What are captchas?

Captchas protect web applications from harmful access by bots and spammers. However, the extra security comes at the cost of disadvantages in terms of accessibility and usability. The small image and audio puzzles are also a hurdle for some human users.

Myra Services on this topic: Block unwanted access and prevent malicious traffic with Myra Deep Bot Management


Captchas: a definition

When surfing the Internet, users have been encountering various captcha procedures for several years now. The little pictures and word puzzles on websites are intended to ensure that only human visitors can access the services hidden behind them. In this way, the small tools protect against misuse on Internet platforms. The term Captcha is an acronym and comes from the English: "Completely Automated Public Turing test to tell Computers and Humans Apart". Thus, the word Captcha serves as a collective term for all forms of automated Turing tests, which are used by computers to tell humans and machines apart.


How do captchas work?

The concept of Captcha procedures provides for tasks that are easily solvable by humans, but cause major problems for computer systems. In practice, therefore, image or word puzzles are usually used in conjunction with blurs and similar optical manipulations. To solve these tasks by machine, sophisticated algorithms for image recognition and powerful hardware are required. These hurdles are used to defend against automated queries and spammers.

Captchas are used everywhere on the net where services are threatened by bot access. Webmasters sometimes use the technology to protect online surveys, e-mail services, or even sensitive services such as online banking from misuse.


What are the disadvantages of captchas? 

The use of captchas to protect web services is not without controversy. For example, the integrated picture puzzles massively restrict the accessibility of the underlying web application. Particularly for visually impaired people, such captcha tasks cause great difficulties when logging in. Acoustic captchas promise a remedy, but they are criticized for their high degree of difficulty and cause particularly great problems for the hearing-impaired. 

In terms of user-friendliness, captchas are also considered problematic because they represent an additional step to logging in to web stores and other portals. The additional effort for potential customers has a negative effect on the conversion rate. The negative effect is reinforced by increasingly demanding captcha tasks. However, these are necessary to compensate for advances in artificial intelligence that enable automated systems to solve simple captchas without much effort. A team of researchers at Stanford University questioned the future viability of common captcha methods back in 2010. Already at that time, many human users had problems answering the small riddles.

Person working on a laptop with code on the screen

Google reCAPTCHA: controversial convenience service

Since 2013, the Google service reCAPTCHA has been addressing the problem of overly complex login processes with the so-called No CAPTCHA. This is a checking method that evaluates browsing data in the background, such as IP addresses, location, dwell time and mouse movements. If the collected data indicates that it is a valid user request, a simple mouse click on the text field "I am not a robot" is sufficient to solve the captcha. If, on the other hand, the results are less clear, the familiar visual or acoustic captchas are used to thwart malicious bot access. The further development reCAPTCHA v3 does not even require any additional user queries. Here, automatic accesses are identified and managed in the background. For website visitors, reCAPTCHA may be a welcome gain in convenience, but data protection organizations are increasingly bothered by the disclosure of sensitive user information to the US company.


How cybercriminals circumvent captchas 

In practice, captcha queries are primarily used to thwart misuse and attacks by means of credential stuffing or credential cracking. In most cases, cybercriminals target lucrative accounts for online banking or payment in their attacks. The captchas serve as an additional security layer here - however, the queries are less suitable as a sole protective wall. For cybercriminals and their bot armies, captchas are not an insurmountable hurdle, because there are various methods to circumvent the protective function:


Modern algorithms are capable of reliably solving even complex captchas and usually perform better than human users. In the technological race, therefore, constantly improved captcha methods are required to ensure reliable protection.


Trojans can trick thousands of users into filling out captcha queries manually - disguised as mini-games on websites or local systems, for example.


Captcha solving services offer the resolution of captcha queries as a service at ridiculous prices and even provide interfaces for further processing of the data. With these services, the answering of the captchas is done by armies of cheap laborers who solve the digital puzzles manually in developing countries. Via API integration, captcha solving services can even be directly connected to the cybercriminals' automated attack tools.


How can the protection of captchas be extended?

The examples presented show that the captcha procedure alone is not sufficient for the protection of accounts and log-ins. Although many malicious bot requests can be prevented through the targeted use of captchas, ambitious criminals cannot impress webmasters with this.

Malicious traffic can be fended off much more effectively using bot management services, for example. The security solution clearly identifies bot requests and enables site operators to granularly control which types of machine traffic are allowed on the website and when. The precise management of traffic not only increases the protection of log-ins, but also allows for a more performant and cost-effective operation of the website. For example, desired bot requests can be moved to low-traffic times of the day to provide more power for human access at peak times.


Captchas: What you need to know 

Captchas are small pictures and word puzzles designed to prevent automated access to websites by bots. These Turing tests are designed so that only human users can successfully pass them. However, cybercriminals have various methods at their disposal to get their malicious bots past captcha blockers. Special algorithms, Trojans or captcha solving services are used for this purpose. Captchas are therefore unsuitable for holistic control of automated access. This requires more comprehensive tools such as Bot Management Services, which allow granular control of bots on the company's own websites.

With Myra Web Application Security, you can precisely manage all requests on your website thanks to Deep Bot Management. Using fingerprinting technology, Myra reliably identifies and manages incoming bot requests, while malicious traffic is automatically blocked or redirected. The solution prevents false positives through downstream captcha prompts. In this way, optimal performance is always available for both traditional user requests and machine-generated bot requests, without compromising the security of online accounts.

Learn more about Myra Deep Bot Management