You’re trying to purchase an item or log into an account. You enter your credentials, but before you proceed, you need to prove that you’re a human being. Tick the box marked “I’m not a robot”. You can see a blurred image with skewed digits that you need to decipher. These are CAPTCHAs, and while they can be a nuisance, they’re necessary.
What are CAPTCHAs and how do they work? How are they different from reCAPTCHAs? And why are many of them so difficult?
What Is CAPTCHA?
CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. They take their name from Alan Turing, the genius cryptanalysis who created the Turing Test. This is a way of examining a machine’s thinking, to check whether its behavior is indistinguishable from that of a human being.
A standard Turing Test involves a real person judging the subjects. CAPTCHAs don’t: they’re generally administered by a computer. As such, some call them the “reverse Turing Test”, while others know them as Human Interaction Proof (HIP).
CAPTCHAs were created to stop bots from spamming websites. Any proficient technology whizz can make a program that automatically signs up to millions of accounts; CAPTCHAs are designed to stop that from happening.
It’s because computers find it difficult to decipher distorted text—or at least more difficult than humans do. Most CAPTCHAs are paired with different color gradients in the background, to further obscure the message.
There’s debate over who created CAPTCHAs, though the term was coined by Carnegie Mellon University, Pittsburgh, in 2003.
The scholarly team posited that they could be used to secure emails, online polls, and other services requiring registration from search engine bots, worms and spambots, and dictionary attacks. They’re also useful in combating Distributed Denial of Service (DDoS) attacks.
How Do CAPTCHAs Work?
Text can be really obscured, but you can often still make out what it means. The more skewed symbols are, the more effective a CAPTCHA is. That’s because humans exhibit pareidolia, a phenomenon in which our brain tries to make sense of randomness. It’s your mind trying to assign order out of chaos.
Christ I hate these damn captcha security things – can’t see the bloody pics most of the time. Awful. pic.twitter.com/T65tMeKs4U
— Jamie Sefton (@Seffers007) November 24, 2018
Pareidolia is why you infer faces where they shouldn’t be—in clouds, buildings, cliff faces, trees, drinks, flowers, and more.
The most famous examples of this psychological quirk typically feature either religion (with people claiming to see Jesus in their food) and astronomy. You’ll know Barnard 33 by its colloquialism, the Horsehead Nebula, due to its equine qualities; others see a rabbit carved into the craters of the moon.
That’s also why you can make out words in CAPTCHAs even when they’re crossed out and bent out of shape. Our brains make connections that computer programs typically can’t.
Why Are CAPTCHAs So Difficult?
Luis von Ahn, formerly of Carnegie Mellon University’s CAPTCHA team, says it takes an average of nine seconds solving a CAPTCHA. 92 percent get it right. That might make you feel stupid for inputting the wrong combination, but it shouldn’t. Everyone is part of that remaining 8 percent from time to time.
In fact, failure rates rise from 8 percent to nearly 30 percent if the CAPTCHA is case-sensitive.
The problem with inferring information is that we can easily infer the wrong information. An “I” can become a “1”. It’s even harder when the CAPTCHA doesn’t consist of words but random letters.
Fortunately, services know humans are fallible and can’t always read blurred text. Most CAPTCHAs give you the option to generate a new one, so if you’re struggling, refresh it.
— Sarah Doody (@sarahdoody) February 22, 2015
The main reason CAPTCHAs can be so tough is through necessity. As CAPTCHAs have evolved, so too have attackers. Artificial intelligence (AI) can read even particularly distorted text with an estimated 99 percent accuracy. CAPTCHAs have had to up their game.
Notably, Google has advanced the technology considerably, but we’ll come back to that.
How do programs defeat CAPTCHA? They’re cracked using algorithms that look for particular shapes. These typically convert the text box into grayscale, removing the distortion afforded by color artefacts. They then focus on patterns and cross-match these with standard letters and numbers.
The algorithm takes, effectively, educated guesses when it comes to any digits that remain unidentified.
CAPTCHAs: What Could Possibly Go Wrong?
There are numerous problems with CAPTCHAs—especially for those with disabilities. It’s particularly true for people with poor eyesight or suffering from dyslexia.
Yes, CAPTCHAs have developed to fight bots more effectively and get easier for humans. In some cases. It’s done so in a few significant ways. The first is through variation of verification. One widely-used example of this is replacing text with photos.
You might be presented with pictures in a grid and have to click on each box displaying road signs. This works so well because programs suffer from computer vision, i.e. a difficulty understanding the contents of digital images.
Some AI can differentiate and understand what a photo contains. Think about Facebook’s DeepFace technology, which can recognize facial features and suggest profiles. Nonetheless, these types of CAPTCHAs are an extra challenge for bots—an additional hurdle for brute force attacks and their ilk.
Images also work well for those using smartphones and tablets: it’s much easier to tap-select the right squares. That is, as long as those photos load properly!
Another adaptation is audio CAPTCHA, which reads the text for those struggling to make out the digits. These are often accompanied by background sound. This can cause further troubles for spammers using voice-recognition software.
— Mark Frauenfelder (@Frauenfelder) July 23, 2019
The other important way CAPTCHAs have evolved is through integration with Google, and the introduction of reCAPTCHAs. And no, they’re not quite the same thing…
CAPTCHA and reCAPTCHA: What’s the Difference?
Most CAPTCHAs you see are actually reCAPTCHAs. The latter does the same job as the former, but surpasses this by also furthering machine learning.
What’s more, reCAPTCHAs are used for the digitization of books.
They were developed by the same team from Carnegie Mellon University who gave us the term “CAPTCHA”. The open-source software aimed to “preserve literature by deciphering a word that was not readable by computers”. Effectively, each time you decipher a word found in a reCAPTCHA, it’s used for machine learning. You’re helping the program understand the varying shapes and patterns of symbols.
CAPTCHA is a random combination; reCAPTCHA consists of targeted words that bots haven’t been able to analyze previously.
It was released in 2007 and acquired by Google in 2009. Many consider Google a massive conglomerate that you can’t trust, but reCAPTCHAs have done a lot of good. Just two years after the acquisition, the technology had entirely digitized the archives of Google Books and The New York Times. Both are invaluable repositories of information.
It’s ironic that technology can now understand text effectively, making reCAPTCHAs redundant. That’s why Google has pushed the idea further.
Ever wonder what happens when you click on “I’m not a robot” and proceed straight away, without deciphering anything? Google’s new reCAPCTHA analyzes your activity across the whole site then secretly assigns you a probability score to determine whether you’re human or a bot.
Essentially, it’s worked out whether your interactions with the service are more indicative of a real person or a program.
Easy on Humans, Hard on Bots?
As bots become more intelligent, security systems have to advance too. ReCAPTCHA is a solid enough idea. For now.
But many question the power held by Google. Artificial intelligence can recognize human behavior. Factor in all the things Google already knows about you and that’s certainly a cause for concern.