a secure CAPTCHA-free login design
I just found out a pretty neat trick on the Google Account login page,
which immediately inspired an idea: CAPTCHA-free login.
The idea is simple:
CAPTCHAs should be longer.
CAPTCHAs should not be random characters but a sentence of instructions.
The instructions look like:
- switch your 3rd and 8th character in your password
- add an extra 3 after your 2nd character in your password
- append the result of 23+17 at the end of your password
- wrap your password in [] brackets
- separate every single character of your password with a dot
- move the last character in your password to the beginning
Bots already have a hard time recognizing CAPTCHAs correctly, let alone parsing a natural-language instruction and carrying it out correctly.
You can also design the CAPTCHA image distortion to trap OCR programs into making predictable mistakes: a honeypot that collects evidence and patterns about bad clients and actively bans them.
In a closed community (say a secret underground forum), you can compile these instructions into a compact code, like i3a9 meaning "insert a 3 after the 9th character"; outsiders who do not know the code cannot enter even with the correct password.
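As an added example (my own code, not from the post), here is an interpreter for the instruction list above together with the compact-code idea: the client carries out the instruction on the password, and the server undoes it and checks the recovered password against a salted hash. The compact grammar (`s3x8`, `i3a9`, `a40`, `w[]`, `d.`, `r`), the PBKDF2 storage and the `MIN_LEN` policy are my assumptions; the post only gives `i3a9`.

```python
"""Interpreter for the instruction-style CAPTCHA described in the post.

Added example, not code from the post.  Assumed: the compact code grammar
below (the post only gives "i3a9"), a server that stores a salted PBKDF2
hash and undoes the instruction before checking, and a MIN_LEN password
policy so that positional instructions always fit.
"""
import hashlib
import hmac
import re
import secrets

MIN_LEN = 8  # password policy the challenge generator relies on (assumption)

# Compact codes (assumed grammar) and the sentence each stands for:
#   s<N>x<M>  switch your Nth and Mth character (1-based)
#   i<C>a<N>  add an extra C after your Nth character   ("i3a9" from the post)
#   a<TEXT>   append TEXT at the end                    ("a40" for 23+17)
#   w<L><R>   wrap your password with L and R           ("w[]")
#   d<SEP>    separate every character with SEP         ("d.")
#   r         move the last character to the beginning
_GRAMMAR = (
    ("s", re.compile(r"s(\d+)x(\d+)")),
    ("i", re.compile(r"i(.)a(\d+)")),
    ("a", re.compile(r"a(.+)")),
    ("w", re.compile(r"w(.)(.)")),
    ("d", re.compile(r"d(.+)")),
    ("r", re.compile(r"r")),
)


def parse(code):
    """Return (op, args) for a compact code, or raise ValueError."""
    for op, rx in _GRAMMAR:
        m = rx.fullmatch(code)
        if m:
            return op, m.groups()
    raise ValueError("unknown instruction code: %r" % code)


def _index(n, length):
    """1-based position from the instruction -> 0-based index, range-checked."""
    n = int(n)
    if not 1 <= n <= length:
        raise ValueError("position %d does not exist in %d characters" % (n, length))
    return n - 1


def transform(code, password):
    """Client side: carry out the instruction on the password the user knows."""
    op, args = parse(code)
    if op == "s":
        i, j = _index(args[0], len(password)), _index(args[1], len(password))
        chars = list(password)
        chars[i], chars[j] = chars[j], chars[i]
        return "".join(chars)
    if op == "i":
        n = _index(args[1], len(password)) + 1  # "after the Nth character"
        return password[:n] + args[0] + password[n:]
    if op == "a":
        return password + args[0]
    if op == "w":
        return args[0] + password + args[1]
    if op == "d":
        return args[0].join(password)
    return password[-1] + password[:-1] if password else password  # "r"


def invert(code, response):
    """Server side: undo the instruction to recover the typed password, and
    reject a response that does not have the shape the instruction produces."""
    op, args = parse(code)
    if op == "s":
        return transform(code, response)  # a swap is its own inverse
    if op == "i":
        n = _index(args[1], len(response) - 1) + 1  # original length is one less
        if response[n] != args[0]:
            raise ValueError("inserted character missing")
        return response[:n] + response[n + 1:]
    if op == "a":
        if not response.endswith(args[0]):
            raise ValueError("appended text missing")
        return response[: -len(args[0])]
    if op == "w":
        if len(response) < 2 or response[0] != args[0] or response[-1] != args[1]:
            raise ValueError("wrapper missing")
        return response[1:-1]
    if op == "d":
        password = response[:: len(args[0]) + 1]  # every (len(sep)+1)th char
        if args[0].join(password) != response:
            raise ValueError("separator pattern broken")
        return password
    return response[1:] + response[0] if response else response  # "r"


def register(password, iterations=200_000):
    """Store only a salted PBKDF2-HMAC-SHA256 digest of the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def new_challenge(rng=None):
    """Pick an instruction whose positions fit any password of MIN_LEN+ chars.
    The server renders it as a sentence in the CAPTCHA image (e.g. "append the
    result of 23+17") and remembers only the compact code for this session."""
    rng = rng or secrets.SystemRandom()
    i, j = rng.sample(range(1, MIN_LEN + 1), 2)
    x, y = rng.randrange(10, 50), rng.randrange(10, 50)
    return rng.choice(["s%dx%d" % (i, j), "i%da%d" % (rng.randrange(10), i),
                       "a%d" % (x + y), "w[]", "d.", "r"])


def verify(record, code, response):
    """Undo the instruction, then check the recovered password against the hash.
    A wrong password fails, and so does the right password typed without the
    instruction (unless the instruction happens to be a no-op on it, such as
    swapping two equal characters)."""
    try:
        candidate = invert(code, response)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    record = register("password1")           # at signup
    code = new_challenge()                   # at login, shown as a CAPTCHA sentence
    answer = transform(code, "password1")    # what the user types
    print(code, answer, verify(record, code, answer))
```

The server has to invert the instruction because it only stores a hash and cannot apply the instruction to a stored password; that works here because every instruction in the list is a reversible string operation, and the same reversibility means anyone who captures both the instruction and the response can recover the password. Positional instructions only make sense if a minimum password length is enforced, which is why the generator picks positions up to `MIN_LEN` and `transform()` rejects anything out of range.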
This method also protects the user's password from replay: a response captured by eavesdropping or by a mass-target MITM attack is only valid for the instruction it was computed against, so it cannot be reused at a later login. One caveat a practitioner will want: every instruction above is reversible, so an attacker who captures the instruction together with the response can still recover the password; the protection is against replaying a captured response, not against an eavesdropper who sees both.