Definition

CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)

What is CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)?

A CAPTCHA is a type of challenge-response system designed to differentiate humans from robotic computer programs. CAPTCHAs are used as security checks to deter spammers and hackers from using forms on web pages to insert malicious or frivolous code.

How does CAPTCHA work?

Quite simply, CAPTCHA works by asking end users to perform some task that a software bot cannot do. If the user can do the task correctly, it provides authentication to the service that the user is a human being and not a spambot and allows the user to continue.

Tests often involve JPEG or GIF images because while bots can identify the existence of an image by reading source code, they cannot tell what the image depicts.

Because some CAPTCHA images are difficult to interpret, human users are usually given the option to request a new CAPTCHA test.

CAPTCHA example
Examples of CAPTCHA challenges, which slow down bots trying to post spam and more.

History of CAPTCHA

The need for CAPTCHAs began as far back as 1997. At that time, the internet search engine AltaVista was looking for a way to block automated URL submissions to the platform that were skewing the search engine's ranking algorithms.

To solve the problem, Andrei Broder, formerly AltaVista's chief scientist, developed an algorithm that randomly generated an image of printed text.

Although computers could not recognize the image, humans could read the message the image contained and respond appropriately. Broder and his team were issued a patent for the technology in April 2001.

In 2003, Nicholas Hopper, Manuel Blum, Luis von Ahn of Carnegie Mellon University, and John Langford of IBM perfected the algorithm and coined the term CAPTCHA for Completely Automated Public Turing Test to Tell Computers and Humans Apart.

A Turing test uses artificial intelligence (AI) to determine whether a computer is capable of thinking like a human being or not. It is named after its founder, Alan Turing, a computer scientist, cryptanalyst, mathematician and theoretical biologist.

Jason Polakis, a professor in computer science, took credit for an increase in CAPTCHA difficulty in 2016 when he published a paper where he used image recognition tools to solve Google image CAPTCHAs with an accuracy of 70%.

Polakis believes we are at a point at which making CAPTCHAs harder for software to solve will now simultaneously make it more difficult for humans to solve.

Different types of CAPTCHAs

The most common type of CAPTCHA is the text CAPTCHA, which requires the user to view distorted letters or distorted text, usually containing a string of alphanumeric characters in an image, and enter the characters in an attached form.

This throws off bots that are typically trained in pattern recognition and are simply unable to react independently as a human would.

Text CAPTCHAS are also rendered as MP3 audio CAPTCHAs to meet the needs of the visually impaired. Just as with images, bots can detect the presence of an audio file, but only a human can listen and know the information the file contains.

Another common CAPTCHA uses picture recognition by asking users to identify a subset of images within a larger set of images. For instance, the user may be given a set of images and asked to click on all the ones that have cars, buses or street signs in them.

Arkose Labs ML models for 3D questions used for fraud prevention purposes
Cybersecurity vendor Arkose Labs implements ML models to generate 3D questions for fraud prevention purposes.

Other forms of CAPTCHAs include:

  • Math CAPTCHA. Requires the user to solve a basic math problem, such as adding or subtracting two numbers.
  • 3D Super CAPTCHA. Requires the user to identify an image rendered in 3D.
  • I am not a robot CAPTCHA. Requires the user to check a box.
  • Marketing CAPTCHA. Requires the user to type a particular word or phrase related to the sponsor's brand.
I am not a robot CAPTCHA
Example of an I am not a robot CAPTCHA in action.

Advantages and disadvantages of CAPTCHAs

Advantages of CAPTCHAs include:

  • They prevent spam from automated programs that could send emails, comments or advertisements.
  • They prevent fake registrations or sign-ups for websites.
  • CAPTCHAs are familiar, so website visitors automatically understand what they are tasked to do.
  • CAPTCHAs are also easy to implement in building a website.

Disadvantages of CAPTCHAs include:

  • CAPTCHAs are not foolproof and can only limit spam.
  • They can be time consuming or annoying to end users.
  • To some people, CAPTCHAs may be challenging to read.
  • Websites using CAPTCHAs may notice traffic decreases because users find the tasks difficult.

How attackers defeat CAPTCHAs

Attackers have multiple ways they can get around CAPTCHAs, such as using machine learning (ML) algorithms, which provide a fast and accurate way of defeating a CAPTCHA.

Attackers can use either a deep learning model, which downloads a large collection of CAPTCHA examples that the model learns how to solve, or use a generative adversarial network (GAN) to create CAPTCHAs to then learn how to solve them.

Additionally, CAPTCHAs using MD5 hashes are susceptible to brute-force attacks.

To combat this, many organizations have developed more advanced CAPTCHA systems, such as the Google reCAPTCHA which uses advanced risk analysis and adaptive challenges to keep malicious software from invading the user's information system.

Bypassing CAPTCHA

Users who don't like solving CAPTCHAs can use any of several browser add-ons that allow users to bypass CAPTCHAs. Popular browser add-ons include AntiCaptcha and Rumola.

The AntiCaptcha automatic CAPTCHA solver plug-in app for Chrome and Firefox automatically finds a CAPTCHA on a webpage and solves it for the user. This extension is promoted as being helpful for users with vision impairments, as well as for users who prefer to bypass CAPTCHA codes.

The Rumola add-on for Firefox, Chrome and Safari automatically searches for CAPTCHAs on the web pages a user visits. For those who do not want to install an extension, Rumola offers a bookmarklet.

Because third parties create CAPTCHA bypass add-ons, end users should be aware that browser extensions could expose their browsing activity to untrusted sources.

Another reason not to use CAPTCHA bypasses is that the performance of the extensions is inconsistent. This is primarily because as bots get smarter, CAPTCHAs are also evolving and it can be difficult for the add-on programs to keep up.

This was last updated in November 2021

Continue Reading About CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart)

Dig Deeper on Network security