I think homemade CAPTCHAs are currently
Thu Apr 01, 2021 12:24pm

winning the arms race. I guarantee there are bots trying to solve Google's RECAPTCHA in numerous different ways.

The CAPTCHA on UCL is simply generate a random number and make the user enter it. I think every BASIC programming book I looked at had a "guess the random number" program.

Still, though, literacy one CAPTCHA at a time. YouTube definitely should do that! (Especially today!)

    • Re: Puck's comment - Erik_, Mon Mar 29 2021 2:42am
      Thanks for trying it out and signing it! The math question idea came from UCL's contact us page that (I think) you set up and said it worked well enough to stop spammers. I was going to do the whole randomized post code thing we have on the message board but figured it was overkill for a demo g... more
      • I think homemade CAPTCHAs are currently- Puckdropper, Thu Apr 01 2021 12:24pm
        • pages don't seem to get hit. *knock on wood* An example (from my reply to Retna's post) was the subscription page that originally didn't have one and got hit but after adding one, it's no longer hit. I'm guessing this small site isn't worth the resources and it's like having an alarm system sign... more
        • Building your own thing has it's benefits... - Retna, Fri Apr 02 2021 12:10pm
          I'm sure lots of bots are programmed to look for WordPress boilerplate and HTML structure. But how many surf the web looking for a form that has an field name "answer" and somehow know to fill out that field using the math question nearby? And to do that on a small website like this where there's ... more
          • Trying out generic WordPress, PHP vulnerabilities and HTML form/query string combinations. (Using A=whatever in the query string is a very common one for some reason.) I did end up using regular reCaptcha 2 on the create account, forgot password and subscription pages though. I originally didn... more
            • I wonder if banning form/query strings that don't return - Puckdropper, Sat Apr 03 2021 2:27am
              anything you want (like A=whatever) would be a good start. I remember seeing a technique published years ago where a form element was hidden (and thus the user would never see it) and its presence or absence was looked for when the form submitted. That only worked so long, though, as bots learned ... more
              • With the message board I'm using SpringMVC which... - Erik_, Tue Apr 06 2021 2:42pm
                I have to specify which query params I want to accept (if any) in the method's parameters. So, if a user enters "?howdy=yall" and I'm not set up to look for a query param named "howdy", it gets completely ignored which is nice. Example for the RSS controller's mapping to get the RSS feed of a m... more
  • Click here to receive daily updates
    "Forces act when not restrained" - Puckdropper