PHPBB3 Captcha difficulty
Is phpBB3 more secure than phpBB2? Here is a default phpBB3 sample.
This is a lot stronger than a phpBB2 captcha. We can’t separate a letter based purely on its colour anymore. Notice how there is a line running underneath the B that is the same colour as the B. The background colour is annoying as anything but only from a person’s point of view. Our PC doesn’t really mind.
One of its weaknesses is that no lines cut across the squares; they all go underneath them. That means there are no breaks in the squares that we have to detect. The only other weakness I can see is that the lines go directly across without intersecting at any point. That means there are no noise objects that look like the squares of the letters.
So here’s my algorithm which I think would solve it. Admittedly I haven’t tested this but I don’t see why it wouldn’t work. All the letters are made up of squares. We need to test whether, starting at one pixel, we can get back to the start by following pixels of the same colour. That obviously would make a square, or something close like a distorted rectangle. It’s almost like a dot-to-dot puzzle. If we can get back to the start, keep the line and colour it in using the previous post’s fill function (or PHP GD’s one). If we can’t get back to the start, or the line keeps travelling too far, then we remove it and find another coloured pixel that doesn’t match the background colour.
The main issues we would have to overcome are lines which are thicker than 1 pixel and small blocks of colour found at the side of some of the letters. The other issue would be making sure we don’t recheck the part we just shaded in (Maybe use a unique colour for it?).




March 21st, 2008 at 6:14 pm
You don’t need to use a unique color, you could just save the information in an array or somewhere else.
I think the most secure captchas are the ones which are bending the letters (like some Google captchas). Another good method to prevent cracking is, in my opinion, the usage of fonts that include whitespace in unusual places (like outlined text).
Captchas like the one above are not easy to solve, but as you wrote it’s doable if you put in some time. Especially if they use one of the easy-to-crack-captchas in common software like the PHPBB3 it’s worth the work of cracking it.
Good work and nice ideas!
March 22nd, 2008 at 6:24 am
Nice article. Captchas are always a mystery. Some very annoying cases are when the user types in the right code, but still an error comes.
March 22nd, 2008 at 12:43 pm
@anty:
I had a reason for not using arrays. The problem is knowing how big the letter is going to be for declaring your array. I guess you could just open up a new picture and copy to it.
@Baby Names:
Are you manually spamming my site by hand? Because I hear that’s slow and boring. The keyword-stuffed name, hmmm… Get yourself a context-sensitive WordPress spammer that rips out parts of the text and agrees etc. Even if it still looks spammy at least it won’t take you ages.
On the other hand if you already have one then it’s pretty damned good and I’d like to know how it works.
March 22nd, 2008 at 9:58 pm
Sometimes slow and boring is the best way. Honestly, I like going through dofollow blogs because sometimes you’ll find a gem of a blog in the rough, such as this one.
I’m posting this while watching my 3-year old play battlefield 2. He’s having a good time shooting at the sky.
March 25th, 2008 at 1:10 pm
I am sure if the people above had checked, they would have seen that this blog is a nofollow blog. Anyway, love your blog, it’s good seeing what’s behind spamming tools.
March 25th, 2008 at 1:40 pm
Yeah. I had a dofollow blog here once, but it didn’t go how I planned so I shredded it up and started again. I find it strange that people looking for dofollow blogs don’t have the nofollow checker firefox plugin installed.
On a sidenote, writing an automated dofollow blog checker is a pain because of the massive number of templates available. You can’t just check all the links for nofollow. You have to locate the comments box and find someone’s name and comment. You might be able to look for things like dates and paragraph size though. hmmm… sketchy
March 25th, 2008 at 1:43 pm
In an ideal internet world, there would be no Spammers, so obviously, there would be no need for captcha verifications.
Anyway, I think your algo will work for sure.
March 26th, 2008 at 1:43 am
Wow, you certainly have a good eye, to be able to interpret the captcha well!
Very insightful. Thanks!
March 26th, 2008 at 6:18 am
Man, that is just so hard to read. It’s so nice of you to have better ideas.
March 26th, 2008 at 12:36 pm
It’s not so hard to read, it’s very big, but they should not make the image size smaller than this.
March 26th, 2008 at 1:51 pm
You’re right. If they made it smaller it might be harder to crack, there might not be a centre to the squares.
March 26th, 2008 at 9:24 pm
Interesting post. What do you think of vBulletin’s captcha system when compared to phpBB then?
March 27th, 2008 at 11:48 am
Well I can’t be bothered to install another forum in a new directory just to get the captcha but if the captcha still looks like this http://sam.zoy.org/pwntcha/vbulletin00.jpeg then I think they have problems. The lines across the image are a great idea, if they aren’t always in exactly the same place. You’d just combine it with a pre-made picture containing only those lines. The dots around the image can probably be removed with a pixel density filter. And then the font is far too simple and constant.
June 13th, 2008 at 5:39 pm
You have a very nice community,
thank you for the valuable information.
June 30th, 2008 at 6:16 am
As everyone in the world knows by now, most websites and forums use “captchas” to try and stop computer programmes from posting fake comments containing adverts. “Captcha” stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. And as everyone in the world ought to have realized by now, they don’t work. There exist a number of ways around them, the most cunning and most effective, although the most difficult to set up, is to build a pornographic website and get real humans to solve the captchas for you in exchange for naked pictures.
July 1st, 2008 at 7:18 am
Hi, I agree with the comment above.