The purpose of this page is to show you how to improve the security of your website by adding an image with deformed numbers that visitors need to type into an input field. If you use such a mechanism on your login page, you will for all practical purposes ensure that a brute-force approach to cracking user passwords will fail. eBay uses this mechanism to protect the viewing of member pages. To see it, go to http://hub.ebay.com.au/community and attempt to view someone's member profile.
Let me know whether you like my solution. The Java module Dibdef.java generates the numbers and the images on the basis of ten templates, but I had to do quite a bit of fiddly work to create the templates themselves.
I first tried to generate GIF images, but ran into problems because GIFs are compressed with the LZW algorithm. Each generated image would have had a different length, thereby adding a level of complexity to the generating algorithm. I tried to create uncompressed GIFs but, I confess, failed to do so. I still think I did everything right, but the images were not displayed correctly. Finally, I decided to use Device-Independent Bitmaps (DIBs), which are uncompressed. I was reluctant to do so, because they are nothing else than Microsoft BMP images, and I am not in love with Microsoft. But what convinced me was that DIB/BMP images have a very simple file format.
The latest HTML standard only states that the src attribute of the img tag "specifies the location of the image resource. Examples of widely recognized image formats include GIF, JPEG, and PNG", but the fact that Mozilla Firefox supports BMPs tells me that they are widely accepted.
To keep everything as simple and efficient as possible, I hardcoded the colours and dimensions of the digits, limited the colours to 16 levels of grey, and defined a colour palette with white in the first position (i.e., with colour index zero), so that arrays of colour indices default to white. I also pre-calculated and saved the information necessary to generate seven different skews of each decimal digit from '0' to '9', so as to avoid having to calculate the skews for every newly generated digit. I initially generated a single multi-dimensional array to store the digit templates, but immediately discovered that it exceeded the limit of 64kB available by default for each Java source. That's why I defined ten separate classes, from D0 to D9.
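To make the "very simple file format" concrete, here is an added example (my own code, not the author's Dibdef.java) of a minimal writer for a 4-bits-per-pixel uncompressed DIB/BMP with a 16-level grey palette whose index 0 is white, exactly the layout described above; the class and method names are my own choice. Because the format is uncompressed, every image of the same dimensions has the same length, which is the property the author could not get from GIF.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Arrays;

/** Encodes an array of 4-bit greyscale palette indices as an uncompressed DIB/BMP file. */
public class DibWriter {
    private static final int PALETTE_SIZE = 16;   // 16 levels of grey, as on this page

    // pixels holds width*height palette indices (0 = white ... 15 = black), top row first;
    // the returned byte[] is the complete BMP file, ready to be written to disk or served.
    public static byte[] encode(int width, int height, byte[] pixels) {
        int stride = ((width * 4 + 31) / 32) * 4;          // each row is padded to a 4-byte boundary
        int pixelBytes = stride * height;
        int offset = 14 + 40 + PALETTE_SIZE * 4;           // file header + info header + palette
        ByteBuffer b = ByteBuffer.allocate(offset + pixelBytes).order(ByteOrder.LITTLE_ENDIAN);
        // BITMAPFILEHEADER (14 bytes)
        b.put((byte) 'B').put((byte) 'M');
        b.putInt(offset + pixelBytes);                      // total file size
        b.putShort((short) 0).putShort((short) 0);          // reserved
        b.putInt(offset);                                   // where the pixel array starts
        // BITMAPINFOHEADER (40 bytes)
        b.putInt(40);                                       // header size
        b.putInt(width);
        b.putInt(height);                                   // positive height: rows stored bottom-up
        b.putShort((short) 1);                              // colour planes
        b.putShort((short) 4);                              // bits per pixel: one nibble per pixel
        b.putInt(0);                                        // BI_RGB, i.e. no compression
        b.putInt(pixelBytes);
        b.putInt(2835).putInt(2835);                        // pixels per metre (72 dpi), cosmetic
        b.putInt(PALETTE_SIZE);                             // colours used
        b.putInt(0);                                        // all colours important
        // Palette: index 0 is white, so a zero-filled index array renders as a blank image
        for (int i = 0; i < PALETTE_SIZE; i++) {
            byte grey = (byte) (255 - 17 * i);
            b.put(grey).put(grey).put(grey).put((byte) 0);  // B, G, R, reserved
        }
        // Pixel rows, bottom row first, two indices per byte, leftmost pixel in the high nibble
        byte[] row = new byte[stride];
        for (int y = height - 1; y >= 0; y--) {
            Arrays.fill(row, (byte) 0);
            for (int x = 0; x < width; x++) {
                int idx = pixels[y * width + x] & 0x0F;
                row[x / 2] |= (x % 2 == 0) ? idx << 4 : idx;
            }
            b.put(row);
        }
        return b.array();
    }
}
```

Write the returned array with java.nio.file.Files.write and give the file a .bmp extension; the field order follows the Windows BITMAPFILEHEADER and BITMAPINFOHEADER structures, so any browser that accepts BMP will display it.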
Actually, I am not completely happy to have to generate a file for each new number, but to avoid the creation of image files I would have had to use an applet, and I always try to avoid using applets if I can. Their support in HTML and JSP is limited and will probably disappear sooner or later.
I make this software available under the GNU General Public License. Click here to download the JAR file with the Java sources and compiled classes. Look at the source of this web page to see how to use the package. FYI, just in case you don't know, JAR files use the same compression mechanism as zip files. Therefore, to access the content of a JAR file on a PC you only need to change the file extension from .jar to .zip and double-click on it.