For some, they’re quite annoying, interrupting browsing time and getting in the way – but CAPTCHAs have a serious job to do. They’re used to determine whether someone is attempting to use a site legitimately, or if they’re a bot. The original tests started to appear in the 1990s and they’re now more sophisticated than ever. But…do they actually work?
Why do we use CAPTCHAs?
Whether you’re trying to weigh up whether to use google recaptcha vs hcaptcha they all have pretty much the same function. They aim to prevent bots who are posing as humans from getting to resources that are only meant for humans and no one else.
Why does this matter? For numerous reasons – we don’t want bad bots to access certain pages as they can find ways to create fake accounts to increase traffic, overload servers, or even prevent real customers from accessing services. They can fraudulently take over sites by gaining control of contact forms and spamming content containing dangerous links to unsuspecting users.
Sometimes they can interfere with things like online polls by voting uncontrollably, or even tamper with reviews on legitimate sites to make them appear either better or worse.
As bots have developed in sophistication over the years they have learned to bypass some CAPTCHA challenges which means they now have to be more sophisticated.
CAPTCHAs in action
How do they work? If a CAPTCHA is triggered it enables a pop-up window when users attempt to access specific pages or input information. This prompts users to complete a CAPTCHA test. In the early days, text would appear blended or out of shape and bots would find this hard to work out – thus it was successful. Humans were more able to work these out and pass them.
Traditional CAPTCHAs come in a few different forms such as:
Text CAPTCHA: The most common type, and it required users to type in displayed words to pass the test. The text was often blurred or distorted and came with a similarly distorted background. The main complaint about these was that they discriminated against visually impaired people.
Image CAPTCHA: Here, users get given a few selected images and are told to pick the ones that contain a specified object. This tends to be more effective as it’s easier for humans to recognize images and bots will find this trickier. However, as they’ve gained sophistication over the years it’s become easier for them to bypass these types of CAPTCHAs and get through. Now with machine learning and AI, companies like Google are retraining their CAPTCHAs to make them more adept at preventing bots.
Audio CAPTCHA: Here, one of the keys has to be accessibility – audio CAPTCHAs can be used alongside text ones to make them more user-friendly. With something like this a generated voice will speak out the letters and numbers or mention words that begin with the specified letters you’re being asked to enter.
CAPTCHA Test triggers
The main triggers for a CAPTCHA test are suspicious behaviors that come from both humans and bots.
There are some common ones to look out for and these include factors like IP tracking, for instance, if a user’s IP has been identified as a potential bot.
Something like resource loading, where a user doesn’t automatically load styles or images. The next trigger might be a sign-in error, whereby a user isn’t signed into Google or Gmail when they access a site.
There might be concerns over bot-like behavior, like weird clicking patterns or strange mouse movements that are picked up on, too. Browsing history might be checked as there are very few (if any) humans that will only log onto one web page over and over again.
With all this in mind let’s take a look at whether CAPTCHAs work well or not.
What are the negative points of CAPTCHAs?
These days traditional CAPTCHAs are nowhere near strong enough to keep bots away from your site, app, or otherwise and a big name like Google CAPTCHA might rely far too heavily on people using their respective accounts or emails to be safe enough. Some experts have concerns about their privacy compliance too. Over the last few years, it’s become easier for bots to solve CAPTCHAs or even use CAPTCHA farms to pass challenges making it easier for them to get a website and make changes like the ones we’ve mentioned above.
Do CAPTCHAs actually work?
They’re like the curate’s egg, essentially – good in parts. They work well in some circumstances and not so well in others. Of course, they can stop very simple bots, but in terms of anything more sophisticated they tend to struggle – and they don’t always perform their original objective as well as they could. They will always work best when they’re paired up with powerful bot detection. That said, they are still a useful tool to have in a website’s security arsenal and a worthwhile consideration – they just need a little extra help at times.