yiisoft / yii-captcha

Yii Framework Captcha widget Extension
https://www.yiiframework.com/
BSD 3-Clause "New" or "Revised" License
18 stars, 6 forks

Improving yii's captcha strength #2

Open yii-bot opened 6 years ago

yii-bot commented 6 years ago

This issue has originally been reported by @xwz at https://github.com/yiisoft/yii2/issues/1100. Moved here by @samdark.


CAPTCHA Strengths and Weaknesses

Based on the paper "Text-based CAPTCHA Strengths and Weaknesses" (http://ly.tl/p22), yii's internal captcha generator is weak.

Measuring attack effectiveness

Coverage is the fraction of captchas that the solver attempts to answer. Precision is the fraction of captchas answered correctly. A captcha scheme is broken when the attacker is able to reach a precision of at least 1% (1 in 100 attempts).

Design principles

The following principles apply to the design of the captcha core features:

  1. Randomize the captcha length: Don’t use a fixed length; it gives too much information to the attacker.
  2. Randomize the character size: Make sure the attacker can’t make educated guesses by using several font sizes / several fonts. Using several fonts reduces the classifier accuracy and the scheme’s learnability.
  3. Wave the captcha: Waving the captcha increases the difficulty of finding cut points in case of collapsing and helps mitigate the risk of the attacker finding the added line based on its slope when using lines.

    Anti-recognition

  4. Use anti-recognition techniques as a means of strengthening captcha security.
  5. Don’t use a complex charset.

    Anti-segmentation

  6. Use collapsing or lines.
  7. Be careful while implementing.
  8. Create alternative schemes.
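The metric from the quoted paper and the layout principles 1, 2, 3 and 6 above, as an added example; this is not code from the yii-captcha project or from the issue's author. It produces only the glyph layout (character, font, size, position) for a captcha, not a rendered image; the charset, the placeholder font names, the size and wave ranges and the 25% overlap are assumptions chosen for illustration. Precision is computed over the captchas the solver chose to answer, which is how the paper's coverage/precision trade-off reads.

```python
import math
import random
from dataclasses import dataclass

# Assumptions for illustration only (not from the yii-captcha project):
# a small unambiguous charset (principle 5) and placeholder font names.
CHARSET = "abcdefghjkmnpqrstuvwxyz23456789"
FONTS = ("sans-a", "serif-b", "mono-c")


@dataclass
class Glyph:
    char: str
    font: str
    size: int
    x: float   # left edge on the image
    y: float   # baseline, after the wave displacement


def wave_offset(x, amplitude, wavelength, phase):
    """Vertical displacement at column x: the 'wave the captcha' principle."""
    return amplitude * math.sin(2 * math.pi * x / wavelength + phase)


def generate_captcha(rng, min_len=5, max_len=8, min_size=24, max_size=40, overlap=0.25):
    """Return the glyph layout for one captcha, following principles 1-3 and 6.

    Only the layout is produced; rendering it with a real font is left out.
    """
    length = rng.randint(min_len, max_len)            # 1: randomised length
    amplitude = rng.uniform(4.0, 10.0)                 # 3: per-captcha wave parameters
    wavelength = rng.uniform(60.0, 140.0)
    phase = rng.uniform(0.0, 2 * math.pi)
    glyphs = []
    x = 10.0
    for _ in range(length):
        size = rng.randint(min_size, max_size)         # 2: random size per glyph
        font = rng.choice(FONTS)                       # 2: random font per glyph
        char = rng.choice(CHARSET)
        y = 50.0 + wave_offset(x, amplitude, wavelength, phase)
        glyphs.append(Glyph(char, font, size, x, y))
        # 6: advance less than a glyph width so neighbours overlap (collapsing),
        # which removes the clean vertical cut points a segmenter looks for
        x += size * (1.0 - overlap)
    return glyphs


def solution(glyphs):
    """The text the user must type for this layout."""
    return "".join(g.char for g in glyphs)


# Attack-effectiveness metrics as defined in the quoted paper
def coverage(attempted, total):
    """Fraction of captchas the solver attempts to answer."""
    return attempted / total


def precision(correct, attempted):
    """Fraction of the attempted captchas the solver answered correctly."""
    return correct / attempted if attempted else 0.0


def is_broken(correct, attempted, threshold=0.01):
    """The paper's criterion: a scheme is broken at 1% precision or more."""
    return precision(correct, attempted) >= threshold


if __name__ == "__main__":
    rng = random.Random(7)   # fixed seed so the demonstration is reproducible
    captcha = generate_captcha(rng)
    print(solution(captcha), [(g.font, g.size, round(g.y, 1)) for g in captcha])
    # a solver that skips 90% of captchas but gets 3 of its 100 answers right
    print(coverage(100, 1000), precision(3, 100), is_broken(3, 100))
```

Note the trade-off the metric exposes: a solver that skips every captcha it is unsure about can have low coverage and still exceed 1% precision, which is why a scheme has to hold up against the attacker's best guesses, not just the average one.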

machour commented 5 years ago

Currently, it seems that the following have already been implemented: