What is a CAPTCHA? A comprehensive guide

The idea for the test was first created by Alan Turing, a mathematician and an important figure in computer science. The Turing Test, which he proposed in the 1950s, is one of the key contributions to artificial intelligence.

The test involved a human evaluator communicating with an entity they couldn’t see — a human or a machine — through text. If the evaluator couldn’t differentiate between the machine and the human, it was considered that the machine passed it. Modern-day CAPTCHAs are more complex tests that are based on this idea.

CAPTCHA tests help detect bot-driven traffic in various online activities, such as completing web forms, reviewing products, writing comments, and responding to polls. Most websites and platforms use CAPTCHAs as part of their cybersecurity strategy. Like multi-factor authentication, CAPTCHAs improve account security and protect users from intruders.

Let’s look at the different types of CAPTCHAs and how they work.

CAPTCHAs come in three main types — text-based, image-based, and sound-based. Let’s look at each type in more detail.

• Text-based CAPTCHAs. Text CAPTCHAs show users distorted text, including random letters, numbers, and well-known phrases. Such tests are the traditional CAPTCHAs because they came before image and audio versions. Text CAPTCHAs don’t just present letters or numbers as they are but show them in a distorted way that requires interpretation. For example, users may see scaled, rotated, or overlapping characters with additional elements (e.g., lines, dots, arcs, or color).
• Image-based CAPTCHAs. An image-based CAPTCHA is also known as an image recognition CAPTCHA because the user has to interpret, recognize, and correctly identify an image. A CAPTCHA image can be anything from photos of animals to graphical elements and scenes. Image recognition CAPTCHAs ask the user to select all images that match a theme (e.g., zebra crossings) or pick those that don’t. Image CAPTCHAs can be easier to complete than text-based CAPTCHA challenges.
• Audio CAPTCHAs. An audio-based CAPTCHA test provides an alternative for visually impaired users. Instead of just showing images or distorted text, the system allows users to listen to the CAPTCHA challenge. They hear a recording of a series of letters or numbers, which they must enter to verify they’re human. The sound is typically distorted or contains background noise, making it more challenging for bots. Audio CAPTCHAs rely on the fact that bots can’t distinguish the relevant characters from the distorted audio or background noise.

CAPTCHAs present a challenge to users that they have to complete to proceed with the action they want to complete. User interaction is required — the CAPTCHA won’t let you complete the web form or access the web page without providing the correct answer.

As mentioned above, image-based captchas show users several images, and most often, users have to select the ones that match or don’t match a theme. Text-based CAPTCHAs are more traditional and provide a distorted string of letters or numbers for the user to type in a box.

Once the user has completed the test, the system knows they’re human and allows them to carry on with whatever they’re doing on the web page.

Programmers use several techniques and algorithms to generate CAPTCHAs, which typically depend on the CAPTCHA type.

For example, text-based CAPTCHA technology uses:

• Gimpy for creating random strings of words that are distorted and not so easy to read.
• Simard’s HIP for selecting random numbers and letters and distorting them with arcs and colors.

Image CAPTCHAs use large databases of various imagery. Using complex algorithms, programmers randomly select and show specific images to the user — whether it’s pictures of animals or fire hydrants.

Programmers can also track how each image is performing. For example, if users get one image more wrong than others, it may indicate that the image is confusing or misleading and may need to be removed or replaced.

When creating image and text CAPTCHAs, developers have to strike a balance between making them challenging for bots but easy enough for humans to complete. Occasionally, you may run into a CAPTCHA that is too confusing or complex – a frustrating experience that may deter users. However, a simple CAPTCHA may not be as effective against bots, with machine learning algorithms managing to complete it as humans would.

CAPTCHAs can be created by enterprises themselves, open-source (e.g., PHP CAPTCHA), or third-party services (such as Google).

What is a CAPTCHA example?

You’ve probably seen hundreds of CAPTCHA images and text in your lifetime, but let’s illustrate the above with an example.

Imagine you want to create an account with an email provider that asks you to complete a CAPTCHA test to verify you’re human. This way, the provider prevents bots from creating accounts for malicious reasons.

At some point in your account creation process, you’re shown a grid of nine images, some containing a bus. These buses vary by color, size, and type. Some of them are school buses; others look like sightseeing buses. There’s even a traditional red London double-decker bus!

The images are distorted using techniques like stretching, twisting, or blurring out some parts of the picture. Some photos have nothing to do with buses and contain objects like apples, trains, and Lego pieces.

You also see a prompt at the top or bottom of the image that reads, “Please select all images that contain a bus.” As the prompt suggests, you’ll need to select all pictures with a bus. If you successfully do this, you’ll be verified as a human and will be able to create an account with this provider.

Generally, CAPTCHAs are used to tell computers and humans apart and filter out unwanted bot-generated internet traffic. By differentiating between human users and bots, CAPTCHAs ensure that only real people access services or interact with content. Here’s how CAPTCHAs are used.

• Preventing automated registrations. CAPTCHA tests limit fake registrations on web pages (i.e., bots registering multiple times). Bots may attempt to create several fake accounts for various reasons, from spamming to targeting users with brute force attacks. Having many accounts means cybercriminals with many failed logins may not draw as much attention to themselves.
• Blocking false comments. Shady companies use bots to spam message boards, forums, and contact forms with fake comments to promote products or services. CAPTCHA tests ensure that only real people can post comments on a web page.
• Maintaining online poll accuracy. Anyone can complete online polls, making them accessible — but vulnerable to bots. Groups or individuals with a specific agenda may use bots to influence online poll results (for example, on questions like which party you plan to vote for). CAPTCHAs help prevent this by ensuring only people can complete these questionnaires.
• Protecting user accounts. Some bots may try to break into user accounts by trying different login combinations. Asking users to perform a CAPTCHA test when entering a password protects against unauthorized access. When a CAPTCHA image, text, or audio is used, websites can ensure that only a human with the right credentials can access a user’s account (even if the bot correctly guesses the user’s credentials).
• Protecting email addresses. Some email providers ask users to complete CAPTCHA tests to access functions like password resetting. This email security step is crucial because some bots are programmed to reset passwords and lock genuine users out of their accounts.
• Preventing cyberattacks. Cybercriminals may create malicious bots (brute force bots) that attempt to break into user accounts and steal personal information. CAPTCHAs limit automated login attempts so that the bots can’t try and guess the password an unlimited number of times. A CAPTCHA is typically introduced after several failed attempts, and hacking into the account becomes more difficult.

Why does Google use CAPTCHA?

Like many other companies, Google uses CAPTCHA to improve account security and prevent unauthorized access. CAPTCHA is an additional security step users must complete when:

• Signing up for a new Google service account (e.g., Gmail, YouTube).
• Registering for a Google Workspace Account.
• Changing a password on their Google account.
• Setting up Google services on a device (e.g., iPhone).
• Suspicious activity is detected on your account (e.g., multiple requests).

Although Google’s CAPTCHAs rely on images, audio versions are available for visually impaired users. Those wanting to access an audio version need to click the wheelchair icon that appears near the text box.

Google also offers a free service called reCAPTCHA. What is a reCAPTCHA? It’s an advanced alternative to traditional CAPTCHAs that businesses can add to their sites to keep out bot traffic. The reCAPTCHA technology was developed by Carnegie Mellon University researchers and then bought by Google.

Compared to CAPTCHA, Google reCAPTCHA is more advanced. These tests include image recognition tasks, selecting a single checkbox, or doing nothing while reCAPTCHA observes and assesses your online behavior.

Generally, using CAPTCHAs is safe, but cybercriminals can still hack or bypass them in several ways.

Cybercriminals may use machine learning technologies to solve certain types of CAPTCHA or even hire people who offer CAPTCHA-solving services. Hackers can send CAPTCHAs to these human workers via APIs, get their response, and input it back into the targeted side in seconds.

What about CAPTCHAs taking your data? While traditional CAPTCHAs don’t store or track your data in any way, modern reCAPTCHAs actually determine whether you’re human or a bot by tracking your user behavior, potentially posing privacy risks.

A reCAPTCHA takes a snapshot of your actions on a website and compares this information to what it knows about bot activity. With this information, it can decide if you’re a human or a bot. While the information reCAPTCHA collects is typically just your IP address and the resources you have loaded (e.g., images) — it still isn’t great that it collects this information.

Finally, can a CAPTCHA be a virus? The answer, unfortunately, is yes. While it isn’t common, cybercriminals can manipulate CAPTCHAs by injecting malicious codes into the images. When users click on the images to select them, they may download a virus onto their browser or computer. That’s why it’s essential to be careful when visiting sites that may appear suspicious or unsafe. Don’t click on anything — not even a CAPTCHA image.

Can CAPTCHAs effectively stop malicious bots?

While CAPTCHAs help prevent malicious bot attacks, they are not foolproof. Even though these tests are helpful when it comes to identifying and filtering out bots, cybercriminals can find ways to manipulate and bypass them.

However, CAPTCHAs still contribute to making accounts and websites safer for users. The complexity of CAPTCHAs makes it more difficult and time-consuming for cybercriminals to carry out attacks. As a result, they need more resources and time to successfully launch an attack, which may deter some of them from targeting a CAPTCHA-protected website.