CAPTCHA is an acronym for “completely automated public Turing test to tell computers and humans apart.” Computer scientists came up with the simple tests in the 1990s. They are designed to be easy for humans to solve but difficult for computers, and they are still widely used today to prevent bots from spamming websites.
Whether it’s having to pick out all the squares that have kittens, move a puzzle piece to the right spot, or type the scribbled letters shown, we’ve all jumped through our share of hoops. While they can sometimes be annoying, CAPTCHAs are necessary to protect websites from exploitation by hackers and other malicious third parties.
How does CAPTCHA work?
Sites generally present a user with several images, a line of text or numbers, or an audio track. Users will have to follow the instructions given by the CAPTCHA and input some sort of response to prove that they’re human.
While CAPTCHAs are helpful, they don’t entirely prevent bots or spammers. By copying how humans think and perceive, neural network technology lets cybercriminals create AI-enabled software that solves CAPTCHAs with a high success rate. Therefore, CAPTCHAs should never be the only defense against spam or bots.
What triggers a CAPTCHA test?
CAPTCHA tests are usually triggered when a website detects suspicious activity or behavior that seems automated. Below are some of the common activities that prompt a website to trigger a CAPTCHA test:
IP address changes
If you’re using a VPN, you’re likely to encounter CAPTCHAs because a VPN provides you with an alternative IP address. As IP addresses reveal the general location of a user, the sudden change might make a website suspect that you’re a bot or an automated script.
Large loading requests
Websites and online services use CAPTCHAs to prevent bots and other malicious actors from overloading their servers and disrupting the experience for genuine users. As such, if you’re suddenly making large requests for images, videos, and other media content, a site might view your behaviour as suspicious and trigger CAPTCHAs between searches.
Logging in to an account
In this instance, CAPTCHAs are deployed as an additional security layer to verify that you’re indeed human and are trying to log into your account.
Bot-like behavior
Completing forms quickly, strange clicking patterns, and unusual amounts of server requests constitute bot-like behavior.
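One way a site could turn "unusual amounts of server requests" into a CAPTCHA trigger, shown as an added example that is not from the original article: a per-client sliding-window counter run over a constructed access log. The log format, window length, and request limit are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed sliding-window length
MAX_REQUESTS = 5      # assumed per-client request budget inside one window

# Constructed sample log, one request per line: "<unix_ts> <client_ip> <path>"
SAMPLE_LOG = """\
100 198.51.100.7 /search?q=a
100 203.0.113.9 /
101 198.51.100.7 /search?q=b
102 198.51.100.7 /search?q=c
103 198.51.100.7 /search?q=d
104 198.51.100.7 /search?q=e
105 198.51.100.7 /search?q=f
108 203.0.113.9 /about
not a log line
120 203.0.113.9 /contact
"""


def clients_to_challenge(log_text, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
    """Return {ip: timestamp} for the first moment each client exceeds the limit."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue              # skip malformed lines instead of crashing
        ts, ip = int(parts[0]), parts[1]
        q = recent[ip]
        q.append(ts)
        # Evict requests that have aged out of the window.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts      # this client would now be shown a CAPTCHA
    return flagged
```

A client that spreads the same number of requests over a longer period stays under the limit, which is why rate alone is usually combined with other signals.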
Lack of browsing history
To be clear, CAPTCHAs cannot see your browsing history. However, because reCAPTCHA is owned by Google, many Internet users believe that the big tech company will trigger a CAPTCHA test if they can’t detect a user’s browsing history.
Types of CAPTCHAs
We look at some of the different types of CAPTCHAs commonly used on websites, the best ways to solve them, and their efficacy rates.
Text-based CAPTCHAs
Text-based CAPTCHAs (example above) require users to input a code that consists of letters, numbers, or a mixture of both to verify that they’re human.
Effectiveness: Over the years, some conflicting reports claim that text-based CAPTCHAs aren’t as effective as people initially thought. However, many big e-commerce brands and tech companies use them to hedge against malicious bots.
Tips to solve: None, really. Text-based CAPTCHAs are generally easy to solve.
Types of text-based CAPTCHAs include:
Gimpy
The word “gimpy” refers to the distorted text in an image that a user has to decipher and input to prove that they are human. Gimpy CAPTCHAs use any number of words from an 850-word dictionary to throw bots off.
EZ-Gimpy
EZ-Gimpy is a subset of the Gimpy CAPTCHA and is generally easier to solve as it usually includes one word or phrase.
Gimpy-r
Gimpy-r picks letters randomly and adds background color to confuse bots further. Thanks to all the noise in the background, Gimpy-rs can also be confusing to humans.
Simard’s HIP
Simard’s HIPs go a step further than Gimpy-rs by including numbers for humans to fill and adding patterns to the background.
Audio CAPTCHA
Audio CAPTCHAs (example above) are an alternative to text-based CAPTCHAs for people with visual disabilities or motor impairments. To verify, users must listen to a recording and input the code.
Effectiveness: While they’re slightly uncomfortable and annoying to listen to, audio CAPTCHAs are said to be most effective against bots. Most bots aren’t trained in speech recognition or to differentiate letters from background sounds.
Tips to solve: Lots of focus! To solve this one, listen hard to the audio track being played and do your best.
Confident ReCAPTCHA or image CAPTCHAs
The most popular form of CAPTCHA—and the subject of a thousand memes—these tests involve selecting photos based on given instructions. To get this right in one go, you’ll need to think like the crowd and click on photos you think everyone else will click on. No time for overthinking!
Effectiveness: With a purported success rate of 96%, we’d rate this as high. The images presented are subjective enough that bots aren’t currently equipped to identify them.
Tips to solve: Don’t overthink it. If you fail, you’ll get a new test that might be easier.
No CAPTCHA reCAPTCHA (or reCAPTCHA V2)
Introduced by Google in 2014, this test is simple: Just click on a box that says “I am not a robot.” The CAPTCHA then determines if the user is a human or a bot based on which part of the box was clicked. Bots will tend to click the box directly in the middle. If by some coincidence, a human clicks directly in the center, a backup verification method will be deployed where a user must type out a combination of numbers or letters.
Effectiveness: High
Tips to solve: Don’t click directly in the center of the box; it’s hard to get this wrong if you’re human.
Math problems or word tasks
For these CAPTCHAs, the challenges range from solving a simple arithmetic problem to typing out a specified word. Despite how easy they might seem to humans, these tests are surprisingly difficult for bots to solve.
Effectiveness: Medium. In particular, bots have become adept at solving the classic challenge of typing out a line of distorted text.
Tips to solve: Think of your favorite school teacher cheering you on. You can do it!
The honeypot CAPTCHA
Honeypots are hardcoded forms of CAPTCHA that only bots can see. These CAPTCHAs often appear as empty fields in a form. As a result, bots will automatically attempt to fill them in, which allows websites to easily reject any answers or forms when they’ve been submitted.
Effectiveness: Medium; some bots are not fooled
Tips to solve: N/A; humans don’t have to do anything
Time forms
Another form of CAPTCHA involves timing how long it takes someone to fill out a form. Bots fill in forms instantly, so if you’re human, taking your time will prove it.
Effectiveness: High
Tips to solve: Fill out forms at human speed (i.e., slow) and don’t use automation.
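The honeypot and time-form checks described above can be enforced together on the server. The following is an added example, not code from the original article; the decoy field name, secret key, and thresholds are assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: per-deployment secret, kept server-side
HONEYPOT_FIELD = "website"            # hypothetical decoy input, hidden from humans with CSS
MIN_FILL_SECONDS = 3.0                # assumed threshold; tune against real traffic
MAX_FORM_AGE_SECONDS = 3600           # reject stale tokens to limit replay


def _mac(ts):
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Return 'timestamp:mac' to embed in a hidden field when the form is rendered."""
    ts = str(int(now if now is not None else time.time()))
    return f"{ts}:{_mac(ts)}"


def check_submission(form, now=None):
    """Classify a submitted form (dict of str -> str); returns (accepted, reason)."""
    now = now if now is not None else time.time()
    # Honeypot: humans never see this field, so any value marks automation.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"
    ts, _, mac = form.get("form_token", "").partition(":")
    # The MAC stops a client from back-dating the render time; compare in constant time.
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False, "bad_token"
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return False, "too_fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return False, "token_expired"
    return True, "ok"
```

Because the render time is signed by the server, the timing check does not depend on anything the client reports about itself.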
Social media sign-in
Quite possibly the most secure form of CAPTCHA, social media logins require humans to sign into their Facebook, Instagram, or Google accounts to access websites. Since bots are not meant to have social media accounts, it’s pretty easy to ensure they won’t get past these tests. A significant downside is that users might find it a hassle to log in with a separate account and think twice about linking their personal information.
Effectiveness: High
Tips to solve: This is as simple as having a social media account. You don’t even have to use your primary or active account. Setting up an account specifically for social media sign-in could be an excellent way to bypass these CAPTCHAs quickly without compromising your privacy.
Invisible CAPTCHA (or reCAPTCHA V3)
According to Google, this works in the background to determine whether a site visitor is human or a bot. This method doesn’t require any input on the user’s behalf and monitors how the activity is conducted on a site to issue a score between 0 and 1—where a score between 0 and 0.3 is considered a bot, and a score between 0.4 and 1.0 is deemed human. How does it work exactly? Nobody knows, as Google hasn’t opened it up to public scrutiny. We suppose, from their perspective, this makes sense as it keeps malicious actors one step behind.
Effectiveness: Unknown
Tips to solve: Be human. It has been found that visiting sites with a Google cookie installed on your browser increases your chances of being perceived as human.
How else are CAPTCHAs commonly used on websites?
Besides protecting sites from spam and bot fraud, CAPTCHAs are also deployed for various other reasons.
To maintain poll accuracy
CAPTCHAs prevent poll or voting results from being skewed by authenticating that each voter is, in fact, human. As CAPTCHAs also take time to fill, bots will have more difficulty spamming a polling or voting platform.
For limiting registration for services
CAPTCHAs limit the creation of bot accounts on social media platforms, event registration pages, and free services. This frees up the resources needed by companies for legitimate accounts.
In 2020, Instagram announced it was attempting to stamp out bot accounts on its platform by making owners of profiles with suspicious behavior provide additional identification information and confirm that they are real. It’s estimated that Instagram has over 95 million fake accounts.
To prevent price inflation on tickets
Some ticketing systems, like Ticketmaster, alter the price of tickets based on demand. The company claims that this prevents scalpers from purchasing tickets and reselling them. However, bots can still drive up the cost of tickets, leading to even more issues.
Ticketing systems can prevent this by including CAPTCHAs in their purchasing process to slow bots down and deter scalpers.
To prevent false comments, spam or harassment
CAPTCHAs can be particularly useful for websites or blogs that allow comments, as they slow bots (or people) down, which could prevent spam, false comments, and even harassment.
To prevent scalpers from purchasing limited edition products
CAPTCHAs can prevent resellers with bots from having an unfair advantage over human buyers when purchasing limited edition products. Resellers have famously used bots to purchase limited-edition sneakers, bags, and electronics.
In 2022, Nike updated its terms of sale to crack down on resellers and bots. The sneaker giant has also gone on to cancel orders that they suspect were made by bots.
Cons of using CAPTCHA
If you’ve encountered CAPTCHAs, chances are you’ve also failed a CAPTCHA. Not being able to prove your humanness is disheartening—but perhaps more common than you think.
CAPTCHAs can be frustrating and disruptive
In 2014, Google tested its machine-learning algorithm against humans in solving the most complex types of CAPTCHAs the company could dream up. Humans got through the tests at a laughable 33% pass rate, while Google’s machines passed 99.8% of the time.
May be difficult to understand or use
On some level, CAPTCHAs are now more difficult for humans to solve than computers, raising questions about their relevance. Meanwhile, solving CAPTCHAs has become a side hustle for some. So yes, you can hire someone to figure out which images have awnings in them.
Some CAPTCHA types are not accessible to users
Users with visual, auditory or motor impairments might have difficulties accessing and solving CAPTCHAs. This might also lead to frustration and unhappiness when accessing certain sites.
Some websites might experience fewer page views
As CAPTCHAs can be a bit of a deterrent for visitors, websites that have recently implemented them might notice a temporary dip in traffic.