**Cracking the Code: How CAPTCHAs challenge Humans and Machines.**
*Written by Laquinta, Ochea, Tan*
---
**What are CAPTCHAs?**
I'm sure each and every one of us internet users has already come across some form of CAPTCHA. If a website has asked you to enter a series of random letters in a text box or to pick images based on an instruction, then you've most likely encountered a CAPTCHA.
**CAPTCHA** is short for "Completely Automated Public Turing test to tell Computers and Humans apart". It's a bit of a mouthful, hence the abbreviation. It refers to the authentication methods that are used to validate users as humans, and not bots. These authentication methods are easy for humans to accomplish but difficult for machines.
**The CAPTCHA Types**
**| Math Problems**
Math Problem CAPTCHA does exactly what it sounds like. The user is presented with a problem where they have to input the correct answer in the box.

*Image retrieved from https://www.cashify.in/what-is-captcha*
**| Text-based CAPTCHAs**
Text-based CAPTCHAs present users with a string of random letters and characters. The string is often obscured by some form of distortion or image filter that makes it hard for bots to interpret.

*Image retrieved from https://www.okta.com/uk/identity-101/captcha/*
**| Image-based**
Image recognition CAPTCHAs present users with a series of images in a grid. The user must then select the images that relate to the given theme. Unfortunately, this can also pose a problem for visually impaired users.

*Image retrieved from https://www.wallarm.com/what/what-is-captcha-types-and-examples*
**| reCAPTCHA**
A reCAPTCHA test might seem simple, as you only have to click the box to prove that you are not a robot. However, the box also contains a checkbox. Humans will naturally click on the checkbox when asked to click a box, but bots behave differently because they are more methodical: they are more likely to click the center of the box instead of the checkbox.

*Image retrieved from https://www.cashify.in/what-is-captcha*
**| Audio CAPTCHA**
Audio CAPTCHAs play audio clips that recite characters and letters to the user. Background noise is often incorporated to trick the bot's interpretation.

*Image retrieved from https://www.cashify.in/what-is-captcha*
**How does it work?**
The classic CAPTCHA (not reCAPTCHA) involves asking users to identify distorted letters and input the correct letters into a form field. If the letters don't match, the CAPTCHA simply prompts the user to try again. If you fail multiple times, it is a sign that you are probably not a human, or simply a dunderhead, and you would be blocked from accessing the website. This is difficult for machines to accomplish, as a computer program would have problems interpreting the distorted letters, unlike humans, who are used to identifying letters in different fonts, writing styles, and languages.
The same goes for an image reCAPTCHA test, where users are typically presented with a 3x3 or 4x4 square image. Each image block may be part of a whole picture or different from the others, and the user is prompted to identify the images that contain selected objects. Machines, and even advanced AI programs, would have difficulty accomplishing this, especially if the given image is blurry.
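The try-again-then-block flow of the classic text CAPTCHA described above, sketched on the server side as an added example (not code from the original article). The class name, the attempt limit, and the challenge lifetime are assumptions, and rendering the text as a distorted image is left out.

```python
import hashlib
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # skips look-alikes such as O/0 and I/1
MAX_ATTEMPTS = 3      # assumed number of wrong answers before the client is blocked
TTL_SECONDS = 120     # assumed lifetime of one challenge


class CaptchaStore:
    """Hypothetical in-memory challenge store; a real site would use a shared cache."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)   # per-process HMAC key
        self._clock = clock
        self._pending = {}                    # token -> [answer_mac, expires, failures]

    def _mac(self, text):
        normalized = text.strip().upper().encode()
        return hmac.new(self._key, normalized, hashlib.sha256).digest()

    def issue(self, length=6):
        """Return (token, text); the text is what gets drawn as a distorted image."""
        text = "".join(secrets.choice(ALPHABET) for _ in range(length))
        token = secrets.token_urlsafe(16)
        self._pending[token] = [self._mac(text), self._clock() + TTL_SECONDS, 0]
        return token, text

    def verify(self, token, answer):
        """Return 'ok', 'retry', 'blocked' or 'invalid'."""
        entry = self._pending.get(token)
        if entry is None:
            return "invalid"                  # unknown, already solved, or blocked earlier
        mac, expires, _ = entry
        if self._clock() > expires:
            del self._pending[token]
            return "invalid"
        if hmac.compare_digest(mac, self._mac(answer)):
            del self._pending[token]          # single use: a solved token cannot be replayed
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[token]          # too many failures: drop the challenge
            return "blocked"
        return "retry"
```

Only a keyed hash of the answer is kept on the server, and a token stops working once it is solved, expired, or failed too many times, so a correct answer cannot be reused across requests.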
**When should CAPTCHAs be used and what do they prevent?**
CAPTCHAs are used to distinguish humans from bots. They are used when trying to prevent unauthorized access to user accounts, spamming, scraping of website data, and possible distributed denial-of-service (DDoS) attacks.
CAPTCHAs are created with the goal of preventing bots from taking over the web, especially on certain websites that are meant for human users only. Why do we have to prevent bots from taking over the web pages though? This is because malicious bots can do the following:
- **Create many fake accounts.** This will definitely consume unnecessary resources, which can lead to an increase in web traffic and overloading of servers, which could possibly deny real users the services provided by the website.
- **Take over websites.** Bots can potentially spam websites with comments and messages which may contain scams and dangerous links which may potentially harm the users.
- **Affect results and/or sales.** Scalpers can use bots to purchase products in large quantities (which they can resell for higher prices) or directly affect online polls by spamming votes.
**How are CAPTCHAs defeated?**
CAPTCHAs cannot prevent bots entirely. As CAPTCHAs evolve, so do the bots. CAPTCHAs are not foolproof, therefore they should never be set as a website's first line of defense, particularly on their own.
CAPTCHAs can now easily be bypassed since attackers are now capable of creating bots that use artificial intelligence to conquer the tests. Certain bots are now able to imitate human-like behaviors in order to bypass CAPTCHAs.
Additionally, there are CAPTCHA farms, which use *real* humans to bypass CAPTCHAs that the bots cannot. This definitely sounds like a 2-vs-1: *Humans and Bots* versus *CAPTCHAs*.
**The Captcha Conundrum**
In order to understand the potential problems or inconveniences posed by CAPTCHAs, it is essential to discuss some core concepts regarding CAPTCHA.
**| User-Centered Factors**
- **Visual Impairment Among Users**. People with disabilities such as color blindness and far-sightedness might find it difficult to solve some CAPTCHA tests, such as text- or image-based CAPTCHAs.
- **User Convenience**. One of the most fundamental aspects of web browsing is user experience, and a multitude of factors can affect it, especially when CAPTCHA tests are involved. CAPTCHA tests can be **time consuming**. One study (Bursztein et al., 2010) concluded that on average, humans take around 9.8 seconds to solve an image CAPTCHA and 28.4 seconds for an audio CAPTCHA. Another factor concerns **mobile users**: some websites do not have a user-friendly, mobile-compatible interface counterpart. CAPTCHA tests with a poor interface can absolutely hinder user experience.
**| What triggers a CAPTCHA test?**
- When a user's IP is recognized as a bot.
- Failure to load a site's resources (i.e., images and styles)
- Unusual behavior or navigation (i.e., mouse movement, clicking, site navigation)
- Unusual browsing history (i.e., only repeated login attempts, no browsing history)
**| Emerging Technologies**
While CAPTCHAs were quite effective before, they have become less capable of meeting their objective. Due to emerging technologies that allow the creation of more sophisticated bots, CAPTCHAs have become less and less effective in distinguishing bots from real human users.
**Conclusion**
Despite these challenges, CAPTCHA tests remain effective within the broader context of the web space. But then again, CAPTCHAs are not perfect and can be unreliable at times. Until we develop an alternative capable of addressing the issues associated with CAPTCHA tests while maintaining or enhancing their functionality, CAPTCHA remains our best option for safeguarding websites.
**References:**
Bursztein, E., & Jurafsky, D. (2010). CAPTCHA. Stanford University. Retrieved from https://web.stanford.edu/~jurafsky/burszstein_2010_captcha.pdf
DataDome. (2023). What is CAPTCHA and How Does It Work? DataDome. Retrieved from https://datadome.co/guides/captcha/what-is-captcha-and-how-does-it-work/
IBM. (n.d.). CAPTCHA. IBM. Retrieved from https://www.ibm.com/topics/captcha
SoftwareLab. (2023). What is a CAPTCHA? SoftwareLab. Retrieved from https://softwarelab.org/blog/what-is-a-captcha/