When logging into a website on the Internet or entering sensitive information, you may sometimes be asked to select a check box, match images, or enter a random string of numbers and letters.
This is called a CAPTCHA. It is designed to stop non-human (automated) behavior on the Internet. But what does this actually mean? And can a CAPTCHA with a step as simple as checking a checkbox really stop bots from performing actions on the web?
Let’s take a closer look at what a CAPTCHA is and how it is used to keep the entire web safe.
What is a CAPTCHA?
CAPTCHA is an odd-looking acronym for a fairly easy-to-understand phrase: it stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
So, in essence, a CAPTCHA as we know it on the web is an automated test to determine if a user is a human or a bot. A bot could be automated software designed to post spam comments on the Internet, software that tries a set of passwords against a login page, or perhaps software that attempts to automatically scrape information from other sites. CAPTCHAs can be used to prevent bots from performing this automated behavior.
A CAPTCHA can really be anything, as long as it is some kind of test that can only be passed by thinking like a human. In the past, the most common type of CAPTCHA was a series of jumbled letters and numbers that users had to type in to pass the test.
The letters were drawn in an almost illegible font, making them very difficult for any type of automated software to read. It worked, but as AI has grown more powerful over the years, the security it offers has become dubious.
The most common CAPTCHA you see on the web these days is the reCAPTCHA from Google. There are alternatives, but we can use Google as an explanation of how it all works.
reCAPTCHA types: do they work?
So far Google has gone through three major versions of the reCAPTCHA software. Let’s see how the versions differ from each other and how they work to stop bots.
reCAPTCHA v1 – Traditional Text Test
The original version, reCAPTCHA v1, may make you feel nostalgic, but it is no longer used, and for good reason. This method required users to read the words shown on the screen and type them in. The text was always made difficult to read in order to prevent bots from solving it.
Ultimately, this level of CAPTCHA did not provide sufficient protection for long, and because the system was so frustrating, it annoyed users and resulted in loss of traffic for many website owners.
When we entered the era of mobile devices and shorter attention spans, Google wanted to create a better solution, and so reCAPTCHA v1 was retired and v2 appeared.
reCAPTCHA v2 – the “I’m not a robot” checkbox
reCAPTCHA v2 was a huge step in the right direction. With reCAPTCHA v2, Google’s software pays attention to keystrokes and mouse movement to determine if you are a robot or not.
With every interaction on a website with reCAPTCHA v2, the software learns more about what human behavior is and what isn’t, making it more accurate as it learns. If you are behaving like a human, it is enough to check the box.
If you are flagged as suspicious, you will be prompted to click on the matching pictures in a photo grid. This is a test that gives the end user just 55 seconds to solve. This may seem daunting for a bot, and Google backs it as a way of protecting websites from bots. However, a Google search will reveal all sorts of research, tests and software claiming to have beaten the system using a bot.
Thus, reCAPTCHA v2 will stop bots or at least slow them down, perhaps to the point where it is not worth trying, but it may not always stop a motivated person or organization.
reCAPTCHA v3 – Hidden CAPTCHA
reCAPTCHA v3 is different from the above options. Instead of running a test to determine if a user is a bot or not, reCAPTCHA tracks the user’s interaction with the website and gives that user a score.
This score takes into account various factors, such as how they navigate the site or which pages they visit first, and is backed up by previous data.
The website owner can then configure reCAPTCHA v3 to block or deny access to the user based on their score. In addition, it can be configured so that actions are throttled or limited for a short time, messages are sent to moderation queues, or secondary authentication is required.
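As an added illustration (not code from Google or from this article), the sketch below shows a server turning the JSON body returned by reCAPTCHA's siteverify endpoint into the outcomes listed above. The field names follow Google's documented response; the thresholds, outcome names, hostname and sample responses are assumptions made for the example.

```python
import json

# Score floors per protected action. Values and outcome names are assumptions
# for illustration; tune them against your own traffic.
POLICY = {
    "login":   [(0.7, "allow"), (0.3, "second_factor")],
    "comment": [(0.7, "allow"), (0.5, "throttle"), (0.3, "moderation_queue")],
}

def decide(verify_json, expected_action, expected_hostname):
    """Turn a siteverify JSON body into an outcome; anything unexpected blocks."""
    try:
        result = json.loads(verify_json)
    except ValueError:
        return "block"
    if not isinstance(result, dict) or result.get("success") is not True:
        return "block"  # invalid, expired or reused token
    # A token minted for another action or another site must not be accepted here.
    if result.get("action") != expected_action:
        return "block"
    if result.get("hostname") != expected_hostname:
        return "block"
    score = result.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block"  # missing or malformed score: fail closed
    for floor, outcome in POLICY.get(expected_action, []):
        if score >= floor:
            return outcome
    return "block"

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "human_login": '{"success": true, "score": 0.9, "action": "login", "hostname": "example.com"}',
    "doubtful_login": '{"success": true, "score": 0.4, "action": "login", "hostname": "example.com"}',
    "doubtful_comment": '{"success": true, "score": 0.4, "action": "comment", "hostname": "example.com"}',
    "bot_comment": '{"success": true, "score": 0.1, "action": "comment", "hostname": "example.com"}',
    "replayed": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        action = "comment" if "comment" in name else "login"
        print(name, "->", decide(body, action, "example.com"))
```

The same score of 0.4 leads to a second authentication step on login and to the moderation queue for a comment, which is why the policy is keyed by action rather than using one global threshold.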
Again, research is underway to try and crack reCAPTCHA v3. This time, however, researchers are looking to create an AI that can visit a web page and perform human-like actions on it in order to pass invisible CAPTCHA tests.
Does the CAPTCHA actually work?
So far, one thing is clear – research has shown that CAPTCHA or reCAPTCHA does not stop all non-human activity. However, it severely restricts bot traffic and stops most of it. So in this sense, we can say that the CAPTCHA works even if it does not have 100% success.
Perhaps AI will become smarter and be able to behave like a human, but in that case Google will come out with reCAPTCHA v4, or other CAPTCHA developers will release something new.
It’s like an endless game of cat and mouse. Ultimately, a website is much better off with a CAPTCHA, which can reduce bot activity from thousands to almost negligible amounts.