so well said, better than all i have read,,,, thanks!

That makes me think - currently the addon has this option:

$symbAmount=6;

And then, in the script, it is like:

.. maxlength="{$symbAmount}"..

Maybe it's better that the maxlength value doesn't set the maximum value (or sets it to something bigger than $symbAmount) because spam robots may assume by default that they should check {$symbAmount} symbols. Why give them this important hint ; ).

Well... hackers usually collect information about "breakable" sites and put it in some kind of database/scripting collection, which is later re-sold to the "end spammers". There, all the information about the breaking method/alogirthm is kept. One of the accomplished ways to break Captchas is to read the image which is passed to the form, and some way de-cypher it. Per each image type there need to be a unique algorithm. I'm sure it's easy to build such an algorithm for default miniBB's Captcha options, by default it has easy-to-guess fonts. Symbols amount doesn't make lots of sense here. It may be not even taken into attention, when the Captcha is "de-cyphered". It's more for users comfort - I know my own cases, when I've typed a "spare" letter, at the time I already was done, so... by this time, I'll keep it.

The idea about miniBB Captcha, is that it is customizable. You can set such fonts which can't be broken with the default algorithm. Also, there is a way to set up a unique secret phrase/symbols amount each hour or even each minute. So it would be impossible to build a database of pre-defined values for such a secret phrase, like it could be done in theory.

So, by this time the two most important ways to get safe, is to provide an image which could be hard-to-OCR, and provide the set of references, which can't be brute-forced, and miniBB Captcha at least has a tension to keep both. So far I just can't imagine a better way :)

Hi Guys
Sorry for just adding on to the previous posts but I cannot find how to start a new topic so I hope I'm doing the right thing.
I just wish to ask... could someone please explain the significance of the Turing Password in the Captcha options. ($secretTuringPass variable)
If I create a custom password as the readme file suggests... when am I likely to need to use it and do I need to configure some other file to match match the password?
I'm lost, I don't see the need of a "password" as such, that you don't have to recall and use elsewhere.
Many thanks.
SteveB

You *should* change this phrase, it should be unique for you - it's a security measure. Knowing the standard key phrase, it's easy to break up the protection, there becomes no protection actually.

I suppose, 95% of users buying this module, do not change the phrase and then claim that the module doesn't help...

No, just this one place.

For being even more customized & protected, you may
- change the characters amount (increase up to 6-7 chars)
- change fonts (try to install "florid" type of fonts)
- set the grid.

Many thanks Paul for clarity and quick response.
I congratulate you on a great product and service!
Steve

Thank you, but... please, clarify: did it work for you, finally?.. Flood registration stopped some way?

Hi Paul
YES we have managed to stop the flood registrations.
Thanks again.

Captcha improvement.

I suppose, in some cases spammers may "decode" the Captcha's back-reference codes (those coming to the image generator via GET method), just building the static database of those codes. If the $secretTuringPass is not changed for a long time, in a week or so, they could completely generate all possible variations of the 5-characters or even less phrase and then use it to automate spam, even if the forum is protected by Captcha.

The basic workaround here is to use $secretTuringPass more often and set $symbAmount to a larger number. However not each forum admin / module owner is up to this... Below I have provided instructions on how to boost the security of the Captcha module. Similar codes were used for our customer's forum and by now they appear to work for months.

The tricky side of it, is that each new day the script will add a specific character to the end or the beginning of the secret phrase, so each day it will be new. Also, on odd dates, the Captcha will consist of 6 chars, on even dates it will consist of 7 chars.

This may be changed or improved on your end with customized values; mandatory change is about $secretTuringPass value - the one we have here, is just for example and it should be changed to something more tricky and unknown!

Let's go:

1. Under addon_captcha_options.php, instead of just the plain value of the $secretTuringPass, set this code:

You may change if($whereToPaste==1) to if($whereToPaste==0) to make it less obvious, you could also swap d / m for $chr1, $chr2 defs.

2. Instead of the plain value of $symbAmount, set this:

You may change 6 and/or 7 to another values, or swap them.

3. Just let's not forget that as more characters you have to appear, as more width the Captcha image should have, so set this with a reserve:

***

I've currently set up the similar codes here on miniBB forum, let's see if they will help.

Feel free to report your issues on this.

That's a good idea! Did I immediately installed. Thank you Paul!

Did it too... i'll let you know. We've been flooded by chinese spam recently !

Hi, Paul and fellow miniBBers.

Firstly, I'd like to thank Paul for his continued effort and commitment to improving miniBB and its many add-ons.

Now, moving on to a few questions ...

1) To set the $secretTuringPass value, can one include any symbol/special character besides numbers 0 to 9 and letters a to z/A to Z? I see Paul's example contains an underscore.

2) If I set the $secretTuringPass value to something complex and lengthy (e.g., 20+ characters), how often should I change it? What is Paul's recommendation?

3) What is the difference between $secretTuringPass and $t_symbols? Earlier, I inadvertently changed the latter when I'd meant to change the former. Thankfully, there was no harm done, as I was able to un-do the mistake.

With thanks and best wishes -
marsbar

marsbar
With the variable $secretTuringPass, of course, you put your personal password and NOT take on the cited example of Paul.

Example:
$secretTuringPass='I_Am-a-VERY_secret_password-with_Numbers0-9_and-characters_!!';

I have it defined once and have never changed.

$t_symbols ... As the characters come in to be displayed later. Some characters can be confused, for example, 1 and I or g and 9.That's why I let these characters in the variable away.

It's my common recommendation to anything :) if you just use alphanumeric, then avoid more problems in the future.

$t_symbols are displayed to the end user. You could limit this to number-only or letters-only. Or some other special chars only. $secretTuringPass is length and difficulty of the pass phrase. It could be long and difficult.

Hopefully I'm still in the building, and the forum is not over :)

Yes, thank you for the reminder, Jaime: I shall treat Paul's example as just that--an example. :)

Thank you, Paul, for taking the time to respond.

So, if I understand correctly, to have pureply numerical Captcha ouput, $t_symbols needs to be set to "2345678" (omitting 0, 1 and 9 to save confusion with letters o, O, l, and g), correct? And $symbAmount sets the length of the output.

Sorry, I still do not quite follow this bit. :-(
I have imagined the Captcha codes end users see are permutations of the $secretTuringPass that have undergone some kind of hashing process ... ! This is why the $secretTuringPass value needs to be as complicated and lengthy as possible--to achieve a higher number of permuations.
As I have clearly misunderstood the purpose of $secretTuringPass and the logic behind miniBB captcha add-on, I would be most grateful if Paul would put me on the right track and out of my misery.

With thanks -
marsbar