What Is a CAPTCHA Test? How Do CAPTCHAs Work?

Protecting websites from hackers, a few random characters at a time

CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart. screenshot

A CAPTCHA is a short online typing test that is easy for humans to pass but difficult for robotic software programs to complete—hence the test's actual name, Completely Automated Public Turing test to tell Computers and Humans Apart. The purpose of a CAPTCHA is to discourage hackers and spammers from using auto-filling software programs on websites.

Why Are CAPTCHAs Necessary?

CAPTCHAs deter hackers from abusing online services. Hackers and spammers attempt unethical online activities, including:

  • Swaying an online poll by robotically submitting hundreds of false responses
  • Brute-force opening someone's online account by repeatedly attempting different passwords
  • Signing up for hundreds of free email accounts
  • Spamming blogs and news stories with dozens of bogus comments and search-engine links
  • Scraping (copying) people's email addresses from websites, to use them later in spam attacks
  • Falsifying torrent seed counts and positive feedback in order to lure people into downloading a trojan payload

CAPTCHA tests can stop many common, automated attacks by blocking the robot software from submitting online requests. They're deployed most frequently when website owners would rather use technology to block spammy information in the first place, than to have to clean up that content after it's been added. Some website operators, for example, avoid CAPTCHAs to reduce user friction and instead employ algorithms to scan and quarantine suspect comments or accounts after they've been created.

How Do CAPTCHAs Work?

CAPTCHAs work by asking you to type a phrase that a robot would be hard-pressed to read. Commonly, these CAPTCHA phrases are pictures of scrambled words, but for visually impaired people they also could be voice recordings. These pictures and recordings are hard for conventional software programs to understand, and hence, robots are usually unable to type the phrase in response to the picture or recording. As artificial intelligence capabilities increase, the spam bots grow more sophisticated, so the CAPTCHAs generally evolve in complexity as a response.

Are CAPTCHAs Successful?

CAPTCHA tests effectively block most unsophisticated automated attacks, which is why they're so prevalent. They're not without their flaws, however, including a tendency to irritate people who have to answer them.

Google's Re-CAPTCHA software—the next evolution of CAPTCHA technology—uses a different approach. It tries to guess whether a session was initiated by a human or a bot by examining the behavior when the page loads. If it can't tell a human is behind the keyboard, it offers a different kind of test, either the "click here to prove you're human" box or a visual puzzle based on a Google Images photo or a phrase scanned from Google Books. In the photo test, you click all the parts of an image that contain some sort of object, like a street sign or an automobile. Answer correctly, and you continue; answer incorrectly, and you're presented with another image puzzle to solve.

Some vendors offer technology that removes the "test" part of the CAPTCHA by granting or denying website access solely on some criteria related to the pattern of interaction of a Web session. If the security software suspects there's no human driving the session, it silently denies a connection. Otherwise, it grants access to the requested page without any intermediary test or quiz.