A team of Russian hackers have found a way to read the CAPTCHA with 35% accuracy. Let there be no mistake: the CAPTCHA that Yahoo! deploys is believed one of the most difficult CAPTCHA's to crack. It utilizes bended alpha numeric characters and other features you might expect from a strong CAPTCHA, and still it's easy to solve by humans.
Impressive Russian hackers... Only failing roughly 2 out of 3 tries. The Russian hackers went on to say: The CAPTCHA has a vulnerability we'll discuss later. It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition – one cent per one CAPTCHA.
Why can they get away with 100,000 tries per day?!?! That statement made me think that Yahoo's CAPTCHA sounds like a good candidate for the incremental delay anti-bruteforcing technique. In short, the incremental delay could decrease the number of successful attacks by delaying the response time from a failed automated attack. After the first failed login attempt, for example, the response would be delayed by one second. After the second failed attempt, the response would be delayed by two seconds, and so on. A one-, two-, or even six-second delay is probably not going to bother a human user too seriously. Certainly he will find it less irritating than having to wait 30 minutes for his account to reactivate because he accidentally left his caps lock key on. On the other hand, an incrementing delay can completely defeat an automated tool being used for a brute force attack. Assuming the tool could normally make ten requests per second, the time it would take to make one thousand requests would jump from two minutes to five days. This pretty much renders the brute force attack tool useless.
If only to prevent Russian spammers from creating less bogus Yahoo email accounts to SPAM from; do you think incremental delay would help Yahoo? |