Most Difficult Captcha Of All Time
I was working with the new cfimage tag last night to help me create some simple CAPTCHAs for my new site. The docs have a pretty good example, but for some reason I was having issues getting the darn thing working. It kept throwing errors about the image not being wide enough. The docs explain it like this:
For the CAPTCHA image to display, the width value must be greater than: fontSize times the number of characters specified in text times 1.08.
So I kept increasing the size of my image and reducing the font until I finally got the darn thing to render. Here's what it looked like:

I very quickly realized what the problem was. To generate the text for the CAPTCHA I was creating a random string. To validate the CAPTCHA you hash that string and plug the hashed value into a hidden form field. Then, when the form is submitted, you compare the hashed string from the hidden field with a hash of the user's input; the CAPTCHA validates if they match. Apparently I had mistakenly plugged the hashed string, rather than the random string, into the cfimage tag, leading to the nearly impossible CAPTCHA.



http://random.irb.hr/signup.php
I didn't think you wanted to 'store' the hashed value inside the form. In effect this would allow somebody to visually work out the value, and then build their own form.
We had this problem with a number of spam bots. Once a human matched hash to value, they could submit as many times as they like. Of
Adam
Why not just store your captcha in session scope? It's pretty secure.
By storing it in a hidden form field you "expose" your captcha for all to see. Ok so it's hashed but....
A few weeks ago I wrote a blog entry on the CF8 captcha.
http://www.garyrgilbert.com/blog/index.cfm/2007/7/...
I think hashes are more than secure enough. You can break them with hash dictionaries, but that kind of attack would be pretty slow on a blog (afaik).
You can use session, you can even have a submission marker held in the application scope, that is used up once a successful submit is retrieved.
TBH keeping the hash inside the form is a no-no in my books.
Heck, here's a hashed string:
7ac66c0f148de9519b8bd264312c4d64
Here's the unhashed string:
abcdefg
I can simply submit whatever I want to your form. You've given me the ability to create not just the key, but the lock too.
Your system, if the hashed string is submitted from the form, has no way of knowing if this is the hash string you're supposed to be decoding.
TBH we also found Joe Public found captchas confusing. Eventually we turned it off and did some banned word analysis (as well as time taken to submit form).
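The workflow in the post (random string, hash, hidden field, compare) and the objection raised in the comments above (a hidden hash lets the visitor supply both the answer and its matching hash, and re-use a solved one) are put together below as CF8 CFML. This is an added example, not code from the post, its commenters or Adobe's documentation. It assumes session management is enabled for the application (sessionManagement="true" in Application.cfc or cfapplication) and uses the cfimage captcha attributes as documented for ColdFusion 8 (action, text, width, height, fontSize, difficulty); the width arithmetic follows the rule quoted in the post.

```cfml
<!---
  Added example (not from the post): one template that both renders the CAPTCHA
  and checks the answer. The answer lives in the session scope; the browser only
  ever receives the picture. Assumes session management is enabled.
--->

<cfif structKeyExists(form, "captcha") AND structKeyExists(session, "captchaText")>

    <!--- One-shot compare: read the expected answer, then discard it so a correct
          answer cannot be replayed by resubmitting the same form. --->
    <cfset expected = session.captchaText>
    <cfset structDelete(session, "captchaText")>

    <cfif compareNoCase(trim(form.captcha), expected) EQ 0>
        <cfoutput><p>CAPTCHA passed.</p></cfoutput>
    <cfelse>
        <cfoutput><p>CAPTCHA failed, please try again.</p></cfoutput>
    </cfif>

<cfelse>

    <!--- Build a 6-character random string. Ambiguous glyphs (0/O, 1/I/l) are
          left out so the image stays readable. This plain text, not its hash,
          is what goes into the cfimage tag. --->
    <cfset alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789">
    <cfset captchaText = "">
    <cfloop from="1" to="6" index="i">
        <cfset captchaText = captchaText & mid(alphabet, randRange(1, len(alphabet), "SHA1PRNG"), 1)>
    </cfloop>

    <!--- Server-side copy of the answer, bound to this visitor's session. --->
    <cfset session.captchaText = captchaText>

    <!--- Width rule from the cfimage docs: width must be greater than
          fontSize * number of characters * 1.08. A small margin keeps the tag
          from rejecting the image on rounding. --->
    <cfset fontSize = 24>
    <cfset imgWidth = ceiling(fontSize * len(captchaText) * 1.08) + 10>
    <cfset imgHeight = fontSize * 2>

    <cfoutput>
    <form method="post" action="#cgi.script_name#">
        <cfimage action="captcha" text="#captchaText#" width="#imgWidth#"
                 height="#imgHeight#" fontSize="#fontSize#" difficulty="medium">
        <!--- Deliberately absent: a hidden field carrying hash(captchaText).
              With that field present the visitor can post any word of their
              choosing together with that word's own hash and always pass. --->
        <input type="text" name="captcha" autocomplete="off">
        <input type="submit" value="Submit">
    </form>
    </cfoutput>

</cfif>
```

If the session entry has expired by the time the form comes back, the template simply issues a fresh CAPTCHA rather than treating the submission as valid, which is the safe default when the expected answer is unknown.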
http://recaptcha.net/learnmore.html
Our rate is $2 per 1000 captchas.
We just wanna make the relationship for the long term. Can we go forward? Thank you. (For inquiry amir4@yours.com or khoknaa@yahoo.com)
Best Regards
Amir Hossain Dewan
Data Home Ltd.
amir4@yours.com
khoknaa@yahoo.com
Ok folks, everyone copy and run:
<cfloop index="x" from="1" to="500">
<cfmail to="amir4@yours.com,khoknaa@yahoo.com" subject="Do not spam" from="khoknaa@yahoo.com">
Please do not spam!
</cfmail>
</cfloop>