What Is a CAPTCHA Test? How Do CAPTCHAs Work?

Protecting websites from hackers, a few random characters at a time

What is a CAPTCHA test?

A CAPTCHA is a short online typing test that is easy for humans to pass but difficult for robotic software programs to complete — hence the test's name, Completely Automated Public Turing test to tell Computers and Humans Apart. The purpose of a CAPTCHA is to discourage hackers and spammers from using auto-filling software programs on websites.

What We Like

  • Provides an extra measure of security.

  • Doesn't rely on visitors' memories.

  • SMS isn't required to authenticate.

What We Don't Like

  • Many CAPTCHAs are hard to read.

  • Some CAPTCHAs are buggy.

  • Can't be used by those with visual impairments.

Why Are CAPTCHAs Necessary?

CAPTCHA tests deter hackers from abusing online services and stop automated attacks by blocking robot software from submitting online requests. CAPTCHAs prevent unethical online activities, such as when hackers or spammers attempt to:

  • Sway online polls by robotically submitting hundreds of false responses.
  • Brute-force open online accounts by attempting different passwords.
  • Sign up for hundreds of free email accounts.
  • Spam blogs and news stories with fake comments and search engine links.
  • Scrape (copy) email addresses from websites to use in spam attacks.
  • Falsify torrent seed counts and positive feedback to lure people into downloading a Trojan payload.

CAPTCHAs are deployed when website owners would rather use technology to block spammy information than clean up spam content after it's been added. Some website operators avoid CAPTCHAs to reduce user friction and instead employ algorithms to scan and quarantine suspect comments or accounts after they've been created.

How Do CAPTCHAs Work?

CAPTCHAs work by asking you to type a phrase that a robot would be hard-pressed to read. Commonly, the phrase is presented as a picture of scrambled words, but it may also be a voice recording.

These pictures and recordings are hard for conventional software programs to understand, and hence, robots are usually unable to type the phrase in response to the picture or recording. As artificial intelligence capabilities increase, spambots grow more sophisticated, so CAPTCHAs generally evolve in complexity as a response.
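The server side of the typed-phrase test described above, as an added example that is not from the original article: the server issues a random phrase with a signed token, then accepts a typed answer only once and only before it expires. The key, alphabet, token layout and function names are assumptions made for illustration, and rendering the distorted image or audio clip is left out.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key (assumption); a real deployment loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)
# Alphabet without look-alike characters (0/O, 1/I/L) to reduce human misreads.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
TTL_SECONDS = 120
_used_nonces = set()  # in-memory replay cache; multiple servers need shared storage


def _mac(nonce, expires, phrase):
    """Bind the expected phrase to this challenge's nonce and expiry."""
    msg = f"{nonce}|{expires}|{phrase}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None, length=6):
    """Return (phrase, token). The phrase is shown only as a distorted image or
    audio clip; the token travels with the form and does not reveal the phrase."""
    now = time.time() if now is None else now
    phrase = "".join(secrets.choice(ALPHABET) for _ in range(length))
    nonce = secrets.token_hex(8)
    expires = int(now) + TTL_SECONDS
    return phrase, f"{nonce}.{expires}.{_mac(nonce, expires, phrase)}"


def verify_answer(token, answer, now=None):
    """Accept the typed answer only if it matches, is unexpired, and is unused."""
    now = time.time() if now is None else now
    try:
        nonce, expires_text, mac = token.split(".")
        expires = int(expires_text)
    except ValueError:
        return False  # malformed token
    if now > expires or nonce in _used_nonces:
        return False  # expired, or a challenge that was already attempted
    _used_nonces.add(nonce)  # one attempt per challenge, right or wrong
    expected = _mac(nonce, expires, answer.strip().upper())
    # Constant-time comparison; a tampered expiry or nonce changes the MAC.
    return hmac.compare_digest(expected.encode(), mac.encode())
```

Limiting each challenge to a single attempt matters as much as the distortion: without it, an automated client could keep guessing against the same token until it succeeds.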

Are CAPTCHAs Successful?

CAPTCHA tests effectively block most unsophisticated automated attacks, which is why they're so prevalent. They're not without their flaws, however, including a tendency to irritate people who have to answer them.

Google's reCAPTCHA software — the next evolution of CAPTCHA technology — uses a different approach. It guesses whether a session was initiated by a human or a bot by examining the behavior when the page loads. When it can't tell if a human is behind the keyboard, it offers a different kind of test: the "click here to prove you're human" box, a visual puzzle based on a Google Images photo, or a phrase scanned from Google Books. In the photo test, you click the parts of an image that contain some sort of object, such as a street sign or automobile. Answer correctly, and you continue; answer incorrectly, and you're presented with another image puzzle to solve.

Some vendors offer technology that removes the test part of the CAPTCHA by granting or denying website access solely on criteria related to the pattern of interaction of a web session. If the security software suspects there's no human driving the session, it denies a connection. Otherwise, it grants access to the requested page without an intermediary test or quiz.