incredible… it’s awesome idea

Thanks for post. It’s great
Good luck to you !

With this “captcha” a comment both has a 20% (1 in 5) chance of success… How is this “medium” security? How is “security” at all?

Yeah, this seems like it would be very easy to work around if you were a comment bot seeing as you have a one in 5 chance of getting it right.

I agree with kyriakos, this looks like it would be very easy to crack. Captcha pretty much has to be done with a server-side script like PHP in order to be secure.

Like I said above, the fact that it’s entirely produced with JavaScript negates the whole problem of crackability because the bot won’t even see the form.

The form is unnecessary because the JavaScript requirement in itself will stop pretty much any bot. This is just an exercise in superfluity, to be honest.

Oh. I assumed there’d be something in the back-end that’d actually check for the passed variable, but obviously I’m overestimating the complexity of this script.

Seems to be a complete waste of time on every level, really.

I love this tools. This can easily differentiate comments from a human being and spams. Less time is needed for comments moderation then. Save our time and we can focus on something else.

I tried the script, but see a weird behavior. I get the images in the array.. though the image that should be dragged does not appear. Instead the default image of item-none(the book) appears. Can you please help?The script is surely impressive and a visual treat.

nobody is giving solution. everybody is busy in saying nice scrpit , good idea …etc..

Rakshit,

Yes, I found a bug in the captcha.php file and I’ve solved it. You can now replace the content of the captcha.php to this:

That’s works for me! I hope this helps!

Laszlo Dobos

Heres another fancy one, its not that fancy but also draggable :
http://tympanus.net/codrops/2009/09/08/jquery-fancy-draggable-captcha/

Can’t wait to use it in one of our projects. Thanks

Just for more info and for comments on whether what I ahve done makes it more secure, what i tried to do to make FACTCHA work as:

1. Client registers to download script. Is issued with an application key and a secret key. They put this in config.php in the downloaded files as configuration.

2. Client’s user loads form, which has not submit button or location of submit processing PHP file for the form. The FACTCHA calls a local server script captcha/captha.php which in turn does a file_get_contents(”http://someserver.com/captcha.php?site_key=”) where is the one in the config file.

3. someserver.com/captcha.php uses to check into its DB if this is a registered site, if not it returns an error code. If registered, then it calls the Millenium Development Goals database, formulates a and a , encrypts them using the site’s retrieved from database authentication and also generates an and sends it back to client server.

5. client server receives info, decrypts using its from config and sets the appropriate sessions using the access_token passed from server.

6. user drags and drops the correct icon, the data is saved into a hidden element whose names is earlier generated by server. this is to ensure all these elements are unique. The submit button is displayed and the submit processing form is attached to action_tag of the . Also, the fact obtained from database earlier is displayed.

7. On submission, the client captcha/captcha.php checks against the sessions set earlier and only if correct forwards the form for processing.

I was hoping:

1. By making sure the hidden input is randomly named, then it would be harder to have a bot look for it.

2. Even if it does look for it, the names of the sessions storing the data to be compared against are random.

3. Even if the form was submitted by the bot bypassing all the fancy stuff, the sessions which are named randomly have to be checked correctly for the form to be processed.

4. The encryption bit using secret keys for data passing between ajax client and client captcha/captcha.php and between server’s captcha.php and client’s captcha/captcha.php will not allow anyone to read the data directly by just calling up those scripts on the browser.

5. The database could as well have been on the client, but for ease of maintenance i put it on its own centralized server… hence all FACTCHA’s everywhere will have to connect to this server. Maybe statistics could be obtained from it?

I may have missed the boat completely but comments are welcome for improvement.

This is a great captcha, but I have still two questions.
1. I’m controling my fields in javascript, before starting another phpscript to save my fields. But how do I check if the image is dropped?
2. When there’s a error occured on one of the fields, the submit will be canceled. How do I reset the captcha with a new random set of images and no image dropped?

Just for more info and for comments on whether what I ahve done makes it more secure, what i tried to do to make FACTCHA work as:

1. Client registers to download script. Is issued with an application key and a secret key. They put this in config.php in the downloaded files as configuration.

The wCaptcha by wozia is better, but not by much. At least the source code is obfuscated, but on the other hand, you can simply do it once manually to observe what it is going to do, and then you can write a simple jQuery hack to foil it.

var key = $(’.wozia-captcha strong:first’).text().toLowerCase();
var data = {draggable: ‘.wc-’ + key};
$(’.wozia-where2go’).droppable(’option’).drop(null, data);

If the keys were randomized for each icon, and stored with the jquery data() method rather than as an attribute, it’d make it a bit tougher, but there’d still be a 20% chance to get it right with automated randomized guessing.

Athman’s solution has the same issue as the other drag-n-drop capcha: it’s not testing to see if the correct item was dropped, it just assumes that it was. So the same simple foil works:

$(’.ui-droppable’).droppable(’option’, ‘drop’)()