1. Introduction

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security task verifying if the user is a human.

This tutorial will elaborate on how it works and what kind of protection it provides.

2. Security

The CAPTCHA is an algorithm preventing applications from bots and various spam attacks. The most common type of CAPTCHA is a distorted image of text that users must correctly rewrite into a text field. The image is malformed in a way that only humans can correctly evaluate it and computer software should not. Below we can see an example of such a CAPTCHA:

CAPTCHA test

Example applications of CAPTCHAs are:

  • Preventing spam on blogs and forums – spammers are always looking for places to send spam to promote some products, publish unwanted content, or rising ranks. Spam software can send thousands of messages in a short time. By using CAPTCHA, websites can block such unwanted actions.
  • Protecting website registration – websites offering free services upon registration are often attacked by automated scripts that create thousands of accounts to obtain the free service or sell them. CAPTCHA can protect applications from such abuse.
  • Preventing brute force attacks – hypothetically there exist brute force attacks that can iterate through all possible password combinations to hack a user account. Usually, websites blocks user accounts after several failed logins. Although, it’s not a good solution to enable attackers to block a specific user account easily. Therefore, instead of blocking the user account, a better solution is to present a CAPTCHA.
  • Preventing scraping data – scrapers are programs that automatically collect user data. Attackers use scrapers,e.g., to collect contact data from users and send spam. CAPTCHA can protect sensitive data from scraping bots.

We can see that CAPTCHA can be a useful tool. It increases applications and data security. Moreover, CAPTCHA isn’t always used for security reasons. In some cases, CAPTCHA can be a tool that teaches AI models. Such models can later be used for various purposes like digitalizing books, annotating images, and improving Google Maps.

Let’s see how CAPTCHA algorithms work.

3. Algorithm

The CAPTCHA algorithms are fully automated and reliable. They are often public but sometimes patent-covered. Making the CAPTCHA algorithm public proves and highlights its complexity. It shows that the algorithm can’t be bypassed by simply reverse engineering. Rather, cracking the algorithm would be a complex, AI-related solution.

The CAPTCHA algorithms rely on three abilities invariant recognition, segmentation, and context recognition. A human can use those abilities simultaneously to correctly and efficiently complete the CAPTCHA task. Let’s analyze them:

  • Invariant recognition is the ability of the human brain to distinguish objects represented by different variations. The objects, e.g. letters, may come in different sizes, rotations, or even distortions. Still, humans can correctly and effectively identify them. On the other hand, computers don’t have this ability. Teaching them to distinguish objects in many forms is a complex task. Moreover, it’s always possible that even the best AI algorithms could fail.
  • Segmentation is the ability to distinguish objects even if they’re crowded together and lack of gaps between them.
  • Context recognition is important while solving CAPTCHAs. For example, sometimes identifying crowded, similar letters like “u”, “n” and “m can be only achieved by recognizing the word as a whole. A human brain is able to understand the word in many ways, e.g., seeing only the first and last letters, and omitting the middle.

As we can see, solving a CAPTCHA is a more complex task than we can think. That’s because our brains are powerful and can handle it without much effort. Although, computers don’t possess such cognitive abilities. Therefore, solving CAPTCHA is very difficult to bypass by software.

4. Types of CAPTCHA

Nowadays, there are different types of CAPTCHA available. In the beginning, there were only text-based CAPTCHAs. Text CAPTCHAs evolved into multiple subtypes, like:

  • Gimpy – presents an arbitrary number of words in a distorted form
  • EZ-Gimpy – similar to Gimpy but presents only a single word
  • Gimpy-r – presents random letters with a noisy background
  • Simard’s HIP – shows random numbers and letters in a distorted way

The second type is image CAPTCHA. Typically, they present multiple images and challenge users to choose those matching a specific theme or contain a given object:Reverse CAPTCHA

An example of CAPTCHA is an audio-based CAPTCHA. It’s usually combined with a text one. A text can be played as audio. Audio-based CAPTCHA was created especially for visually impaired people that could have problems with solving only text-based ones:

audio captcha

There can be other variants of CAPTCHA such as solving math problems or answering a question.

CAPTCHAs are criticized by a lot of Internet users. They have many disadvantages:

  • There are unfriendly to people with disabilities.
  • In some cases, they make websites difficult to work with.
  • They can make users leave the site. Thus, they can decrease lead generation.
  • They don’t guarantee to be error-proof.

Therefore, Google invented a new generation of CAPTCHA called reCAPTCHA. It’s just a simple checkbox with the text “I’m not a robot” that the user needs to tick. Why is that so simple? The algorithm tracks the website’s visitor behavior. As Google relates, it monitors “the user’s entire engagement” on the website. When a user’s behavior is considered to be strange, the more difficult CAPTCHA problem is presented. Below, we can see the reCaptcha example:

Zrzut ekranu

5. Conclusion

Nowadays, CAPTCHA is still a commonly used protection against spam and bots. There exist some methods to bypass the CAPTCHA, e.g., outsourcing to paid services, machine learning-based attacks, or just insecure implementation of the CAPTCHA algorithm. Although, they are not powerful and effective enough to make CAPTCHA worthless. Therefore, if we want to provide an additional layer of security to the website CAPTCHA is still a good choice.