Thread: Those 4 or 5 number/digits

  1. #1

    Those 4 or 5 number/digits

    For a while now I've noticed some websites using those pictures with 4 or 5 numbers/digits, which in addition to your user/pw, you have to fill into another box to get access.

    I think it's well known from free mail services and the like to prevent robots from signing up, but what is the reason for using it for membership access?

    Is it a real additional security feature that stops robots from brute force attacks or is it just another gimmick that is trendy at the moment and something you really have to have nowadays?


  2. #2
    haganxy
    You are referring to software programs that enhance the security of your members' area. These programs combat brute password hack attempts, password sharing, as well as "content harvesting" programs.

    Strongbox is one of the software programs out there that provides an image with letters or numbers for a member to enter.

    I believe that some type of this software is important, especially since most customers choose a login something like:

    username: bob123
    password: password123

    which obviously can easily be hacked by one of the hacking robots out there.
    hagan - IT nerd
    PrideBucks.com
    ICQ: 49962103


  3. #3
    raymor
    Guest
    Originally posted by attis:
        "Is it a real additional security feature that stops robots from brute force attacks or is it just another gimmick that is trendy at the moment and something you really have to have nowadays?"

    It's a real security feature that you really should have, AND is trendy at the moment.
    The Turing image reduces the number of dictionary attacks, commonly called brute force
    attacks, by an average of around 80%. It is also one feature of Strongbox that reduces the
    average duration of an attack by 90%. Multiplying the inverses, we get a total reduction in
    the number of login attempts that are attacks of about 98%. Because each attempt has
    less than a 1% chance of matching the Turing image, the Turing reduces successful
    attacks by at least 99.98%. If you strip away all of the math, the bottom line is that it's
    extremely effective.

    What about it being trendy now, though? There are two parts to this. We didn't see it
    much until Strongbox introduced the Turing a few years ago. As with most things related
    to security systems, the other systems didn't pick it up until after they saw Strongbox
    using it and webmasters demanded the additional security. You can tell the difference
    between the few who really understand the theory and how to most effectively use it
    versus the imitators by looking at the language they use. The correct and rather old term
    is a "Turing" image, as it relates to the work of Dr. Alan Turing in distinguishing between
    humans and computer programs. The PHP kiddies who try to imitate Strongbox without
    really understanding the theory don't know the correct term, so they'll call it a "CAPTCHA"
    or some other nonsense word made up in the last year or two.

    It's also a bit "trendy" in that it won't stay so effective forever. The crackers are trying
    to build OCR into their software that will defeat many Turing Images. Eventually they
    will succeed in getting reliable OCR. So the Turing won't last forever, it's just one way
    that we stay one step ahead of the bad guys. Soon we'll start using some different types
    of Turing images that we have on reserve that are more difficult to OCR, while still
    easy for the user to read. At the same time or shortly after, we'll introduce our next
    weapon we've so far held in reserve, some simple biometrics that can not only
    distinguish between a computer program versus a human, but can indicate whether or
    not it's the same human being each time based on measuring the physiological aspects
    of their body.
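
The image-code check discussed in this thread, as an added Python example that is not part of any post and is not Strongbox's code: the code is verified server-side, is single-use and expiring, and is checked before the password is ever evaluated. The function names, the 120-second lifetime and the in-memory store are assumptions; the sample account is the one quoted in post #2.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120   # seconds a challenge stays valid (assumed value)
_challenges = {}      # challenge_id -> (expected_digits, expires_at)

# Constructed sample account taken from the login quoted in post #2.
_SALT = b"constructed-salt"
_USERS = {"bob123": hashlib.pbkdf2_hmac("sha256", b"password123", _SALT, 100_000)}


def issue_challenge(now=None):
    """Create a 5-digit challenge; the digits would be rendered as an image."""
    now = time.time() if now is None else now
    cid = secrets.token_urlsafe(16)               # unguessable challenge id
    digits = f"{secrets.randbelow(100_000):05d}"  # CSPRNG, not random.random()
    _challenges[cid] = (digits, now + CHALLENGE_TTL)
    return cid, digits


def check_challenge(cid, answer, now=None):
    """Consume the challenge on every attempt so one image allows one guess."""
    now = time.time() if now is None else now
    entry = _challenges.pop(cid, None)            # single use, right or wrong
    if entry is None:
        return False
    digits, expires_at = entry
    same = hmac.compare_digest(digits.encode(), str(answer).encode())
    return now <= expires_at and same


def login(username, password, cid, answer, now=None):
    """Return True only if the challenge and the credentials are both valid."""
    if not check_challenge(cid, answer, now):
        return False                              # password is never evaluated
    stored = _USERS.get(username)
    # Hash even for unknown users so timing does not reveal valid usernames.
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return stored is not None and hmac.compare_digest(stored, supplied)
```

Because a wrong answer also consumes the challenge, an automated client must fetch and read a fresh image for every password guess.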

