http://qs321.pair.com?node_id=604282


in reply to howto: Perl CGI, image with random scewed text for account creations

I spent quite a long time looking at the various CAPTCHA schemes that are out there in the wild, and what I didn't like about them was that they discriminated against the blind and particularly those who are both blind and hearing impaired. I'm neither, and none of my clients are, either, but I'm just that kind of a guy. So I developed my own, one that plugs a randomly generated non-word string into a sentence and asks the user to find it and enter it into a text input. So far, in about eight months of using it on my low-volume site, it has worked quite well and no one has complained.

Screen readers, in general, will spell out the garbage strings, making it easy enough for the blind to find them and comply. Those who are both blind and deaf can find the garbage string via their Braille terminals... or so goes the theory, since so far no one who's both blind and deaf has contacted me. This was true even before my CAPTCHA went online, though.

It's an easy enough thing to do. From a predefined list of sentences (which could come out of the fortune program), select a sentence at random and a random point within that sentence in which to plug a garbage string. Generate the garbage string, test that it doesn't exist in a dictionary, and plant it in that random spot. Explain to the user that he's supposed to find that non-word and type it into the text input. Use caching similar to that of Authen::Captcha to keep track of what's been recently served and to whom. Bingo bango bongo, an accessible CAPTCHA.

Nuthin' to it but to do it.
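The procedure described in the post above, as an added Perl sketch that is not the poster's own code. All names, the sample sentences, the tiny word list, the 6-letter length and the 300-second lifetime are assumptions made for illustration. An in-memory hash stands in for the Authen::Captcha-style cache, and `/dev/urandom` is assumed to be available.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: a real deployment would load many more sentences
# and a full word list (for example the system dictionary).
my @SENTENCES = (
    'The quick brown fox jumps over the lazy dog',
    'A stitch in time saves nine',
    'Never put off until tomorrow what you can do today',
);
my %DICTIONARY = map { ( lc($_) => 1 ) } qw(the quick brown fox stitch time nine today);
my %PENDING;    # token => { answer, expires }; stands in for the server-side cache

# Assumption: a Unix-like host. Perl's rand() is predictable, so the answer
# and the token come from the kernel CSPRNG instead.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read( $fh, my $buf, $n );
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

sub random_nonword {
    my ($len) = @_;
    while (1) {
        my $s = join '', map { chr( 97 + $_ % 26 ) } unpack 'C*', random_bytes($len);
        return $s unless $DICTIONARY{$s};    # reject an accidental real word
    }
}

sub new_challenge {
    my @words  = split ' ', $SENTENCES[ int rand @SENTENCES ];
    my $answer = random_nonword(6);
    splice @words, int rand( @words + 1 ), 0, $answer;    # plant at a random spot
    my $token = unpack 'H*', random_bytes(16);
    $PENDING{$token} = { answer => $answer, expires => time + 300 };
    return ( $token, join ' ', @words );
}

sub check_answer {
    my ( $token, $typed ) = @_;
    my $entry = delete $PENDING{ $token // '' } or return 0;    # one attempt per challenge
    return 0 if time > $entry->{expires};
    return lc( $typed // '' ) eq $entry->{answer} ? 1 : 0;
}

my ( $token, $text ) = new_challenge();
print "Find the non-word in this sentence and type it in: $text\n";
```

The token goes into a hidden form field and the answer never leaves the server; deleting the entry on the first check means a wrong guess forces a fresh challenge rather than a retry against the same string.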

Re^2: howto: Perl CGI, image with random scewed text for account creations
by Sixtease (Friar) on Mar 12, 2007 at 08:36 UTC
    Would this not be too easy a pick to bypass? With the use of Aspell or any spellchecker, I could quite reliably find the typo automatically. If you added a word that would be a good English word but clearly didn't fit in the sentence, that would be another matter, but that would be also very hard to do randomly with certainty that it will be clear what the inserted word is.

      'Tis the nature of arms races. My grandchildren will be playing this game long after I'm buried in a box.

      I think the next step for any CAPTCHA is to add some additional noise into the equation along with some dynamic firewalling, and that's my plan for my own implementation. The policy will be simply "bounce off of the defense x times in y seconds and you're firewalled away for z seconds". That'll work for a while, then it'll be time for a radical rethink. Again.

Re^2: howto: Perl CGI, image with random scewed text for account creations
by davidnicol (Acolyte) on Mar 12, 2007 at 23:43 UTC
    Over at Akismet they use simple math problems. Simple multiple choice problems would also work. Keeping the data in plain text, so all the sensorily deprived but still plain text capable people can handle it -- brilliant.