验证码替代方案,安全性如何?
我为当地图书馆制作网页,我认为基于书籍封面的“自定义”验证码可能会很有吸引力。因此,提供几十本书的封面之一,并让顾客填写表格并键入书名以证明他们是人类。假设我从图像和文件名中删除了标题/作者信息,这就足够了吗?事实上,它是一个相当小的网站上的独特系统,这一事实足以使其有效吗?如今的垃圾邮件机器人到底有多狡猾? 将图像名称设为 ISBN # 会不会太明显了?
以下是示例封面:
(来源:mfrl.org)
I do the web page for my local library, and I was thinking it might be kind of appealing to have a "custom" captcha based on book covers. So serve up one of several dozen book covers, and have the patron filling out the form type the book title to prove they're human. Assuming I stripped the title/author info from the image and filename, would that be enough? Would the fact that it was a unique system on a fairly small website be enough to make it effective? Just how tricky are the spam bots these days?
Would having the image name be the ISBN # be too obvious?
Here is a sample cover:
(source: mfrl.org)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您需要让 OCR 系统难以读取文本。否则,垃圾邮件机器人将轻松通过您的验证码,而无需人类垃圾邮件发送者进行任何定制。
这就是为什么现在你会在大多数验证码上看到有趣的异或、噪音和失真。
从原则上讲,不将图像名称基于可查找的内容是有意义的,尽管在本地图书馆的情况下,任何垃圾邮件发送者编写自定义脚本来击败您的验证码的可能性很小......
You need to make it difficult for an OCR system to read the text. Otherwise the spam bot will easily get through your captcha, without any customisation from a human spammer.
That's why you see funny XORing, noise and distortion on most captchas these days.
As a matter of principle, it makes sense to NOT base the image name on something that can be looked up, although in the case of a local library, chances are low that any spammers will be writing custom scripts to defeat your captcha...
尝试一下,jQuery 和 html 版本:
实用的非基于图像的验证码方法?
Try, jQuery and html version from this:
Practical non-image based CAPTCHA approaches?