captcha.cc - captcha generator

Free captcha service

We're trying to run this for free, and pay for the hosting & bandwidth fees, etc. based on traffic to the home page and faq page (on which we will sell ppc ads), and also any custom orders or high-security level requests.

What do I paste in?

When you generate the code, you'll get some javascript, some input boxes, an image and a submit button. You need to paste ALL these form elements into your web form. You can put the image wherever you want. You can keep your old submit button and just put our onclick in it:.

Clean, Fast & Secure

Captcha.cc's service makes it extremely simple to place very hard captcha images in front of a form submission. These images are easy for humans to read, but very hard for computers to read. This cuts down on spam for blog comments, contact form submissions and much more.

SSL Secured Pages

If you plan on using our captcha on an SSL secured page, simply change your URL's to https://. This will fix most security warnings someone using the captcha might get.

Smart Options

Our system allows you to paste a "code-free" javascript-driven "faux captcha" on your site, or a "javascript-free" version, that uses a lightweight validator that can be dropped in to your CGI, Perl, ASP, PHP or (any other) code. Or you can use both, allowing the convenience of an AJAX validated captcha with the security of server authentication.

Reliable

We run multiple servers, each one takes over function when the other is down.

Simple Code

Our system uses a method of validation that doesn't require "callbacks" or any other cumbersome, slow methods that our competitors require. Captcha.cc is the easiest system to implement, while offering a high level of security.

Other Captcha's Are Too Easy

We offer a service to test whether a captcha is too easy. Tell us the URL of a captcha, and I'll develop a simple program for "cracking it". Many times the solution relies on insecure key generation or parameter passing - not just advanced OCR. Approximately 90% of the captchas we encounter are easily cracked. Want to know if yours is secure? Ask us to crack it!

Can't someone just be paid to crack yours?

Sure. It would be easy enough to hire soneone in a poor country for a penny a captcha. This would circumvent just about anything, and would be affordable for many spammers. That's why we do bot filtering and we can do a lot more if needed. If you're still getting spam, email us and I'll analyze it and develop a solution for free or as cheap as we can.

Do you have a logo I can link to you with?

Sure, try using white background , or for a black background. Basically it's just Franklin Gothic Heavy Italic with a 2-pixel outline. I used mkogo.com to make it, so you can pick any colors you need from there.

Simple Offline Validation

You can't build a captcha that's in any way secure without some server validation. Fortunately we've done just that. Simply hash the submitted text with your private keyphrase and compare it to the "cap_h" variable. You can do something like if (!$ok) die "Bad captcha", depending on your script. Remember, at this point, it's either a person who passed, or a bot - since the javascript will have already validated a real person. All the validation is done offline, so you don't have to worry about connecting to our service or writing complex API code.

Some snippets:

Perl: use Digest::MD5 qw(md5_hex); $ok = param('cap_h') eq md5_hex(param('cap_t').$password); die if !$ok;

PHP: $ok = !strcmp($_REQUEST['cap_h'],md5($_REQUEST['cap_t'].$password)); $ok or exit();

ASP:

Perl:	`use Digest::MD5 qw(md5_hex); $ok = param('cap_h') eq md5_hex(param('cap_t').$password); die if !$ok;`
PHP:	`$ok = !strcmp($_REQUEST['cap_h'],md5($_REQUEST['cap_t'].$password)); $ok or exit();`
ASP:	Function cap_VerifyHash(ByVal text As String, ByVal password as String, ByVal hash as String) As String Dim input as String = text + password Dim md5Hasher As MD5 = MD5.Create() Dim data As Byte() = md5Hasher.ComputeHash(Encoding.Default.GetBytes(input)) Dim sBuilder As New StringBuilder() Dim i As Integer For i = 0 To data.Length - 1 sBuilder.Append(data(i).ToString("x2")) Next i Dim comparer As StringComparer = StringComparer.OrdinalIgnoreCase If 0 = comparer.Compare(sBuilder.ToString(), hash) Then Return True Else Return False End If End Function

Function cap_VerifyHash(ByVal text As String, ByVal password as String, ByVal hash as String) As String
	Dim input as String = text + password
        Dim md5Hasher As MD5 = MD5.Create()
        Dim data As Byte() = md5Hasher.ComputeHash(Encoding.Default.GetBytes(input))
        Dim sBuilder As New StringBuilder()
        Dim i As Integer
        For i = 0 To data.Length - 1
            sBuilder.Append(data(i).ToString("x2"))
        Next i
        Dim comparer As StringComparer = StringComparer.OrdinalIgnoreCase
        If 0 = comparer.Compare(sBuilder.ToString(), hash) Then
            Return True
        Else
            Return False
        End If
End Function

Scriptless Validation

With or without javascript support, you can, optionally, post the keyed text to the server for validation. It's a bit more expensive, but allows clients that do not support javascript to work. The caveat is that you have to generate your own hard-to guess GUID's (passed as cap_c to the image generator). This is complex because it's hard to assign "id's" to clients that my site (capthca.cc) and your site both agree on. IMO, you really shouldn't use this since most "human users" have javascript working.

GUID snippets (this goes on the page with your form):

Perl:	`$CID = int(rand()1000000) . int(rand()1000000); print "<input type=hidden name=cap_c value=\"$CID\"><img src=\"http://www.captcha.cc/img.cgi?cap_k=$KEY&cap_c=$CID\">";`
PHP:	`$CID = int(rand()1000000) . int(rand()1000000); print "<input type=hidden name=cap_c value=\"$CID\"><img src=\"http://www.captcha.cc/img.cgi?cap_k=$KEY&cap_c=$CID\">";`

Validation snippets (this goes on the page that processes your form):

Perl:	`use LWP::Simple; $ok = get("http://www.captcha.cc/val.cgi?cap_k=$KEY&cap_c=$CID&cap_t=".escape(param('cap_t')));`
PHP:	`$ok = include("http://www.captcha.cc/val.cgi?cap_k=$KEY&cap_c=$CID&cap_t=".urlencode($_POST('cap_t')));`

Simple/Scriptless IP-Based Validation

If you don't have a busy site, you can do a scriptless/simple version of keying that uses ip's as the guids. This should work OK for about 99% of the people who use it, since captcha's don't last more than a few minutes anyway. No GUID code is needed, your form can be plain HTML.

Validation snippets (this goes on the page that processes your form):

Perl:	`use LWP::Simple; $CID = remote_addr(); $ok = get("http://www.captcha.cc/val.cgi?cap_k=$KEY&cap_c=$ENV{REMOTE_HOST}&cap_t=".escape(param('cap_t')));`
PHP:	`$CID = $_ENV{'HTTP_CLIENT_IP'} ? $_ENV{'HTTP_CLIENT_IP'} : $_ENV{'REMOTE_HOST'}; $ok = include("http://www.captcha.cc/val.cgi?cap_k=$KEY&cap_c=$CID&cap_t=".urlencode($_POST('cap_t')));`

Variable Definitions

Variables and what they mean to us:

cap_k:	Key generated when you sign up on our home page. It's linked to all your preferences. It's also linked to your logfile & statistics. Somtimes referred to in code samples as $KEY.
cap_c:	Unique number identifying the client using the captcha. Also named $CID in code samples.
cap_t:	Text entered by the user to answer a captcha request.
cap_h:	Hash key formed by hashing the concatenation of the "cap_t" text and your private password.

Contact Info

Questions, help, sharp criticisms, features? info at captcha dot cc

When I click submit on my form nothing happens!

If you have a button named "submit", there's no (reasonable) way for the javascript to submit your form. Rename your button, and the submit() function will work, and the captcha scripts will work. If this is not an option, you'll need to use the scriptless version (above).