CAPTCHA Best Practices

By Paladion

May 24, 2007

Which of these is not a recommended best practice for implementing CAPTCHAs?

  1. Have a fixed set of images with dynamic filenames
  2. Send the CAPTCHA to the client with a random token
  3. Invalidate the token after one use
  4. None of the above

For background on CAPTCHAs, see the article Defeating Bots with CAPTCHAs. The correct answer to this question is option 1. This is in fact one of the common mistakes in CAPTCHA implementation. Although serving a fixed set of images under dynamic filenames may seem better than serving a static set of image files, the set of possible answers stays fixed, so the scheme is vulnerable to brute-forcing attacks: attackers can keep trying until the correct word is submitted.

The best practices for implementing CAPTCHAs are:

  1. Dynamically generate an image
  2. Send it to the client with a random token
  3. Accept user input along with token
  4. Compare the user input with the correct word for that token
  5. Invalidate the token after one use

The server should dynamically generate an image and send it to the client along with a random token, remembering on the server side which word belongs to which token. The user input is received along with the token and then compared with the correct word stored for that token. Another important thing to remember is to invalidate the token after one use, so that a replay attack cannot be carried out.
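The five steps above, written out as a small server-side component. This is an added example, not code from Paladion's article: it keeps the token-to-word mapping in an in-memory dictionary (a real deployment would use a shared store such as a database or cache so that any web node can verify), it injects a clock so expiry can be tested, and `render_image` is a labelled stand-in for real image rendering. One design choice worth noting: the token is removed on every verification attempt, not only on success, so a wrong guess burns the token and an attacker cannot keep guessing against the same challenge.

```python
import hmac
import secrets
import string
import time

# Constructed parameters for the example; tune per deployment.
ALPHABET = string.ascii_uppercase + string.digits
WORD_LENGTH = 6
TOKEN_TTL_SECONDS = 300


def render_image(word):
    """Stand-in for drawing `word` into a distorted image (assumption: a real
    implementation would use an image library here). Only the rendered image
    and the token ever go to the client; the plain word stays on the server."""
    return ("image-placeholder", len(word))


class CaptchaService:
    """Server-side CAPTCHA state: token -> (expected word, expiry time)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._pending = {}   # hypothetical in-memory store; use a shared store in production
        self._ttl = ttl
        self._clock = clock

    def new_challenge(self):
        # Step 1: generate a fresh random word for every request, never drawn
        # from a fixed pool of pre-made images.
        word = "".join(secrets.choice(ALPHABET) for _ in range(WORD_LENGTH))
        # Step 2: bind the word to an unpredictable token and remember the pair.
        token = secrets.token_urlsafe(32)
        self._pending[token] = (word, self._clock() + self._ttl)
        return token, render_image(word)

    def expected_word(self, token):
        """Server-side lookup of the word for a pending token (not exposed to clients)."""
        entry = self._pending.get(token)
        return None if entry is None else entry[0]

    def verify(self, token, user_input):
        # Step 3 (input arrives with its token) and Step 5: pop the token on ANY
        # attempt so it is usable exactly once. A replay of a correct answer,
        # or a second guess after a wrong one, finds no entry and fails.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        word, expires_at = entry
        if self._clock() > expires_at:
            return False
        # Step 4: compare against the word stored for this token, in constant
        # time; case-insensitive and whitespace-trimmed for usability.
        submitted = user_input.strip().upper().encode("utf-8")
        return hmac.compare_digest(word.encode("utf-8"), submitted)


def demo():
    """Walk through the flow once; returns the outcomes of each attempt."""
    now = [1000.0]
    svc = CaptchaService(ttl=TOKEN_TTL_SECONDS, clock=lambda: now[0])

    token, _image = svc.new_challenge()
    word = svc.expected_word(token)
    first = svc.verify(token, word.lower())   # correct answer, first use
    replay = svc.verify(token, word)          # same token again: rejected

    token2, _ = svc.new_challenge()
    wrong = svc.verify(token2, "NOPE00")      # wrong guess burns the token
    retry = svc.verify(token2, svc.expected_word(token2) or "")  # nothing left to verify

    token3, _ = svc.new_challenge()
    word3 = svc.expected_word(token3)
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = svc.verify(token3, word3)       # correct but too late

    return {"first": first, "replay": replay, "wrong": wrong,
            "retry": retry, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Because `verify` removes the token before checking anything else, the order of the steps matters: a token that is looked up but left in place until success would let an attacker submit guesses against one challenge indefinitely, which is exactly the brute-force weakness the quiz answer describes.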

