less, even none!) or maybe "The second brown cat and the last dog".

        --
        David Serrano
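
The guess counts argued over in this thread, as an added worked example that is not part of any post above: it computes the answer-space sizes from the opening reply (3 cats among 9, 5 among 16), David Serrano's "all cats, count unknown" variant, the per-guess odds that samtregar's fresh-pictures point leaves unchanged, and how a per-client rate limit of the kind his module provides turns a guess count into wall-clock time. The attempt rate (6 guesses per minute) is a constructed assumption, and the function names are mine, not KittenAuth's.

```python
from math import ceil, comb

# Constructed rate-limit assumption for the timing estimate (not from the thread):
# one guess every ten seconds, i.e. 6 attempts per minute per client.
ASSUMED_ATTEMPTS_PER_MINUTE = 6


def answer_space(images, cats=None):
    """Number of distinct answers a blind guesser has to choose from.

    cats given -> the challenge promises exactly `cats` cats among `images`
                  pictures ("pick the 3 cats among these 9"), so an answer is
                  one of C(images, cats) subsets.
    cats None  -> the challenge only says "select all cats" and the count is
                  unknown (the variant suggested in the thread), so any subset
                  of the pictures, the empty one included, is a candidate:
                  2 ** images.
    """
    if cats is None:
        return 2 ** images
    return comb(images, cats)


def per_guess_probability(images, cats=None):
    """Chance that one uniformly chosen answer is correct; the same whether the
    guesser always picks the top three squares or three random ones."""
    return 1.0 / answer_space(images, cats)


def guesses_for_even_odds(images, cats=None):
    """Fixed challenge, guesser enumerates answers without repeating: after half
    the answer space the right one has been tried with probability 1/2."""
    return ceil(answer_space(images, cats) / 2)


def success_within(images, guesses, cats=None):
    """Fresh pictures after every wrong guess (nothing to enumerate): attempts
    are independent, so P(at least one hit in k guesses) = 1 - (1 - p) ** k."""
    p = per_guess_probability(images, cats)
    return 1.0 - (1.0 - p) ** guesses


def seconds_for_even_odds(images, cats=None,
                          attempts_per_minute=ASSUMED_ATTEMPTS_PER_MINUTE):
    """Wall-clock time the enumerating guesser needs under a per-client rate limit."""
    return guesses_for_even_odds(images, cats) * 60.0 / attempts_per_minute


def report(images, cats=None):
    """One summary line per challenge configuration."""
    label = (f"{cats} cats among {images}" if cats is not None
             else f"'all cats' among {images} (count unknown)")
    n = answer_space(images, cats)
    k = guesses_for_even_odds(images, cats)
    return (f"{label}: {n} possible answers, 1 in {n} per guess; "
            f"{k} guesses for even odds against a fixed challenge "
            f"({seconds_for_even_odds(images, cats) / 60:.0f} min at "
            f"{ASSUMED_ATTEMPTS_PER_MINUTE}/min); "
            f"{success_within(images, k, cats):.1%} success in the same {k} "
            f"guesses if the pictures change every time")


if __name__ == "__main__":
    for images, cats in ((9, 3), (16, 5), (9, None), (16, None)):
        print(report(images, cats))
```

The two success models bracket the argument in the thread: against a challenge that stays fixed, 42 enumerated guesses give even odds at 3-of-9; if the pictures change after each miss, the per-guess chance is still 1 in 84 and only the rate limit decides how many of those guesses a client gets to make. Asking for "all cats" with an unknown count raises 9 images from 84 to 512 candidate answers.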