What Is CAPTCHA and How Does It Work?

Written by Danielle Bodnar
Published on April 5, 2023

What is CAPTCHA?

CAPTCHA, which stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart, is a type of challenge or test designed to distinguish humans from robots. CAPTCHAs are a security measure used to prevent automated web crawlers, also known as bots, from commenting, submitting forms, or otherwise spamming websites.

    There are different types of CAPTCHA tests: distorted text in an image, a series of images, or even text dictated in an audio file. CAPTCHAs have evolved for accessibility and to keep up with the increasing sophistication of bot technology.

    What is the purpose of CAPTCHA?

    CAPTCHAs are used to verify that a user trying to access a website is a human and not a bot. Websites that employ CAPTCHA technology aim to prevent bots from disrupting their sites and using features inappropriately.

    Here are some examples of when CAPTCHA codes are used:

    • For online purchases

    • To access secure areas of a website

    • When collecting email registrations (to ensure authentic email lists)

    • To verify accuracy in polls and surveys (to ensure only human votes are counted)

    CAPTCHA also works to prevent spammers and hackers from inserting malware into online forms. So, CAPTCHAs are also used to defend against the following types of online threats:

    While CAPTCHA’s question, “Are you a robot?” may seem unnecessary and annoying, it serves an essential security purpose.

    The history of CAPTCHA

    CAPTCHA’s history started with the Turing test, created in 1950 by Alan Turing. Turing wanted to see whether machines could think or appear as humans. The test consisted of a series of questions that a human and a machine had to answer. If the interviewer couldn’t tell the difference between the human answers and those of the machine, the machine passed the test.

    With the mass adoption of the internet in the 1990s, distinguishing between machines and humans became more than just a thought experiment. The CAPTCHA system was first invented in 1997 to stop URL submission abuse to the search engine AltaVista. Its deployment successfully reduced the number of spam submissions by 95%.

    However, the system wasn’t called CAPTCHA until 2003, when Luis von Ahn, co-creator of Duolingo and founder of reCAPTCHA, coined the term.

    How does CAPTCHA work?

    CAPTCHA works by prompting users to complete a quick challenge or task to prove that they are human. These tasks are designed to be impossible for a bot to solve. CAPTCHA then checks the user’s responses against the “answers” in its system. If the responses and answers match, the user can proceed.

    What causes a CAPTCHA test to launch?

    Many websites have CAPTCHA tests that are triggered when users enter certain access points on the site. But sometimes user behavior itself can trigger a CAPTCHA test, especially if it resembles that of a robot.

    A CAPTCHA test can be triggered if:

    • A user’s IP address has been identified as a bot.

    • Styles or images aren’t loaded on a web page.

    • There are multiple attempts to load a page.

    • A user isn’t signed in to Google.

    • The system detects strange clicking behavior, no mouse movement, or perfectly-centered checkbox clicking.

    • A user’s browser shows no browsing history.

    • A user fails the first CAPTCHA test.

    CAPTCHA types

    Both the types of CAPTCHA tests and the best practices around them have evolved since the test’s inception, and many different types are now in use.

    Here are some of the different types of CAPTCHA tests used today:

    Text CAPTCHA

    Text CAPTCHA is the most basic type of CAPTCHA. This CAPTCHA appears in the form of a sequence of letters and numbers, which can appear in a few different ways:

    • Gimpy Text CAPTCHA selects a random number of words from an 850-word lexicon and presents them in a distorted form.

    • EZ-Gimpy distorts just one word.

    • Gimpy-r chooses random letters, distorts them, and adds background noise.

    • Simard’s HIP selects letters and digits at random and distorts them with arcs and colors.

    Image of a text CAPTCHA test, with a distorted series of letters. Source: Wikimedia Commons

    Many websites use text CAPTCHAs, and you can often find them on online polls.

    Audio CAPTCHA

    Audio CAPTCHA was developed for visually impaired users, because alt text can’t be used in visual CAPTCHAs. This type of CAPTCHA is an audio recording of a series of letters and numbers. When the recording plays, users must listen and then enter the sequence correctly. Audio CAPTCHAs tend to be challenging for humans as well as computers to work out, and they disadvantage hearing-impaired users.

    Check out this article from Ars Technica to see what an audio CAPTCHA looks like.

    Image CAPTCHA

    Image CAPTCHAs, or CAPTCHA picture tests, were developed to replace text CAPTCHAs as computers got better at cracking code.

    Image CAPTCHAs work by showing the user a set of pictures and asking them to identify a feature (such as a particular orientation) or element (such as traffic lights) found in some but not all of the images. This type of CAPTCHA has more advanced security, but disadvantages visually-impaired users. Here’s an article from Vox with more about image CAPTCHAs.

    Word or math CAPTCHA

    Word CAPTCHAs require some literacy knowledge, as users must input the missing word in a given phrase or complete a sequence of related terms to advance to the next page.

    Some so-called math CAPTCHAs require users to complete a math problem. These are usually simple but randomly generated, making it more difficult for basic bots to guess the answer. Sometimes the numbers are presented in a distorted, hard-to-read way, similar to text CAPTCHAs, to make it more difficult for bots to interpret.

    A math CAPTCHA test, with a simple math equation presented in a distorted image. Source: Wikimedia Commons

    Other popular CAPTCHA methods

    Other types of CAPTCHA tests are out there, some of them feeling barely like tests at all.

    Time-based CAPTCHAs measure the time it takes for the user to enter information. If a form is filled out too quickly, which may indicate the work of a bot, then the user is locked out.
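    As an added illustration (not code from the original article), here is a minimal server-side sketch of the mechanics described above: a randomly generated math challenge whose answer is kept in the site's own system, combined with a time-based check. The thresholds, function names and in-memory store are assumptions, and this sketch rejects an over-fast submission rather than locking the user out.

```python
import hmac
import secrets
import time

MIN_FILL_SECONDS = 3    # assumed: answers faster than this look automated
MAX_AGE_SECONDS = 120   # assumed: challenges expire after two minutes
_pending = {}           # challenge id -> (expected answer, time issued)


def issue_challenge(now=None):
    """Create a random sum; only the id and the question go to the client."""
    now = time.time() if now is None else now
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    challenge_id = secrets.token_urlsafe(16)
    _pending[challenge_id] = (str(a + b), now)
    return challenge_id, f"What is {a} + {b}?"


def verify_response(challenge_id, response, now=None):
    """Return 'ok', or the reason the submission is rejected."""
    now = time.time() if now is None else now
    # pop() makes every challenge single-use: a wrong guess burns it, so a
    # bot cannot walk through all 17 possible sums against one challenge.
    entry = _pending.pop(challenge_id, None)
    if entry is None:
        return "unknown-or-reused"
    expected, issued_at = entry
    elapsed = now - issued_at
    if elapsed > MAX_AGE_SECONDS:
        return "expired"
    if elapsed < MIN_FILL_SECONDS:
        return "too-fast"
    if not hmac.compare_digest(response.strip().encode(), expected.encode()):
        return "wrong-answer"
    return "ok"


if __name__ == "__main__":
    cid, question = issue_challenge(now=1000.0)
    print(question)
    print(verify_response(cid, "0", now=1010.0))   # wrong-answer (sums are 2..18)
    print(verify_response(cid, "0", now=1011.0))   # unknown-or-reused
```
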

    Puzzle CAPTCHAs usually involve a drag-and-drop motion to line up shapes in a puzzle. They were designed to be quick and accessible for humans across many regions, and difficult for bots to complete.

    Another popular test is where the user has to check a box confirming “I am not a robot.” Secretly, this CAPTCHA test is tracking the user’s movements to see whether they more closely resemble those of a bot or a human.

    Social media single sign-on

    Social media single sign-on (SSO) is another, more subtle type of CAPTCHA. With this type of CAPTCHA, users are prompted to sign in to a social media account. The single sign-on functionality is then used to automatically fill in the user’s details. While the form is filled in quickly, the user has proven they are a human by showing that they have a legitimate social media account.

    A single-sign-on page, with the options to sign in via LinkedIn, Facebook, or Google

    What is No CAPTCHA reCAPTCHA?

    No CAPTCHA reCAPTCHA was developed by Google to counteract advanced bots that could crack conventional CAPTCHA tests. It also makes life easier for users, as you can confirm you aren’t a robot with a single click.

    The earliest version of reCAPTCHA uses text and imagery from the real world, such as images from street view and text from books scanned by Google, to test whether the user is a robot.

    No CAPTCHA reCAPTCHA is a more sophisticated method that tracks a user’s activity as they check the “I’m not a robot” box. The technology may also assess the cookies stored on the user’s browser, as well as the device’s history, to determine whether the user is a robot. If it can’t confidently verify the user’s a human, a conventional image CAPTCHA is loaded.

    Google uses reCAPTCHA for several of its services, including:

    • Signing up for a Google service

    • Signing up for a G Suite account

    • Changing a password on an existing account

    • Setting up Google services on a third-party device, such as an iPhone

    Google reCAPTCHA tests are constantly evolving, with a third version currently out. The latest iteration requires no user input, meaning that users benefit from no interruption. The program calculates a score according to the user’s behavior and history — depending on the score, the website owner has the option to grant access or deploy a different test.
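    As an added illustration (not code from the original article or from Google), this sketch shows how a site owner might act on the score once the server has received the JSON result of the reCAPTCHA v3 verification call. The field names follow Google's siteverify response; the hostname, the threshold and the sample responses are assumptions constructed for the example.

```python
import json

EXPECTED_HOSTNAME = "shop.example"  # assumed: the site's own hostname
ALLOW_AT = 0.5                      # assumed threshold; tune per form


def decide(siteverify_body, expected_action):
    """Map a siteverify JSON response to 'allow', 'challenge' or 'reject'."""
    try:
        result = json.loads(siteverify_body)
    except json.JSONDecodeError:
        return "reject"
    if not isinstance(result, dict) or result.get("success") is not True:
        return "reject"                      # token invalid, expired or reused
    # A valid token minted on another site or for another form does not count.
    if result.get("hostname") != EXPECTED_HOSTNAME:
        return "reject"
    if result.get("action") != expected_action:
        return "reject"
    score = result.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "reject"
    # 1.0 is most likely human, 0.0 most likely a bot. A low score deploys
    # a different test instead of blocking the user outright.
    return "allow" if score >= ALLOW_AT else "challenge"


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "human": '{"success": true, "score": 0.9, "action": "login", '
             '"hostname": "shop.example"}',
    "suspect": '{"success": true, "score": 0.1, "action": "login", '
               '"hostname": "shop.example"}',
    "wrong_action": '{"success": true, "score": 0.9, "action": "signup", '
                    '"hostname": "shop.example"}',
    "invalid": '{"success": false, "error-codes": ["invalid-input-response"]}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", decide(body, expected_action="login"))
```
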

    A No CAPTCHA reCAPTCHA pop-up box with the text "I'm not a robot" and a checkbox next to it

    How secure are CAPTCHAs?

    CAPTCHAs are generally safe, but they can be hacked. CAPTCHAs help prevent bots, including malicious ones, from accessing sensitive sections of a site or generating spam messages.

    Since modern reCAPTCHAs determine whether the user is a robot by tracking browsing behavior, this can be intrusive to user privacy. The privacy-focused hCAPTCHA is arguably a more secure alternative to reCAPTCHA. hCAPTCHA relies on instant feedback from users on a simple CAPTCHA test and doesn’t collect data.

    And while CAPTCHA helps stop bots and keep us safer, it doesn’t stop online tracking and third parties from collecting your data. For this, you need to use a VPN, especially when browsing on public Wi-Fi. A VPN helps to keep your online activity and IP address private. You can even install a VPN on your mobile phone, so you can stay protected on the go.

    Advantages of CAPTCHA

    Adding CAPTCHA to a website offers a host of advantages. First, CAPTCHAs help improve overall website safety. An effectively implemented CAPTCHA prevents malicious bot software from sending requests, thus protecting websites from malware and DDoS attacks. CAPTCHA also helps preserve the integrity of data, protecting the results of activities like online polls.

    CAPTCHA also improves the safety of online purchases, prevents fake registrations or sign-ups on websites, protects email addresses from scammers, and defends against junk mail. And CAPTCHA is easy to implement and free, so just about any website can set it up.

    Drawbacks of CAPTCHA

    Of course, CAPTCHA has drawbacks. There’s the ever-present challenge of technological progress: bots are getting better all the time at passing CAPTCHA tests. And emerging generative AI technology like ChatGPT could make it easier for bots to bypass CAPTCHA tests.

    Additionally, CAPTCHA services can disrupt the flow of a user’s activity, resulting in a poor user experience on a site. CAPTCHA may not be supported by all browsers, either. Nor are all CAPTCHAs accessible to everyone — visually-impaired users are often unable to complete image-based CAPTCHAs.

    And there are some browser extensions that help you bypass CAPTCHAs (we recommend not using these plug-ins, because they may pose a security risk). And newer reCAPTCHAs mean your browsing activity is being tracked to some extent, so it’s still important to use additional security tools like a VPN to protect your data and privacy.

    Secure your personal information with a VPN

    AVG Secure VPN helps keep your data secure no matter where you are or what device you’re using. AVG Secure VPN creates an encrypted internet connection that safeguards your online activity and helps prevent snoops from tracking what you do online. Keep your browsing, banking, and online activities hidden with AVG Secure VPN. Try it for free today.
