Lagom.nl > Linux > HKCaptcha

HKCaptcha - yet another PHP Captcha implementation

With clutter
Random letters

Distortion only
Random letters

Try the Demo page

Yet another captcha implementation in PHP. This one is written with the current state of captcha-defeating research (as of 2007) in mind. Apart from a mathematical letter distortion algorithm that is more than just rotating the letters (just like on the big websites such as Google and Yahoo), the clutter is designed to make segmentation of the image into separate letter glyphs hard to do automatically. Finally, the images contain the name of the originating website to discourage re-using them on porn sites.

If you think this is paranoid, then check out the following references:

Microsoft research papers by Kumar Chellapilla: Computer programs are better than humans at identifying extremely distorted letters.
OCR Research team's gallery of weak captchas
aiCaptcha, a step-by-step description of how to defeat a distorted-letter captcha.
Breaking a visual CAPTCHA: The old captcha at Yahoo defeated.

For more general information, see Wikipedia.

Why?

I host a forum that is run by somewhat obscure forum software (PunBB, run by about 700 sites in the world). Everything was fine for a few months until I got flooded by forum spam in May 2006. Each post originated from a different IP address, which made IP blacklisting unfeasible. After I introduced this captcha, I could see in my log files that it blocked 158 attempts to spam the forum during the first two weeks, so I consider it quite effective..

Requirements

PHP GD and truetype library (these are normally installed by webhosting providers. Otherwise look for the package php-gd) You will need to know some PHP in order to adapt your forum or guestbook software.

Usage

The PHP script 'captcha-image.php' will generate a PNG with a distorted five-letter code. The code is stored into the PHP session variable $_SESSION['captcha_string']; see the examples example.html and verify.php.

You may want to change the settings at the beginning of 'captcha-image.php'.

The distortion algorithm is computationally intensive and PHP is not exactly suited for that job. It may take a second or so of CPU time to generate an image. This should not be a problem on small sites.

You can have a look at the php source code. After all, CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart", i.e. the effectiveness does not depend on the source code being secret. :-)

License

The PHP script is copyright Han-Kwang Nienhuys, but may be distributed freely, including inclusion in other free or commercial PHP software packages, provided that the license information in the PHP script is preserved. I included a free truetype font, that may be distributed under the restrictions outlined on gnome.org

Download

hkcaptcha-20081112.tar.gz (40 kB)

Changelog

20060611 - first public version
20061228 - with distorted circles instead of lines. Script not published.
20070620 - new distortion algorith, smoother character shapes.
20080226 - Fixed caching issue with back button in Firefox. The image is now reloaded even if the page is revisited with the Back button.
20081112 - Rewrote license text because of confusion.

[Email]