As far as I read from here, the fact that captchas are not 100% secure.what can be used instead of captcha? As a programmer what do you think? how to solve this issue?
从这里我读到,验证码并不是100%安全的。什么可以代替验证码?作为一个程序员,你认为呢?如何解决这个问题?
Edit: thanks for all answers.
编辑:谢谢大家的回答。
10 个解决方案
#1
7
This is an unsolved problem, and will become more unsolved as time passes. The better the OCR tools get, the smaller the gap between humans and computers, and the harder it will be to tell them apart. Eventually, computers will be indistinguishable from humans, and then the game will be up.
这是一个尚未解决的问题,随着时间的推移,这个问题将会变得更加难以解决。OCR工具越好,人类和计算机之间的差距就越小,把它们区分开来就越困难。最终,电脑将与人类无法区分,然后游戏就会结束。
If your server wants to make sure that a human is at the other end of a TCP pipe, there isn't a turing-test in existence that won't eventually be defeated (and there probably never will be one). CAPTCHA is doomed, it's just a matter of how soon.
如果您的服务器想要确保一个人在TCP管道的另一端,那么就不会有一个不存在的测试,它最终不会被打败(而且可能永远不会被打败)。验证码注定要失败,这只是时间问题。
Of course, that doesn't mean it's all over as far as human authentication is concerned. It just means that automated turing tests, as convenient as they are, won't be an effective way to achieve this for very much longer.
当然,这并不意味着就人类身份验证而言,一切都结束了。这仅仅意味着自动化的图灵测试,尽管很方便,但在很长一段时间内都不是实现这一点的有效方法。
#2
6
- Captcha involving human reflexion (like calculation, really simple question, and the like).
- 包含人类反射的验证码(比如计算,非常简单的问题,等等)。
- Session tokens
- 会话令牌
- randomly generated hidden input which requires to be null, on the server side generate a random identifier, keep it in a session for a while. If the input is filled and not null, then it might have been filled by a robot, do your users will fill an hidden input ?
- 随机生成的隐藏输入需要为null,在服务器端生成一个随机标识符,将其保存在会话中一段时间。如果输入是被填充的,并且不是空的,那么它可能是由机器人填充的,那么您的用户会填充隐藏的输入吗?
I think it really depends on what you are trying to control over the use of captcha.
我认为这取决于你试图控制captcha的使用。
#3
5
Further explanation of a suggestion made by Boris:
鲍里斯建议的进一步解释:
randomly generated hidden input which requires to be null
随机生成的隐藏输入,要求为null
The idea is that your form contains several invisible inputs, their type should probably not be set to hidden, but they should be invisible to a human (e.g. set width or height to 0). The initial content of these fields should be empty. If a human fills out the form, the field will be empty, because the human cannot see the field in order to enter anything into it, but if a bot fills out the form the field will (possibly) not be empty, because bots usually just blindly enter something into every field.
其思想是,表单包含几个不可见的输入,它们的类型不应该设置为隐藏,但应该对人类不可见(例如,将宽度或高度设置为0)。如果人类填写表单,该领域将是空的,因为人类无法看到现场为了进入任何东西,但如果机器人填写表单字段(可能)不会是空的,因为机器人通常只是盲目地进入到各个领域。
Thus, you can distinguish between a bot and a human based on whether the content of this field is empty.
因此,您可以根据这个字段的内容是否为空来区分机器人和人类。
#4
1
Although captchas can be broken, Capthca's only add to security reCapthca is very good, and a trained OCR like Tesseract is going to have very limited success in breaking it. However, there are outfits that use Human Computation to break them for pennies. But this makes attacks against your system more expensive, and thats the best you can hope for. Cryptography can be broken with brute-force. All password hashes are breakable, but we still use them because it makes it harder for the attacker.
虽然验证码是可以被破坏的,但是Capthca只增加了安全性,而且像Tesseract这样训练有素的OCR在破坏它方面的成功是非常有限的。然而,也有一些机构利用人工计算来节省开支。但这会让攻击你的系统变得更贵,这是你所能期望的最好结果。密码术可以用暴力破解。所有的密码散列都是易碎的,但是我们仍然使用它们,因为这样会使攻击者更加困难。
Most of the "solutions" on this thread are "Security Though Obscurity" and you should be wary of these quick fixes to a very complex problem.
这个线程上的大多数“解决方案”都是“安全性但不为人知”,您应该警惕这些针对非常复杂的问题的快速修复。
#5
0
Captcha's are used to determine that an actual human being is doing the request, not a machine. Captcha's and captcha-like systems will upgrade, and so will the technology to break them.
Captcha用于确定实际的人是在执行请求,而不是机器。Captcha和Captcha类似的系统将会升级,而破解它们的技术也会升级。
So how do you proof that you're talking to a human and not a computer? You could for instance require users to engage in a chat session and have small conversation. There's no AI nowadays that pass the turing test.
那么,你如何证明你是在跟人说话,而不是跟电脑说话呢?例如,您可以要求用户参与聊天会话并进行小型对话。现在没有人工智能通过图灵测试。
So the answer is, no system is perfect. Don't try to solve this issue, but try to find a way to reduce the impact of this.
所以答案是,没有一个系统是完美的。不要试图解决这个问题,但要设法减少它的影响。
#6
0
In the long run government could run openid servers as digital passports for their citizens. It would be a clean way to identify human beings and prevent sockpuppeting.
从长远来看,*可以将openid服务器作为公民的数字护照。这将是一种清晰的识别人类的方法,并防止布袋戏。
#7
0
At the moment on my website I opted for simple questions. Some questions I've used in the past:
在我的网站上,我选择了简单的问题。一些我过去用过的问题:
- What is two to the power of one?
- 2的1次方等于多少?
- What is 2+2? (this one was hacked though so don't use it)
- 2 + 2是什么?(这个被黑客攻击了,所以不要使用它)
- What is the name of this website domain?
- 这个网站域名是什么?
- What is the sum of two and two?
- 2和2的和是多少?
Some other nice ones could be
还有一些更好的
- type in 'stuff' to this box as a spam check
- 在此框中输入“stuff”作为垃圾邮件检查
- What does 1337 look like? (using only letters)
- 1337是什么样子?(只使用字母)
- the current year is?
- 今年是什么?
#8
0
The best way I can think of is using something unconventional, like a special hidden field that should be null (or another specific value) that robots will mess with.
我能想到的最好的方法是使用一些非常规的东西,比如一个特殊的隐藏字段,这个字段应该是空的(或者另一个特定的值),机器人会把它搞乱。
If some robot maker adjusts his robot for your site, you'll have to quickly change the captcha to something different. It will (hopefully) take a good while before another robot maker adjusts his robot for your site.
如果某个机器人制造商为您的站点调整了他的机器人,您将不得不快速地将验证码更改为其他内容。在另一个机器人制造商为你的站点调整他的机器人之前(希望如此)需要一段时间。
Basically, it's a security through obscurity that has to constantly change to remain obscure.
基本上,它是一种通过隐藏而实现的安全,它必须不断地变化才能保持不为人知。
This won't work very well if someone is specifically targeting your site.
如果有人专门针对你的网站,这将不会很有效。
#9
0
Its just an idea, id used that in my application and works well
这只是一个想法,我在我的应用程序中使用了它,并且运行良好
you can create a cookie on mouse movement with javascript or jquery and in server side check if cookie exist, because only humans have mouse, cookie can be created only by them the cookie can be a timestamp or a token that can be validate
你可以用javascript或jquery在鼠标移动上创建一个cookie,在服务器端检查cookie是否存在,因为只有人类有鼠标,cookie才能被他们创建,cookie可以是时间戳,也可以是可以验证的令牌。
#10
0
Gets the coordinates of the mouse, determine whether the coordinates have changed, you can determine whether it is a robot.
获取鼠标的坐标,确定坐标是否改变,您可以确定它是否是一个机器人。
Then encrypt the coordinate data.
然后加密坐标数据。
#1
7
This is an unsolved problem, and will become more unsolved as time passes. The better the OCR tools get, the smaller the gap between humans and computers, and the harder it will be to tell them apart. Eventually, computers will be indistinguishable from humans, and then the game will be up.
这是一个尚未解决的问题,随着时间的推移,这个问题将会变得更加难以解决。OCR工具越好,人类和计算机之间的差距就越小,把它们区分开来就越困难。最终,电脑将与人类无法区分,然后游戏就会结束。
If your server wants to make sure that a human is at the other end of a TCP pipe, there isn't a turing-test in existence that won't eventually be defeated (and there probably never will be one). CAPTCHA is doomed, it's just a matter of how soon.
如果您的服务器想要确保一个人在TCP管道的另一端,那么就不会有一个不存在的测试,它最终不会被打败(而且可能永远不会被打败)。验证码注定要失败,这只是时间问题。
Of course, that doesn't mean it's all over as far as human authentication is concerned. It just means that automated turing tests, as convenient as they are, won't be an effective way to achieve this for very much longer.
当然,这并不意味着就人类身份验证而言,一切都结束了。这仅仅意味着自动化的图灵测试,尽管很方便,但在很长一段时间内都不是实现这一点的有效方法。
#2
6
- Captcha involving human reflexion (like calculation, really simple question, and the like).
- 包含人类反射的验证码(比如计算,非常简单的问题,等等)。
- Session tokens
- 会话令牌
- randomly generated hidden input which requires to be null, on the server side generate a random identifier, keep it in a session for a while. If the input is filled and not null, then it might have been filled by a robot, do your users will fill an hidden input ?
- 随机生成的隐藏输入需要为null,在服务器端生成一个随机标识符,将其保存在会话中一段时间。如果输入是被填充的,并且不是空的,那么它可能是由机器人填充的,那么您的用户会填充隐藏的输入吗?
I think it really depends on what you are trying to control over the use of captcha.
我认为这取决于你试图控制captcha的使用。
#3
5
Further explanation of a suggestion made by Boris:
鲍里斯建议的进一步解释:
randomly generated hidden input which requires to be null
随机生成的隐藏输入,要求为null
The idea is that your form contains several invisible inputs, their type should probably not be set to hidden, but they should be invisible to a human (e.g. set width or height to 0). The initial content of these fields should be empty. If a human fills out the form, the field will be empty, because the human cannot see the field in order to enter anything into it, but if a bot fills out the form the field will (possibly) not be empty, because bots usually just blindly enter something into every field.
其思想是,表单包含几个不可见的输入,它们的类型不应该设置为隐藏,但应该对人类不可见(例如,将宽度或高度设置为0)。如果人类填写表单,该领域将是空的,因为人类无法看到现场为了进入任何东西,但如果机器人填写表单字段(可能)不会是空的,因为机器人通常只是盲目地进入到各个领域。
Thus, you can distinguish between a bot and a human based on whether the content of this field is empty.
因此,您可以根据这个字段的内容是否为空来区分机器人和人类。
#4
1
Although captchas can be broken, Capthca's only add to security reCapthca is very good, and a trained OCR like Tesseract is going to have very limited success in breaking it. However, there are outfits that use Human Computation to break them for pennies. But this makes attacks against your system more expensive, and thats the best you can hope for. Cryptography can be broken with brute-force. All password hashes are breakable, but we still use them because it makes it harder for the attacker.
虽然验证码是可以被破坏的,但是Capthca只增加了安全性,而且像Tesseract这样训练有素的OCR在破坏它方面的成功是非常有限的。然而,也有一些机构利用人工计算来节省开支。但这会让攻击你的系统变得更贵,这是你所能期望的最好结果。密码术可以用暴力破解。所有的密码散列都是易碎的,但是我们仍然使用它们,因为这样会使攻击者更加困难。
Most of the "solutions" on this thread are "Security Though Obscurity" and you should be wary of these quick fixes to a very complex problem.
这个线程上的大多数“解决方案”都是“安全性但不为人知”,您应该警惕这些针对非常复杂的问题的快速修复。
#5
0
Captcha's are used to determine that an actual human being is doing the request, not a machine. Captcha's and captcha-like systems will upgrade, and so will the technology to break them.
Captcha用于确定实际的人是在执行请求,而不是机器。Captcha和Captcha类似的系统将会升级,而破解它们的技术也会升级。
So how do you proof that you're talking to a human and not a computer? You could for instance require users to engage in a chat session and have small conversation. There's no AI nowadays that pass the turing test.
那么,你如何证明你是在跟人说话,而不是跟电脑说话呢?例如,您可以要求用户参与聊天会话并进行小型对话。现在没有人工智能通过图灵测试。
So the answer is, no system is perfect. Don't try to solve this issue, but try to find a way to reduce the impact of this.
所以答案是,没有一个系统是完美的。不要试图解决这个问题,但要设法减少它的影响。
#6
0
In the long run government could run openid servers as digital passports for their citizens. It would be a clean way to identify human beings and prevent sockpuppeting.
从长远来看,*可以将openid服务器作为公民的数字护照。这将是一种清晰的识别人类的方法,并防止布袋戏。
#7
0
At the moment on my website I opted for simple questions. Some questions I've used in the past:
在我的网站上,我选择了简单的问题。一些我过去用过的问题:
- What is two to the power of one?
- 2的1次方等于多少?
- What is 2+2? (this one was hacked though so don't use it)
- 2 + 2是什么?(这个被黑客攻击了,所以不要使用它)
- What is the name of this website domain?
- 这个网站域名是什么?
- What is the sum of two and two?
- 2和2的和是多少?
Some other nice ones could be
还有一些更好的
- type in 'stuff' to this box as a spam check
- 在此框中输入“stuff”作为垃圾邮件检查
- What does 1337 look like? (using only letters)
- 1337是什么样子?(只使用字母)
- the current year is?
- 今年是什么?
#8
0
The best way I can think of is using something unconventional, like a special hidden field that should be null (or another specific value) that robots will mess with.
我能想到的最好的方法是使用一些非常规的东西,比如一个特殊的隐藏字段,这个字段应该是空的(或者另一个特定的值),机器人会把它搞乱。
If some robot maker adjusts his robot for your site, you'll have to quickly change the captcha to something different. It will (hopefully) take a good while before another robot maker adjusts his robot for your site.
如果某个机器人制造商为您的站点调整了他的机器人,您将不得不快速地将验证码更改为其他内容。在另一个机器人制造商为你的站点调整他的机器人之前(希望如此)需要一段时间。
Basically, it's a security through obscurity that has to constantly change to remain obscure.
基本上,它是一种通过隐藏而实现的安全,它必须不断地变化才能保持不为人知。
This won't work very well if someone is specifically targeting your site.
如果有人专门针对你的网站,这将不会很有效。
#9
0
Its just an idea, id used that in my application and works well
这只是一个想法,我在我的应用程序中使用了它,并且运行良好
you can create a cookie on mouse movement with javascript or jquery and in server side check if cookie exist, because only humans have mouse, cookie can be created only by them the cookie can be a timestamp or a token that can be validate
你可以用javascript或jquery在鼠标移动上创建一个cookie,在服务器端检查cookie是否存在,因为只有人类有鼠标,cookie才能被他们创建,cookie可以是时间戳,也可以是可以验证的令牌。
#10
0
Gets the coordinates of the mouse, determine whether the coordinates have changed, you can determine whether it is a robot.
获取鼠标的坐标,确定坐标是否改变,您可以确定它是否是一个机器人。
Then encrypt the coordinate data.
然后加密坐标数据。