Laurent - stock.adobe.com
Answer
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums and blog comment sections.
By
- Joel Dubin
Published: 16 Sep 2019
What is the technology used on blogs and some web search tools when a user is presented a box with letters and...
Sign in for existing members
Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
Step 2 of 2:
You forgot to provide an Email Address.
This email address doesn’t appear to be valid.
This email address is already registered. Please log in.
You have exceeded the maximum character limit.
Please provide a Corporate Email Address.
Please check the box if you want to proceed.
Please check the box if you want to proceed.
has to retype the displayed information to verify their identity or that they are the intended recipient?
This technology is CAPTCHA, an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. A CAPTCHA is usually a graphic image with a series of distorted letters on an equally distorted or multicolored background. Other types of CAPTCHA challenges require a user to identify photos, do simple arithmetic problems, provide a response to an audio snippet or simply click a box that says, "I'm not a robot."
The CAPTCHA algorithm is public, as the "P" in the name implies. The test was developed in various forms around 1996, but it got its distinctive name in 2000 from researchers at Carnegie Mellon University and IBM. Cracking the algorithm won't make the CAPTCHA vulnerable, since the algorithm is only used for generating the random series of letters and numbers in the image. The system works because humans and computers process strings of characters differently.
Why is CAPTCHA important?
One of the most important reasons for CAPTCHA is to defend against ad spammers who promote their scams in comments on webpages. By requiring all users to negotiate the CAPTCHA authentication, administrators can filter out spammers who attempt to automate their activities.
CAPTCHA technology authenticates that a real person is accessing the web content to block spammers and bots that try to automatically harvest email addresses or try to automatically sign up for access to websites, blogs or forums. CAPTCHA blocks automated systems, which can't read the distorted letters in the graphic.
How CAPTCHA works
CAPTCHA is a form of challenge-response authentication, using challenges that can easily be responded to by people but that are difficult for bots. Rather than authenticating the identity of the person accessing the resource, CAPTCHA is used to authenticate that the entity attempting to access the resource is actually human and not a bot or other piece of malicious software.
CAPTCHA challenges need to be difficult enough to defeat attacks that use AI to try to solve them but easy enough for people to solve.
One of the problems with CAPTCHA is that, sometimes, the characters are so distorted that they can't even be recognized by people with good vision -- let alone visually impaired individuals. Depending on local accessibility regulations for websites, this can also be a compliance issue for some web-based businesses.
The reCAPTCHA project improves on CAPTCHA's
antibot strategy.
Even as the CAPTCHA developers continue to improve the utility, attackers are also always on the alert for new vulnerabilities and tactics for defeating CAPTCHA. In 2015, CAPTCHA-bypassing malware was discovered in Android apps offered through Google Play Store. And, early in 2019, security researchers reported the ability to bypass spoken phrases with the UnCAPTCHA proof-of-concept attack. The reCAPTCHA project aims to strengthen CAPTCHA, even as attackers continue to target it through exploits like ReBreakCAPTCHA.
When to use CAPTCHA
Use CAPTCHA for webpages that accept input from unauthenticated users. CAPTCHA is not usually needed for accepting input from users who have already logged into their accounts, but it can help slow down unauthenticated users -- like bots -- that try to post spammy comments in forums or blogs without the need to be authenticated as legitimate users.
CAPTCHA technology is easy to implement but requires some knowledge of PHP or other web scripting languages. For more information about integrating CAPTCHA protections, check the reCAPTCHA project's developer's guide.
Related Resources
- E-Guide: How to tie SIM to identity management for security effectiveness–TechTarget Security
- Aligning Enterprise Identity and Access Management with CIO Priorities–TechTarget Security
- New SaaS Identity Access Management Tools Emerge, Outdo Legacy IAM–TechTarget Security
- Cloud IAM: Is it worth the move?–TechTarget Security
Dig Deeper on Identity and access management
- 8 influential Hispanic leaders in technologyBy: Kaitlin Herbert
- SMS pumping attacks and how to mitigate themBy: KyleJohnson
- What enumeration attacks are and how to prevent themBy: RaviDas
- spambotBy: SeanKerner
Related Q&A from Joel Dubin
How to use a public key and private key in digital signatures
Ensuring authenticity of online communications is critical to conduct business. Learn how to use a public key and private key in digital signatures ...Continue Reading
Single sign-on best practices: How can enterprises get SSO right?
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ...Continue Reading
What is the purpose of RFID identification?
RFID identification can be used to keep track of everything from credit cards to livestock. But what security risks are involved?Continue Reading
Certainly! CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is a crucial technology employed by websites to differentiate between human users and automated bots. My knowledge about CAPTCHA stems from its inception, its various iterations, and its evolution to combat spam and malicious activities online.
The purpose of CAPTCHA is multi-faceted. It primarily serves as a defense mechanism against spammers who attempt to flood websites with scams or irrelevant content. By implementing CAPTCHA challenges, websites verify that the user accessing the content is a real person, thereby filtering out automated bots that attempt to exploit forums, blogs, or comment sections.
The technology behind CAPTCHA presents challenges that are relatively easy for humans to solve but considerably difficult for bots. Initially developed around 1996, CAPTCHA gained its distinct name in 2000. Its algorithm generates distorted characters or tasks like identifying photos or solving arithmetic problems to verify human presence. The randomness in these challenges makes it challenging for automated systems to crack them.
However, CAPTCHA isn't without its challenges. Sometimes, the distortions in CAPTCHA challenges can be too complex even for people with good vision, leading to accessibility issues, particularly for visually impaired individuals. To address this, projects like reCAPTCHA have been initiated to enhance CAPTCHA's effectiveness while considering accessibility concerns.
Attackers constantly aim to exploit CAPTCHA vulnerabilities. Instances like CAPTCHA-bypassing malware in Android apps and proof-of-concept attacks like UnCAPTCHA highlight the evolving challenges in keeping CAPTCHA secure. Despite these attempts, ongoing projects like reCAPTCHA persist in strengthening this technology against exploitation.
When to use CAPTCHA? It's ideal for webpages that receive input from unauthenticated users, especially to deter spammy comments in forums or blogs. Integrating CAPTCHA requires some knowledge of scripting languages like PHP.
This technology's evolution and its ongoing battle against exploitation demonstrate the dynamic nature of cybersecurity measures in the online realm.
