yiisoft / yii2

Yii 2: The Fast, Secure and Professional PHP Framework
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License

Improving yii's captcha strength #1100

Closed xwz closed 6 years ago

xwz commented 11 years ago

CAPTCHA Strengths and Weaknesses

Based on the paper "Text-based CAPTCHA Strengths and Weaknesses" (http://ly.tl/p22), yii's internal captcha generator is weak.

Measuring attack effectiveness

Coverage is the fraction of captchas that the solver attempts to answer. Precision is the fraction of captchas answered correctly. A captcha scheme is broken when the attacker is able to reach a precision of at least 1% (1 in 100 attempts).

Design principles

The following principles apply to the design of the captcha core features:

  1. Randomize the captcha length: Don’t use a fixed length; it gives too much information to the attacker.
  2. Randomize the character size: Make sure the attacker can’t make educated guesses by using several font sizes and several fonts. Using several fonts reduces the classifier accuracy and the scheme’s learnability.
  3. Wave the captcha: Waving the captcha increases the difficulty of finding cut points in case of collapsing and helps mitigate the risk of the attacker finding the added line based on its slope when using lines.

    Anti-recognition

  4. Use anti-recognition techniques as a means of strengthening captcha security.
  5. Don’t use a complex charset.

    Anti-Segmentation

  6. Use collapsing or lines.
  7. Be careful while implementing.
  8. Create alternative schemes.

samdark commented 11 years ago

@xwz are you going to work on the implementation, or is it a suggestion?

samdark commented 11 years ago

Captcha length is now random from 6 to 7 characters by default. The overall changes don't affect the API, so they could be implemented closer to release.

xwz commented 11 years ago

We can also add improvements incrementally. E.g. start with adding lines.

dynasource commented 8 years ago

To what extent is the current captcha safe enough? If this is too low, we should give this higher priority; otherwise this is a nice to have and not an issue.

samdark commented 8 years ago

It's not really defending you if someone is using OCR.

dynasource commented 8 years ago

Is OCR dependent on images over HTTP?

samdark commented 8 years ago

OCR can work with any image. There aren't many images which are hard for OCR and easy for humans nowadays so most CAPTCHAs aren't totally safe.

dynasource commented 8 years ago

In the past I've made a captcha based on CSS. There are a lot of variations thinkable, using different techniques to create numbers based on random HTML, JS & CSS combinations. But you could argue that this is already getting out of the yii scope. Should we abandon support for this?

samdark commented 8 years ago

The interface for CAPTCHA that Yii has is a very nice one. It allows customizing generation and calculations. Defaults aren't too strong, and that could be adjusted based on what @xwz proposed.
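As an added example (not code from this issue or from yii2 itself), here is how the principles from @xwz's first comment can be applied through the customization point @samdark refers to: a subclass of yii\captcha\CaptchaAction overriding renderImage(). The properties minLength, maxLength, width, height, padding, offset, foreColor, backColor and fontFile are CaptchaAction's own; $lineCount and $waveAmplitude are introduced here.

```php
<?php
// Added example, not part of yii2. Extends yii\captcha\CaptchaAction;
// $lineCount and $waveAmplitude are properties introduced here.
namespace app\components;
use yii\captcha\CaptchaAction;

class HardenedCaptchaAction extends CaptchaAction
{
    public $minLength = 5;      // principle 1: the parent's generateVerifyCode()
    public $maxLength = 8;      // already picks a length in [minLength, maxLength]
    public $lineCount = 3;      // principle 6: distractor lines crossing the glyphs
    public $waveAmplitude = 4;  // principle 3: vertical wave amplitude in pixels

    protected function renderImage($code)
    {
        $w = $this->width;
        $h = $this->height;
        $image = imagecreatetruecolor($w, $h);
        $bg = imagecolorallocate($image, ($this->backColor >> 16) & 0xFF, ($this->backColor >> 8) & 0xFF, $this->backColor & 0xFF);
        $fg = imagecolorallocate($image, ($this->foreColor >> 16) & 0xFF, ($this->foreColor >> 8) & 0xFF, $this->foreColor & 0xFF);
        imagefilledrectangle($image, 0, 0, $w - 1, $h - 1, $bg);
        $x = $this->padding;
        for ($i = 0, $n = strlen($code); $i < $n; $i++) {
            // principle 2: a different size, rotation and baseline for every glyph
            $size = mt_rand((int) ($h * 0.4), (int) ($h * 0.7));
            $y = mt_rand($size + $this->padding, $h - $this->padding);
            $box = imagettftext($image, $size, mt_rand(-15, 15), $x, $y, $fg, $this->fontFile, $code[$i]);
            $x = $box[2] + $this->offset; // advance past the glyph's lower-right corner
        }
        for ($i = 0; $i < $this->lineCount; $i++) {
            imageline($image, 0, mt_rand(0, $h - 1), $w - 1, mt_rand(0, $h - 1), $fg);
        }
        // principle 3: shift every pixel column by a sine wave with random period and phase
        $waved = imagecreatetruecolor($w, $h);
        imagefilledrectangle($waved, 0, 0, $w - 1, $h - 1, $bg);
        $period = mt_rand(40, 70);
        $phase = mt_rand(0, 628) / 100;
        for ($col = 0; $col < $w; $col++) {
            $dy = (int) round($this->waveAmplitude * sin(2 * M_PI * $col / $period + $phase));
            imagecopy($waved, $image, $col, $dy, $col, 0, 1, $h);
        }
        imagedestroy($image);
        ob_start();
        imagepng($waved);
        imagedestroy($waved);
        return ob_get_clean(); // CaptchaAction::run() sends this as the raw image body
    }
}
```

Wire it in by pointing the controller's `captcha` action at this class instead of `yii\captcha\CaptchaAction`; as the later comments in this thread note, visual hardening raises the cost of automated solving but does not stop OCR or human solving services.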

cronfy commented 7 years ago

Last week I tried to protect a form with yii2's builtin captcha. Results were sad: there was absolutely no difference whether the captcha was enabled or not. Logging showed that bots were correctly solving it without a single mistake.

Then I installed himiklab/yii2-recaptcha-widget, and it solved the problem.

Keeping in mind these two points:

I am just curious: why is captcha required to be in core at all?

cebe commented 7 years ago

I am just curious: why is captcha required to be in core at all?

It is not required; we can move it to an extension in 2.1.

dynasource commented 7 years ago

Agree, this is complex enough to move away from core.

About these bots, chances are that they are actually real people in Asia ;) solving captcha all day.

samdark commented 7 years ago

Agree about captcha. Worth moving out of the core.

samdark commented 7 years ago

https://www.reddit.com/r/PHP/comments/6fl2uo/yii_2012_is_released/dikr7hd/

yii-bot commented 6 years ago

Issue moved to https://github.com/yiisoft/yii2-captcha/issues/2