Every time you sign up for a new account or comment on a web article, you are asked to type the letters and numbers from the distorted image provided. Have you ever wondered what those symbols are and why you are required to type them in a box?
Those distorted, sometimes partially obscured letters are called CAPTCHA. It is a user identification feature that aims to protect websites and applications against computer bots by generating tests that only humans can pass. CAPTCHA stands for ‘Completely Automated Public Turing Test to Tell Computers and Humans Apart’ – humans can read and retype the distorted symbols on the image while computers cannot.
History of CAPTCHA
In the earliest days of the Internet, some people wanted to bypass computer filters that prevents them from posting some content online. An example of these people are hackers who post sensitive content in online forums, but are sometimes unable to do so since they believe they were monitored for specific keywords. To spoof such keywords, they used alternative symbols for phrases (‘hello’ would become |-| 3 |_ |_ (), etc.) to prevent the filter from detecting all of them.
CAPTCHA was first used in 1997 by Mark D. Lillibridge, Martin Abadi, Krishna Bharat, and Andrei Broder, a team from AltaVista who wanted to prevent bots from adding URLs to their web search engine. They created puzzles that had different typefaces and colored or obscured background to prevent bots from automatically detecting the symbols. However, another team claimed inventing rights to CAPTCHA consisting of Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford. This team coined the term CAPTCHA in 2003 in a publication and received more popular press than the first team.
Abilities of a CAPTCHA
To fully understand what is CAPTCHA and what its uses are, we will discuss its three abilities that enable it to differentiate human activity from a computer’s. CAPTCHAs are fully automated and require little maintenance, and are therefore, time- and cost-efficient. It requires the simultaneous use of these three abilities to produce consistent tasks:
Segmentation – the ability to separate one letter or number from another. CAPTCHAs make it difficult for this since the numbers and letters are crowded together with no white space in between.
Parsing – the ability to put the word into context. An example of this is when a segmented letter looks like a letter ‘m’, but when you take the word into context will you realize that it is actually an inverted ‘u’ and a ‘n’.
Invariant recognition – the ability to recognize letters and numbers in a large amount of variation and shapes. The human brain can identify multitudes of shapes, but a computer can’t do so because it has to be programmed to do such, and that is an extremely challenging task.
Applications of CAPTCHA
Now that we have discussed what is CAPTCHA and its abilities, we will proceed to the applications of CAPTCHA for practical security:
Protects website registration. Companies such as Microsoft and Yahoo! offer free email services, and several years ago, these email services suffered from bot attacks. These bots would sign up for thousands of email accounts every minute, since it could complete the sign-up process in a very short period of time. To prevent this attack from persisting, CAPTCHAs were used to ensure that only humans can create free email accounts. Free services are now protected with a CAPTCHA to prevent automated script abuse.
Prevents comment-spamming in blogs and online forums. There are sneaky websites that use bots to submit bogus comments in blogs and online forums to raise their search engine ranks. The comment may include a link to the website and could appear multiple times in a single blog post to ensure publicity. These are called spam comments, and CAPTCHAs prevent these by enabling a CAPTCHA before a user can post a comment. As a result, only humans can post comment, and spam comments are avoided.
Hides your email address from Web scrapers. Some Web scrapers crawl the Internet for email addresses that are displayed in full, readable text, then send this email address with spam messages. Before you know it, your inbox is full your spam messages that you have no idea what to do with. You can use a CAPTCHA before showing your email address to make sure that only humans can obtain it.
Ensures accurate online poll results. Websites that release online polls record the IP addresses of its voters to make sure that a computer only gets to vote one. However, some people or companies might create bots that can bypass this security measure and enable one computer to vote hundreds of times. A CAPTCHA can solve this problem by asking voters to enter the letters and symbols before they can cast their vote.
Guidelines for CAPTCHA
If you have a website and would like to place additional security measures to it, you can make use of CAPTCHA. Since you now know what is CAPTCHA, its abilities, and applications, you can find a code that will meet your needs. Here are the guidelines that make an efficient CAPTCHA, according to captcha.net:
Accessibility. CAPTCHAs have been criticized by visually-impaired users since the distorted and obscured images make it difficult for them to read it. A CAPTCHA should be accessible, meaning that it has to have another option in case a user cannot read the image, such as an audio or sound CAPTCHA.
Image Security. The images should be distorted randomly and obscured moderately before being shown to the user. Some CAPTCHA images are only partially distorted and could still be read by bots, making the website more vulnerable to attacks.
Script Security. A secure CAPTCHA should make sure that there are no easy ways to bypass its script, as opposed to ordinary CAPTCHA scripts. Common examples of insecurities in this respect include: (1) Systems that pass the answer to the CAPTCHA in plain text as part of the web form. (2) Systems where a solution to the same CAPTCHA can be used multiple times (this makes the CAPTCHA vulnerable to so-called ‘replay attacks’. Most CAPTCHA scripts found freely on the Web are vulnerable to these types of attacks.
Security Even After Wide-Spread Adoption. True CAPTCHAs should be secure even after it is adopted by plenty of websites. Easy, repetitive questions can still be bypassed by parsers and could make the website vulnerable to attacks even with the use of CAPTCHAs.