Different characters when entered than what it displays in the image allows to login


Zaheer Ahmed

Jun 6, 2014, 3:56:55 PM
to reca...@googlegroups.com
Hi,
The application in my firm uses reCAPTCHA during login. When I use different characters than what is displayed in the image, the application allows me to log in. By different characters I mean, for example:
Image displays  -  "duckout his"  
I enter value as  -  "düćköüt hïś"
This allows me to bypass and login. Not sure if this is right. Please enlighten me on this.

Thanks

Darragh McCurragh

Jun 7, 2014, 2:20:28 PM
to reca...@googlegroups.com
Hi Ahmed,

reCaptcha uses strings from Google's book scanning that the OCR software could not identify exactly. By serving these strings to several individuals Google hopes to learn which is the right interpretation (and thus improve Google Books). Since it cannot (always) know in advance which could be the true rendering of the string in question, it has to allow various different interpretations as entries.

I suspect it serves the same ambiguous string several times and settles for the interpretation that a majority of users entered.

You compare reCaptcha to a "password" mechanism. This it is not. It is just there to make breaking it so awkward that the average non-human captcha breaker will not be able to solve it. Having said that, it seems reCaptcha must have a fuzzy-logic-based mechanism to decide how far you can deviate from the possible (!) meaning of a string before it actually denies you access. In your example, if instead of

"düćköüt hïś"

you would enter, say

"swan-in her"

it should fail you, while "düćküt hïś" or "düćköt hïś" might still just work.

Kind regards
Darragh
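
The kind of tolerant comparison the reply above speculates about, as an added example that is not part of the thread and is not reCAPTCHA's actual algorithm (the thread does not document it). It folds diacritics away and then allows a small edit distance; `fold`, `edit_distance`, `tolerant_match` and the `max_errors` threshold are assumptions made for this illustration.

```python
import unicodedata


def fold(text: str) -> str:
    """Drop combining marks, case and extra spaces: 'düćköüt' -> 'duckout'."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def tolerant_match(expected: str, answer: str, max_errors: int = 1) -> bool:
    """Accept an answer within max_errors edits after folding (assumed policy)."""
    return edit_distance(fold(expected), fold(answer)) <= max_errors


if __name__ == "__main__":
    displayed = "duckout his"  # string shown in the image, per the thread
    # Answers quoted in the thread
    for answer in ["düćköüt hïś", "düćküt hïś", "düćköt hïś", "swan-in her"]:
        distance = edit_distance(fold(displayed), fold(answer))
        verdict = "accept" if tolerant_match(displayed, answer) else "reject"
        print(f"{answer!r}: folded={fold(answer)!r} distance={distance} {verdict}")
```

Under this assumed policy the accented answer folds to exactly the displayed string, which is why it is indistinguishable from a correct answer, while an unrelated answer stays far outside the threshold.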