Who would cross the Bridge of Death? Answer me these questions three! Oh and you'll need two-factor authentication

I have failed the Turing test – again. Apparently I am unable to exhibit intelligent behaviour equivalent to that of a human being. I am trying to sign into some services I set up ages ago but the Login Lords are having none of it. Quite possibly they are punishing me for having the temerity to disable two-factor …

  1. Pascal Monett Silver badge

    You're absolutely right, Dabbsy

    All these websites that are pretending to "secure" my login by asking me my phone number for 2FA, and then they get hacked by miscreants and where's my security now ?

    If I wanted my phone number to be available to the general public, I'd not have chosen to subscribe to the liste rouge, the French version of Do Not Call.

    You're just a website. I can manage my own security better than you, thank you very much.

    1. GlenP Silver badge

      Re: You're absolutely right, Dabbsy

      Like Microsoft endlessly claiming that a 4 digit PIN stored in their "cloud" is more secure than a complex password.

      1. Schultz
        WTF?

        "4 digit PIN stored in their "cloud" is more secure than a complex password"

        Correct me if I am wrong, but I thought Microsoft suggests you use a short pin code for a single device login but recommends a long password for your account. The latter allows access to all online services and also for local device login. Because physical access to a specific device is much harder than online access, this policy would make perfect sense.

    2. jmch Silver badge

      Re: You're absolutely right, Dabbsy

      "If I wanted my phone number to be available to the general public, I'd not have chosen to subscribe to the liste rouge, the French version of Do Not Call."

      Except that if you're on the liste rouge, your number is available to every marketer who checks whether or not you are on the liste rouge...

  2. Ken Moorhouse Silver badge

    Who would cross the Bridge of Death?

    I thought there was already a thread about Windows 11

    1. Anonymous Coward

      Re: Who would cross the Bridge of Death?

      they definitely have a bridge they wanna sell to you...

  3. chivo243 Silver badge
    Trollface

    Robots and boxes

    I remember reading that a bot trying the CAPTCHA always clicks in the exact center of the box, something no human can possibly do...? Perhaps Dabbsy got lucky and did hit the exact center?

    1. Dan 55 Silver badge
      Devil

      Re: Robots and boxes

      If you don't use Chrome that's considered as suspicious and the chances are you'll be asked to click on more images.

      Couldn't find the video on YouTube, but someone was using something like PaleMoon or Waterfox and had 10 minutes of clicking before giving up.

      Nonsense like this (see also YouTube loading much slower on non-Chrome browsers) is how Google pushes people into using Chrome, but it's waaaaay over regulators' heads.

      1. Mage Silver badge
        Devil

        Re: If you don't use Chrome

        I can confirm some sites have 3 or 4 pages of images on Waterfox and the same site might have 1 or none on Chromium.

        Also some sites simply don't work at all now except on Chromium based browsers, such as FEC (Farnell etc).

        1. Stoneshop

          Re: If you don't use Chrome

          "Also some sites simply don't work at all now except on Chromium based browsers, such as FEC (Farnell etc)."

          Works OK in FF with uBlock Origin allowing only *.farnell.com. At least in so far as I can check; I don't have an account (any more).

        2. Pirate Dave Silver badge
          Pirate

          Re: If you don't use Chrome

          "I can confirm some sites have 3 or 4 pages of images"

          I was seeing the same in Palemoon up until about 2 weeks ago. I assumed Google was "hardening" the captcha stuff in their endless cat-and-mouse with the spammers. But then, about 2 weeks ago, it stopped, and suddenly the single checkbox for "I'm not a robot" is all I need for most sites, no more pics.

          1. whitepines
            Big Brother

            Re: If you don't use Chrome

            I've always suspected the ease of captcha completion is directly proportional to how well Google is tracking you. Easy captcha means Google at least thinks it knows exactly who you are, where you are, what you are likely to want to buy next, and can easily serve you ads. Hard captcha means Google doesn't know who you are and has to resort to generic, less profitable, non-personalized ads.

            As much as I don't like endless pictures of trucks and crosswalks, I think I like Google knowing exactly who I am and where I am at any given time much less. Gives a lot of time to think about whether the web site on the other end of the endless captchas is actually worth visiting, too.

      2. Dave559 Silver badge

        Re: Robots and boxes

        "If you don't use Chrome that's considered as suspicious and the chances are you'll be asked to click on more images."

        I suspect that it's not that not using Chrome per se is deemed to be suspicious, but that Chrome is designed to slurp up profiling data for its masters and therefore it more likely knows much more about the users (and that they aren't robots, as it's tracking their movements all over the web), and that other browsers (and especially their wise and sensible users) are more likely to be set up to not slurp as much data as Chrome (clear cookies, local storage, etc, etc, on exit, using NoScript, etc) and so Google has less to go on when a user arrives on a site containing its horrible CAPTCHA. There surely has to be a way to implement CAPTCHAs that doesn't compromise the privacy of users.

    2. Alumoi Silver badge

      Re: Robots and boxes

      If they have trouble tracking you (as in you're blocking almost every tracker) you'll be shown endless CAPTCHAs.

      Been there, still doing that.

      1. Stoneshop
        Big Brother

        Re: Robots and boxes

        Get shown captcha -> open in container -> set ublock to temporarily allow google.com -> solve captcha -> slam door on google -> proceed with whatever I need to do on that site.

        1. jake Silver badge

          Re: Robots and boxes

          Better idea:

          Get shown captcha -> close web page, never go back.

          When in the mood, call company/.gov office citing ADA, "no access for blind people".

          https://www.latimes.com/politics/story/2019-10-07/blind-person-dominos-ada-supreme-court-disabled

          1. Anonymous Coward

            Re: Get shown captcha -> close web page,

            yeah, until you come across an NHS "report covid test result page, click now to submit". As one of the increasing number of those, kinda indispensable, interactions you have with your overlords :(

  4. brotherelf

    Ah yes, the chimneys.

    2021 is the year of Google Robot Santa.

  5. macjules
    Flame

    Am experiencing exactly the same

    My iPhone decided that with the last update that it would remove all Google Authenticator data and none of my 2FA settings had been backed up (it has to back up to Google cloud, not the Apple cloud). So just now I tried to log into a client portal and it wouldn't allow me in. Never mind the "Is it done yet?" Teams messages which I have circumvented by saying "Tech issue - ticket raised".

    Now waiting on a nice lady in Manila at ServiceNow to unblock 2FA and let me manage to screw it all up again.

  6. ShadowSystems

    Fuck CAPTCHA's.

    That is all.

    1. Jan 0 Silver badge

      Re: Fuck CAPTCHA's.

      You'll feel better if you fuck people.

      1. Paul Crawford Silver badge

        Re: Fuck CAPTCHA's.

        Exactly, get a job in politics.

        1. Potemkine! Silver badge

          Re: Fuck CAPTCHA's.

          Or PR. Works also for Insurance companies, Banks, Mechanics...

          Before this post, I didn't realise there were so many people screwing all day long!

      2. Psmo
        Meh

        Re: Fuck CAPTCHA's.

        Hundreds of people seem dedicated to fucking me. Autorenewals, terms and conditions changing, political deals modifying the game rules.

        It's getting pretty hard to keep track of them all.

      3. Anonymous Coward

        Re: Fuck CAPTCHA's.

        But nobody ever got a CAPTCHA pregnant by accident...

  7. Jan 0 Silver badge

    Ah Captcha!

    That strange game where I'm asked to tick squares with fire hydrants, yet there's no sign of a cast iron lid or a yellow "FH" plaque! (Other styles are available in those countries that have fire hydrants.)

    Traffic lights are more uniform around the world, but is the pole part of the traffic light or not? In contrast, a tiny triangle of white paint in an adjacent square is apparently not part of a pedestrian crossing!

    Surely we can do better!

    1. Anonymous Custard
      Boffin

      Re: Ah Captcha!

      But if we do, how are all the self-driving cars supposed to know what's what?

      I'm personally convinced that all this Captcha stuff is really just for the crowd-sourced data that their cars are using to identify stuff on/around the road.

      So maybe Tesla need to push for a few more Captcha's featuring semi trucks and trailers?

      1. Mage Silver badge
        Big Brother

        Re: their cars are using to identify stuff

        USA Roads.

      2. TomPhan

        Re: Ah Captcha!

        My fear is that it's all happening real-time and there's a "self driving" car about to plough into a pedestrian if the right square isn't clicked within the next five seconds.

        1. Dante Alighieri
          Holmes

          Obligatory

          https://xkcd.com/1897/

    2. Howard Sway Silver badge

      Re: Ah Captcha!

      Captcha, the bot-check that leaves you with the weird sense of foreboding that you're going to get hit by a bus you didn't see coming whilst crossing the road.

    3. The commentard formerly known as Mister_C Silver badge

      Re: Ah Captcha!

      I've never been asked to select the pedestrian crossings by a Captcha. I have, however, been asked to select the crosswalks.

      If a Captcha ever asked me to select the pavement then I would fail because I'd select the sidewalks when it was expecting me to select the carriageway.

      1. stiine Silver badge

        Re: Ah Captcha!

        My record for incorrect captcha entries in a row without giving up is about 15 minutes worth...sometimes it's a fun game to click on all of the people when it's asking for fire hydrants, trees when it's asking for people, sidewalks when it's asking for buildings, but for traffic lights, I click every box that contains no traffic lights. On the flip side are the pictures that contain NONE of the items you have to identify. In those I click all of the boxes on the bottom row, or top row just to fuck with google.

        On the other hand, I used to spend hours and hours solving the original badly-scanned-text captchas. They were fun, challenging, and what else is there to do at 3am...

        1. RockBurner

          Re: Ah Captcha!

          So, when the AI-controlled cars are rampaging downtown {anycity} mowing pedestrians over left right and centre, it'll all be YOUR fault.

          ;)

      2. Sykowasp

        Re: Ah Captcha!

        The crosswalks one was difficult, because they looked just like the areas we have in the UK at traffic lights for bikes to be safe in, and that was when you could actually see anything in the blurry image. Google really needs to sort out the cultural issues with Captcha.

        1. Mage Silver badge
          Coffee/keyboard

          Re: cultural issues

          Why? It's to acquire information about USA roads. They don't much care about the EU, UK, Kenya or Chinese roads.

          1. MiguelC Silver badge

            Re: cultural issues

            "It may as well show me photos of school playgrounds and ask me to click on all the squares containing semi-automatic weapons."

            In retrospect, I believe I may have laughed too hard when reading that one....

      3. Graham Cobb Silver badge

        Re: Ah Captcha!

        I wonder if Monsieur Aleister is browsing in French and the captcha has actually asked him for whatever pedestrian crossings are in French?

        That could be very confusing if Google ever learnt to translate from American to English as if it asked me to click on "zebra crossings" I would expect them to not look like crosswalks!

        1. Kubla Cant

          Re: Ah Captcha!

          "whatever pedestrian crossings are in French"

          Based on my experience of French drivers, it's cibles légitimes.

          1. Anonymous Coward

            Re: Ah Captcha!

            you say "cibles légitimes", I read "imbeciles". And I don't even drive. Must be all that (virtual, future) weekend intoxication cloud...

        2. Anonymous Coward

          Re: Ah Captcha!

          As an American child reading HHGTTG for the first time, the line about "...and for an encore goes on to prove that black is white and gets himself killed on the next zebra crossing." was actually funnier than if I understood what someone from the other side of the Atlantic calls crosswalks.

          The same applies for the most gratuitous use of the word "Belgium". I'm not offended by profanity, but I actually think the Americanized version was funnier and more befitting the Adams style of humor (sorry, "humour")

      4. Anonymous Coward

        Re: expecting me to select the carriageway

        (in the Monty Python mood) single, or dual?

    4. ibmalone

      Re: Ah Captcha!

      "Taxis" = yellow cars (rather than a Prius or an old black Merc with a sign on top). They're not yellow here. Are they even uniformly yellow across the USA?

  8. Mage Silver badge
    Black Helicopters

    From these tests

    They are not really about validating you. It's crowd funded machine learning.

    I put on my web form, in different places:

    The Subject must be at least a ten character phrase.

    Please enter a sentence of at least ten characters as your message:

    and the CAPTCHA is a simple addition question like 3 + 2 =

    Spam has dropped to zero.

    Yes, it's useless for people that can't read and write English, but I as the recipient can only read and write English. I did upgrade to HTTPS: which has increased page hits by about x100, though I suspect bots, even though my counter is supposed to ignore bots. How does that code know?

    https://xkcd.com/2228/

    and

    https://xkcd.com/1897/

    1. DS999 Silver badge

      Re: From these tests

      That's why I always take a minute to deliberately pollute their learning by getting a lot of wrong answers. If I REALLY need to access the site I'll get it right eventually, but more often than not I abandon it after failing.

      Someone needs to do a public service and design a spider to crawl sites using CAPTCHA and flood them with random answers, but masquerade as a browser with a human behind it so they can't easily throw them out. Once Google can't tell a car from a bicycle or a crosswalk from a bridge, they'll be forced to give up on CAPTCHA once and for all!

  9. Anonymous Coward

    Captcha

    Most of them are utter garbage. I mostly fail 3-4 times before succeeding.

    Very annoying.

    2FA is good for security but assumes you'll NEVER lose your phone. It should be securely attached to your skin.

    I've grown so panicked of losing all banking access by losing my phone I now have an identical model as backup!

    1. Mage Silver badge

      Re: I now have an identical model as backup!

      All the 2FA that I'm forced to use, uses SMS. Those can be diverted or intercepted.

      But it's the PHONE NUMBER you need, not an identical phone. I've tested by putting the SIM in a basic GSM only 2.5" square screen feature phone. Still works.

      So how do I clone my SIM for my backup phone (a nice 4.3" Sony Android)? You can get a new free SIM from an operator. Getting the same number from a lost or stolen SIM is hard. In contrast, changing operator and having existing number from a not-lost SIM transferred works in less than 15 minutes.

      I view Apple's software SIM idea as simply Apple's way to lock you to an iPhone.

      1. Anonymous Coward

        Re: I now have an identical model as backup!

        I have 3 services (2 banks plus Steam), that use secure 2FA (and not SMS!). The 2 banks require you to register your phone through the portal, after the first 2FA auth, which MUST be sent via regular mail.

        Then this is the phone used by an app which provides 2FA, never SMS.

        Since regular mail is regularly lost in my place, that's why I have a backup solution.

      2. Stoneshop

        Re: I now have an identical model as backup!

        "You can get a new free SIM from an operator."

        I have two SIMs associated with the same phone number; it's an option my operator offers. You obviously can't have both active at the same time, if you switch on the backup phone the other gets kicked off.

        That second SIM sits in its phone with a fleck of kapton over the contacts.

  10. Warm Braw

    It's a type of gamification and that's all the rage

    It's certainly responsible for quite a lot of mine, though I try to keep some rage spare as I seem to need so much thanks to information technology and all it has wrought.

  11. Anonymous Coward

    Six of one....

    I needed to change details of a website and email server when I left a business recently. I had been the administrator and the account details included a personal email address for resilience. It all went OK. I did the changes, the new admin confirmed she could access the control panel and she changed the access security. But I was still getting all the account admin emails. I couldn't log into the CP so I talked to the new admin who insisted that she'd set everything up properly and wasn't getting the emails I was, but she didn't seem too motivated to fix it. I called the ISP - not expecting much help, given that I didn't know what accounts, passwords or other security had been set up. I explained the problem to the help desk and they fixed it - changed the email address to the new admin's, deleted mine and confirmed that my name and address didn't appear anywhere in relation to the account.

    First thoughts - Wow! That was a lot easier than I expected. Thank goodness for helpful help desks.

    Second thoughts - Wow! What crap security. Remind me never to use them.

    1. Anonymous Coward

      Re: What crap security

      I recall once hearing of someone with really tight security. They couldn't download anything from you. You couldn't upload anything to them. You had to email, and only email, but any message with encrypted or password protected attachments was automatically and silently blocked by some sort of firewall/scanner arrangement.

      They were, in fact, so secure that it was impossible to send them anything securely! :-)

      1. Uncle Slacky Silver badge

        Re: What crap security

        I once got around that by uuencoding the encrypted file and sending it in a plain text email. I had to instruct the recipient how to uudecode it, but it worked (eventually).

  12. Martin-R
    Pint

    An upvote for flagging the colour blindness issue...

    It's often not even that I can't see a difference in two colours, but move them away from the 'key' and I have no idea which colour is which. These bands would certainly give me a problem, and the London Tube map is a nightmare!

    1. Sykowasp

      Re: An upvote for flagging the colour blindness issue...

      You can order a colour blind tube map here - https://tfl.gov.uk/forms/12387.aspx

  13. The commentard formerly known as Mister_C Silver badge

    As I see it

    2FA is needed for security because password recycling has killed email + password security. So the option that most popular websites use is token recycling as they all (*) use the same token - your mobile number. Utterly meaningless as a security factor when the mobile phone is being used to access a website - if your phone gets stolen then the 2FA token has also been stolen. There's no real increase in security, just an extra piece of PII that's been grabbed.

    (*) banks seem to be the exception with their token generator keyfobs that cause Mrs C to generate new and interesting combinations of expletives when they don't work.

    1. Dave K

      Re: As I see it

      However 2FA can be considered a failure when mobile apps on my work phone use it. I launch Teams on my phone for example, and as well as my password, I also need to authenticate via the Microsoft Authenticator app. But the app is on the same phone - so zero increase of security there!

    2. ibmalone
      Flame

      Re: As I see it

      My bank ditched the chip-and-pin token generator for SMS 2FA a couple of years ago. Soooo much more secure.... (see icon ->)

      1. Paul Crawford Silver badge

        Re: As I see it

        Ah, but you are making a school boy error in assuming that the bank wants to eliminate fraud via near-perfect security.

        What they are actually doing is reducing fraud to the point that it is cheaper than increasing security measures.

      2. ThatOne Silver badge
        Unhappy

        Re: As I see it

        > My bank ditched the chip-and-pin token generator for SMS 2FA

        They all do it apparently, sooner or later. SMS is way cheaper than handing out key fobs.

    3. This post has been deleted by its author

  14. Franco

    *Rest assured, dear reader, everything in this column is the gospel Liber AL truth, as Thoth is my witness. Everything is permitted. Call me Aleister.

    And that'll be Ozzy Osbourne and Randy Rhoads stuck in my head for the next few hours. No bad thing though.

    https://www.youtube.com/watch?v=G3LvhdFEOqs

  15. Potemkine! Silver badge

    Some of the covers are brilliant. I love Lithium the Green Day. Not so much for NOFX, bpm is too slow, the outstanding bass line from Fat Mike is missing... But for most of the other ones, it's splendid!

    Oh, by the way, a note for Mr. Dabbs: please continue your brilliant posts on LinkedIn. It's the major reason why I check this site from time to time.

    1. Alistair Dabbs

      LinkedIn posts

      Ah, I thought I'd better tone down my caustic comments added to other people's LinkedIn virtue-signalling posts for fear of frightening away potential work. Although I can barely believe I'm about to type the words that follow, I have recently received paying work through LinkedIn. I'm not worried about taking the piss about virtue-signallers but I don't want all my comments to appear in all my contacts' feeds and make me look like an arse.

      1. mdubash

        Re: LinkedIn posts

        Best thing to do Ali is retire...

      2. Franco

        Re: LinkedIn posts

        You getting work via LinkedIn is particularly amusing for me Dabbsy, because my introduction to your work had you being added randomly by Norbert Spankmonkey and Hank Waggenburger III

        https://www.theregister.com/2014/06/20/dont_add_me_to_your_network_i_have_no_idea_who_you_are/

        Seven year old column, and that shit still happens to me to this day. In amongst all the virtue-signalling. (not by me!)

  16. Terry 6 Silver badge

    Bit slow off the mark there. We were commenting on just this days ago. Particularly the confusion between yellow vehicles and taxis/school buses and the failure to correctly name Zebra Crossings. Also fire hydrants, which as far as I'm aware are just film props.

    1. John Brown (no body) Silver badge

      "Also fire hydrants, which as far as I'm aware are just film props."

      Yes, my entire experience of US fire hydrants is that they are props placed by the road side for cars and trucks to crash into and cause "spectacular" fountains. Or for New York kids to congregate around when the weather gets a bit warm.

  17. Cuddles

    Ceci n'est pas une robot

    Let's just be thankful they don't ask you to identify pictures of pipes.

    1. Uncle Slacky Silver badge

      Re: Ceci n'est pas une robot

      You could also interpret it as "I am not a food processor" as French tends to overload its nouns.

      1. LastTangoInParis

        Re: Ceci n'est pas une robot

        Or indeed, in South Africa, “I am not a traffic light”. Perhaps the localised version there would ask to click on the robots …..

  18. T. F. M. Reader

    I understand 2FA at work

    if something happens to my second factor, e.g., phone, while I am on a business trip (remember those?), I am fairly sure I can call the sysadmin from the hotel or from a substitute phone, and he will recognize my voice, and will reset whatever needs to be reset.

    For the life of me I don't understand how I can prove to someone like Google that I am who I say I am if I haven't got my phone anymore. It seems to me that being locked out is a much bigger problem than my gmail password being swiped.

    [To say nothing of the fact that I always travel with a different phone with a different SIM and a number associated with a different country, for economy reasons. SMS simply won't arrive.]

  19. itzman
    Devil

    Book of Lies?

    "*Rest assured, dear reader, everything in this column is the gospel Liber AL truth, as Thoth is my witness. Everything is permitted. Call me Aleister."

    Golly. I never would have pegged you as a student of the occult!

  20. Blackjack Silver badge

    [From these tests, I am led to believe that robots don't know what roads, traffic lights, road signs, or road vehicles look like. Good job nobody in their right mind expects a robot to drive their car for them or we'd be in real trouble.]

    Yes, we are lucky we do not trust robots to drive cars for us, or to hire or fire people or to control our economy.

  21. Anonymous Coward

    Don't click on me. I am not a robot. I'm a screenshot

    Ha! You should have put a counter on that png! This could prove SO MANY points, you know...
