loader

CAPTCHA: How one test might determine if you’re a bot or not

Home / Guest Posts / CAPTCHA: How one test might determine if you’re a bot or not
Posted on
securitymadesimple Guest Posts 0

Can you stop bad bots with words and pictures? If you use them in the way of challenges, you just might.

For those that don’t know, we’re talking about CAPTCHA, a little challenge involving writing the right words or picking the right pictures to prove that you’re a human – and not a bot.

There’s more to it than pictures and phrases, though. CAPTCHA is more complex than it sounds. Unfortunately, as complex as it is, it might not be enough to stop the latest bots.

Before we determine if CAPTCHA is worth the trouble, we need to understand what it is.

What is CAPTCHA?

A CAPTCHA test is a challenge that will help determine whether a user interacting with a website is human or non-human. In other words, it’s what separates bots from us – or, at least, tries to.

You’re probably familiar with modern CAPTCHA-like challenges: having to choose three out of nine or sixteen images; sometimes, it’s nothing but clicking on a checkbox and carrying on with your day.

There are also other challenge variants, for example, an audio-based one for those visually impaired.

Why do websites implement CAPTCHA challenges? Because bots have a hard time acting human, and these challenges are designed to exploit their bot-like behavior.

How does CAPTCHA work?

As you know, there’s more than one challenge that keeps bots at bay. What you probably don’t know is that there’s a progression behind these challenges.

In modern reCAPTCHA (think of it as CAPTCHA 2.0) challenges, you’ll face two situations:

I’m not a robot test

The first one is simple. All you have to do is click on a checkbox. If reCAPTCHA deems you’re a human, you can carry on with your day.

How can clicking on a checkbox be enough to see if you’re a bot or not? Well, it’s simple to explain – but difficult to implement.

Technically speaking, reCAPTCHA isn’t testing your ability to click on the checkbox. Instead, it tests everything that leads up to that action: your movement patterns, any hesitation, how quick you do it, and more. Bots can’t imitate any of that very well – and that gives them up.

If reCAPTCHA doesn’t recognize you as human, you’ll have to do another test.

Image recognition test

The second one isn’t as simple as clicking on a checkbox – but still quite doable.

In this scenario, you have to pick three images out of a set of nine or sixteen. That’s it! Bots aren’t developed enough to get it right (all the time). In fact, most AI struggles with tests like these.

Unfortunately, people struggle with it as well. Sometimes, it takes two or three attempts to pass this test, making user experience a little troublesome for a lot of people.

Believe it or not, CAPTCHA challenges have come a long way.

It wasn’t always the same way

People old enough might remember the old CAPTCHA challenge: fussy words and barely-readable text users had to write down (and, sometimes, guess) to continue using a website.

Well, that part of the internet is long gone. Or, at least, most websites have implemented reCAPTCHA challenges.

As bots became more advanced and technology allowed non-human elements to act more like humans, CAPTCHA changed. Bot creators eventually found a way to bypass old challenges.

In other words, as bots evolved, so did CAPTCHA challenges.

Nowadays, we have to pick the right pictures to solve one of these challenges – and so do bots.

The question is, how long will it take for bots to be as good as (or better than) humans at this new type of challenge? We may be there already.

Can bots solve CAPTCHA challenges?

Unfortunately, most bots can bypass both CAPTCHA and reCAPTCHA challenges.

On the bright side, not all bots are able to, nor can most bots do so on the first try – that’s why CAPTCHA-like challenges are still around.

Does that mean CAPTCHA is doing more harm than good? Well, not necessarily.

Although we are all aware of how much of a nuisance CAPTCHA challenges are (and how they interfere with user experience), we can’t get rid of them just yet. They still stop a fair number of bots and prove necessary for other bot management methods as well.

Simply put, CAPTCHA solutions aren’t going to stop bots on their own – but they will help alongside other botnet management methods, such as fingerprinting.

For now, both humans and bots will have to handle these challenges.