# What about of brute force defeating?

Thread: What about of brute force defeating? | Messages: 5 | Started by: Sergei Kruglov | First post: 2007-07-10 12:18:09 | Last post: 2007-07-11 09:28:59

Sergei Kruglov - 2007-07-10 12:18:09
> Only one picture is the right answers.
> The user has to pick the right picture to pass the validation.
What about defeating brute force? The probability of a random correct answer is 1/n, where n is the number of variants. A very high probability.

Er. Rochak Chauhan - 2007-07-10 14:02:57 - In reply to message 1 from Sergei Kruglov
Good question...
In my opinion there are a couple of ways to make it a tough target for a brute force attack:

1) The placement of the correct answer is random.
2) Each time you choose incorrect option, you get a different question.
3) Instead of 6 options, you can show more options to decrease the probability of a fluke.

Having said that, even the conventional CAPTCHA is not 100% hacker safe, as you can read a fair amount of characters via OCR too.

The idea is not to make it 100% foolproof, but instead to make it a nice and hassle-free user experience.

Regards,
Rochak Chauhan

Sergei Kruglov - 2007-07-10 18:12:13 - In reply to message 2 from Er. Rochak Chauhan
You can give the user more than one question.
For instance, three.
So the probability of brute force becomes 1/6 * 1/6 * 1/6 = 1/216 - better (but not comparable with the 1/million probability of a traditional CAPTCHA with distorted symbols).

p.s. You can check my CAPTCHA solution at http://www.phpclasses.org/browse/package/3193.html - it is especially highly protected against OCR.

Sergei Kruglov - 2007-07-10 21:19:31 - In reply to message 2 from Er. Rochak Chauhan
>1) The placement of the correct answer is random.
>2) Each time you choose incorrect option, you get a different question.

Mathematics says that it does not help.
The probability is still 1/6. Even if you change the question and answer: 1/6.

Er. Rochak Chauhan - 2007-07-11 09:28:59 - In reply to message 3 from Sergei Kruglov
Dear Sergei

I totally agree with you. This is the reason I uploaded the class here: to discuss whether we can actually implement it in a web application.
What I was thinking of implementing in the production version of iCaptcha was:

1) The user needs to answer a series of very simple visual questions with 3x3, i.e. 9 options (probability of each: 1/9)

2) They can be on the same page or can update automatically (using AJAX) in the same place.

3) Say if the total number of questions is 5, the probability is (1/9)*(1/9)*(1/9)*(1/9)*(1/9) = 1/59049

Now the question that needs to be asked is:

a) From the user's point of view, is it less hassle to read and type a distorted text into a textbox
OR
b) to make a few clicks to answer a few simple questions?

If the majority of them say A, the purpose of iCaptcha is defeated... end of story.

But if the answer is B, then we can pitch in a few ideas to make it difficult to hack.

Let me know what you think.

Regards,
Rochak Chauhan.
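The arithmetic the two posters trade above (1/6 per question, 1/216 for three questions, 1/59049 for five questions of nine options) and Sergei's point that rotating the question after a wrong answer leaves the per-attempt odds unchanged can be checked directly. The following is an added example written for this discussion; it is not code from the thread or from the iCaptcha class. It computes the exact pass probability of a blind guesser, runs a Monte Carlo guesser against a challenge that is re-issued after every failure (Rochak's suggestion 2), and wraps the challenge in a small verifier that counts attempts and locks out after a threshold. The `ChallengeVerifier` class, its `max_attempts` lockout policy and the question model (each question is just a correct index among `options` positions) are assumptions of this example, not features discussed in the thread.

```python
"""Added example: modelling a blind guesser against a multiple-choice CAPTCHA.
Not part of the forum thread or the iCaptcha package."""
import random
from fractions import Fraction


def success_probability(options: int, questions: int) -> Fraction:
    """Exact probability that one blind attempt passes `questions` independent
    questions, each with `options` choices and exactly one correct answer."""
    return Fraction(1, options) ** questions


def expected_attempts(options: int, questions: int) -> Fraction:
    """Mean number of attempts a blind guesser needs before passing once.
    This is the number a lockout or rate limit should be compared against."""
    return 1 / success_probability(options, questions)


class ChoiceChallenge:
    """Server-side state of one challenge (assumed model): the correct picture of
    each question is placed at a uniformly random position, as suggestion 1 in
    the thread proposes. Only the server ever sees `answers`."""

    def __init__(self, options: int, questions: int, rng: random.Random):
        self.options = options
        self.answers = [rng.randrange(options) for _ in range(questions)]

    def check(self, guesses) -> bool:
        # A wrong number of answers is always a failure.
        return len(guesses) == len(self.answers) and all(
            g == a for g, a in zip(guesses, self.answers)
        )


class ChallengeVerifier:
    """Hypothetical verifier: issues a fresh challenge after every failed attempt
    (suggestion 2 in the thread) and refuses further attempts once
    `max_attempts` is reached. The lockout threshold is this example's own
    assumption; the thread does not propose one."""

    def __init__(self, options: int, questions: int, max_attempts: int, seed: int = 0):
        self.options, self.questions = options, questions
        self.max_attempts = max_attempts
        self.rng = random.Random(seed)
        self.attempts = 0
        self.locked = False
        self.challenge = ChoiceChallenge(options, questions, self.rng)

    def attempt(self, guesses) -> str:
        """Returns 'passed', 'failed' or 'locked'."""
        if self.locked:
            return "locked"
        self.attempts += 1
        if self.challenge.check(guesses):
            return "passed"
        # Rotate the questions so a failed attempt reveals nothing reusable.
        self.challenge = ChoiceChallenge(self.options, self.questions, self.rng)
        if self.attempts >= self.max_attempts:
            self.locked = True
            return "locked"
        return "failed"


def simulate_guesser(options: int, questions: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo: fraction of blind attempts that pass when the challenge is
    rotated after every attempt. Converges to (1/options) ** questions, which is
    Sergei's point: random placement and rotation do not change the odds of a
    single guess, only the number of questions (or options) does."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        challenge = ChoiceChallenge(options, questions, rng)
        guesses = [rng.randrange(options) for _ in range(questions)]
        if challenge.check(guesses):
            passed += 1
    return passed / trials


if __name__ == "__main__":
    for opts, qs in ((6, 1), (6, 3), (9, 5)):
        p = success_probability(opts, qs)
        print(f"{qs} question(s) x {opts} options: P(pass) = {p}, "
              f"expected attempts = {expected_attempts(opts, qs)}")
    print("simulated 6x1:", simulate_guesser(6, 1, 60_000))
    print("simulated 6x3:", simulate_guesser(6, 3, 100_000))
```

The simulation reproduces the thread's figures: one question of six options passes about one attempt in six however the correct picture is shuffled, three questions give 1/216, and five questions of nine options give 1/59049. The useful defensive number is `expected_attempts`: a guesser needs on average 216 or 59049 submissions, so an attempt counter or per-session rate limit set well below that, together with re-issuing the challenge on failure, is what actually turns the per-attempt probability into a practical obstacle.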