In fact, what is the use of the "verification code" on the website?
Forum administrator
Can you tell me why the verification code can't be displayed? You only gave the solution in the forum.
I wonder why.
Can you talk about it?
A: This is a political issue, hehe. At present many websites use verification code technology to stop robots from automatically registering, logging in and flooding the board. The so-called verification code is a picture generated from a string of random digits or symbols, with some interfering pixels added (to defeat OCR). The user reads the code with the naked eye, types it into the form and submits it to the website for checking; only after the check succeeds can the function be used. Well, our Legion Forum has also played this trick. Last night I couldn't post. I ran several patches and then restarted IE, but still couldn't see the verification code. I suspected that my machine's security settings were too strict, and found that I was forbidden to modify the registry. After lifting that ban the problem remained, so I had to fix it by hand. The problem was solved.
Many friends have doubts about the verification code, and users of the major forums also hate it. Let's demystify this thing. In my usual style, plain and thorough, divided into several parts and answered step by step. Let's start:
The earliest verification codes were just a few randomly generated digits. But, as the saying goes, as virtue rises one foot, vice rises ten: software that could recognize the digits soon appeared. "Collectors" use such software to obtain accounts in bulk or to probe passwords, because the software can submit tirelessly. As a result the verification code became a picture with an irregular background added; if it is hard for the human eye to make out, it is hard for software too. Tencent, however, has begun to use pictures of Chinese characters as verification codes. Does that mean the technology for cracking verification codes has made new progress, and that digit or letter codes with a background can now also be recognized by software?
It is worth noting that a verification code is different from a registration code. A registration code is a password that the software author computes with a special algorithm from the submitted machine code, and that lets the software run normally.
I. Common verification codes
1. Four digits: a random string of single digits, the most primitive verification code. Its protective effect is almost zero.
2. CSDN's login uses a GIF, a commonly used random-digit picture verification code. The characters in the picture are quite regular, and the effect is better than the previous one; people without a basic knowledge of image processing cannot break it! Unfortunately, a program to read it seems to have been published in the forum on the very first day CSDN used it. What a pity!
3. The QQ website login uses PNG, and the pictures use random digits and random uppercase English letters. The whole composition is a bit flamboyant, and every character changes position on each refresh! Sometimes the picture that comes out cannot be recognized even by the human eye, which is amazing...
4. Microsoft's Hotmail registration uses BMP, with random digits + random uppercase English letters + random interference pixels + random positions.
5. Google's Gmail registration uses JPG, with random English letters + random colours + random positions + random lengths.
6. Other forums use XBM format with random contents.
II. Analysis of the function of the CAPTCHA
The origin of the CAPTCHA: attackers use malicious programs to register large numbers of web service accounts (such as Passport), and then use those accounts to make trouble for other users, for example by sending spam or slowing the service down by repeatedly logging in to many accounts at the same time. In most cases an automatic registration program cannot recognize the characters in such a picture. Simply put, the purpose is to stop attackers from writing programs that register automatically or log in repeatedly to brute-force passwords. That is how verification code technology came into being.
Verification code implementation process: the server randomly generates a verification code string, keeps it in memory, draws it into a picture and sends the picture to the browser for display. The user reads the characters from the picture, types them into the form and submits them to the server, which checks whether the submitted characters match the ones it saved. If they match, processing continues; otherwise an error prompt is returned. A robot program written by an attacker has difficulty recognizing the characters in the picture and so cannot complete automatic registration or login, while a human user can read and fill them in; this is how the attack is blocked. How hard the picture is to recognize depends on the strength of the interference in it. In practice the verification code only raises the attacker's cost; it cannot completely prevent attacks.
1. The role of the verification code in the forum
Your website will sometimes meet malicious attacks from clients, and one of the most common means of attack is identity spoofing: the attacker writes some code in a client script and then uses that client to log in to the forum repeatedly, or constructs an HTML form. If that form contains the same fields as your registration form or posting form,
When Internet Explorer and Outlook Express process web pages, HTML mail and e-mail attachments, a malformed XBM image file can make them crash. The problem lies in the lack of checking of the XBM file's contents: MSIE allocates memory according to the image's width and height, and an attacker can supply oversized width and height values, causing memory exhaustion or an access violation.
In other words, an XBM file constructed with a particularly large width and height easily exhausts Windows' memory, and the program stops responding or crashes. In itself this is not an especially serious vulnerability, because according to the security bulletin it cannot cause an overflow and does not lead to many privilege problems. However, because XP SP2 emphasizes security, the XBM function was disabled. From this we can see that SP2 really does pay more attention to security and basically patches or disables vulnerable functions. As a network administrator I support Microsoft's approach, because unsafe operating-system defaults are often the primary reason non-professional users get attacked.
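As an added illustration of the check the bulletin says was missing (example code, not from this article or from Microsoft), the Python decoder below validates an XBM header's width and height, and the length of its bit array, before allocating any pixel rows. The MAX_DIM and MAX_PIXELS limits and the two sample files are constructed assumptions.

```python
import re

# Constructed policy limits: a header claiming more than this is rejected
# before any pixel buffer is allocated (the check the bulletin says IE lacked).
MAX_DIM = 4096
MAX_PIXELS = 4_000_000

_DEF = re.compile(r"#define\s+\w+_(width|height)\s+(\d+)")
_BITS = re.compile(r"\w+_bits\[\]\s*=\s*\{([^}]*)\}", re.S)

def parse_xbm_header(text):
    """Return (width, height) from the #define lines, or raise ValueError."""
    dims = dict(_DEF.findall(text))
    if "width" not in dims or "height" not in dims:
        raise ValueError("missing width/height")
    w, h = int(dims["width"]), int(dims["height"])
    if not (0 < w <= MAX_DIM and 0 < h <= MAX_DIM) or w * h > MAX_PIXELS:
        raise ValueError(f"rejected dimensions {w}x{h}")
    return w, h

def decode_xbm(text):
    """Decode an XBM file into rows of 0/1 pixels; validate before allocating."""
    w, h = parse_xbm_header(text)
    m = _BITS.search(text)
    if not m:
        raise ValueError("missing bits array")
    tokens = [t for t in m.group(1).split(",") if t.strip()]
    data = [int(t, 0) & 0xFF for t in tokens]
    row_bytes = (w + 7) // 8
    if len(data) != row_bytes * h:            # body must agree with the header
        raise ValueError("bit array length does not match header")
    # XBM packs pixels LSB-first within each byte; rows are byte-aligned
    return [[(data[y * row_bytes + x // 8] >> (x % 8)) & 1 for x in range(w)]
            for y in range(h)]

def is_safe_xbm(text):
    """True if the file decodes under the limits, False if it is rejected."""
    try:
        decode_xbm(text)
        return True
    except ValueError:
        return False

# Constructed samples: a well-formed 8x2 image and a header with absurd dimensions.
GOOD_XBM = "#define ok_width 8\n#define ok_height 2\n" \
           "static unsigned char ok_bits[] = { 0x01, 0x80 };\n"
HOSTILE_XBM = "#define huge_width 2000000000\n#define huge_height 2000000000\n" \
              "static unsigned char huge_bits[] = { 0x00 };\n"
```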
Method of lifting the ban:
Because of this it will be rather inconvenient for us to visit sites that use generated XBM as the verification code. If necessary, we can restore the function we need with a simple registry edit.
Open the registry editor (Start - Run - regedit - Enter) and go to the key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security].
Change the value of blockXbm (a DWORD), or create it if it does not exist.
After that, restart IE or restart the machine, and pictures in XBM format can be seen again.
V. The trend of XBM
From the banning of XBM in SP2 it seems that Microsoft intends to drop support for the XBM format. As programmers we therefore need to plan ahead and find other ways to generate verification codes. In PHP you can generate a registration verification code in JPG, GIF and other graphic formats by calling the GD library; is there another way in ASP?
In fact, the key to a picture verification password is that the real URL of the picture, or information from which the source address could be reverse-engineered, must not be left on the client. ASP can therefore implement an SP2-compatible graphic verification code in the following two ways.
If you are on a purchased virtual host, you can put JPG/GIF pictures into a database, pass the values through the session, and finally have ASP output the picture directly from the database. The advantage is that no server setup is needed; the disadvantage is that every generated verification picture requires a database connection, which adds overhead.
If you have administrator control, consider using a third-party component. Lucky Chance personally recommends the ASP image component shotgraph; its free version has some restrictions on the generated graphics, but it is enough for making verification codes.
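The verification flow described in section II (generate, keep the answer only on the server, compare on submit) and the session-based approach above, modelled in Python as an added example that is not the article's ASP or PHP code. The class, its parameters, and the expiry, single-use and attempt-limit behaviour are my own additions; only a hash of the answer is kept server-side, so nothing reaches the client except the rendered picture.

```python
import hashlib
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I look-alikes

class CaptchaStore:
    """Server-side CAPTCHA state keyed by session id (constructed example).

    Only a hash of the answer is kept; the plaintext exists solely to be
    drawn into the image, so nothing on the client reveals it."""

    def __init__(self, ttl=120, max_attempts=3, clock=time.time, rng=secrets):
        self.ttl, self.max_attempts = ttl, max_attempts
        self.clock, self.rng = clock, rng
        self._pending = {}   # session_id -> [digest, expires_at, failures]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.strip().upper().encode()).hexdigest()

    def issue(self, session_id, length=5):
        """Generate a fresh code for this session; return it for rendering only."""
        code = "".join(self.rng.choice(ALPHABET) for _ in range(length))
        self._pending[session_id] = [self._digest(code), self.clock() + self.ttl, 0]
        return code

    def verify(self, session_id, submitted):
        """True only for a live, unused code; consumes it on success or lockout."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False                    # nothing issued, or already consumed
        digest, expires_at, failures = entry
        if self.clock() > expires_at:
            self._pending.pop(session_id)   # expired: client must fetch a new image
            return False
        ok = hmac.compare_digest(digest, self._digest(submitted))
        if ok or failures + 1 >= self.max_attempts:
            self._pending.pop(session_id)   # single use; lock out after repeated guesses
        else:
            entry[2] = failures + 1
        return ok
```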