Understanding Captchas: Types Pros Cons alternatives to combat Spam

Published in : 05 Jan 2024


"Spam will be a thing of the past in two years!" With this prediction, Bill Gates surprised the public at the World Economic Forum in Davos in 2004. The misjudgment still amuses the Internet community today and has earned the Microsoft co-founder a permanent place on the list of the IT industry's most misguided predictions.

In 2004, even Bill Gates had no idea how spam would evolve in the years that followed. Even today, hardly a day goes by without most Internet users being confronted with automatically generated advertising content, whether in their mailbox, on their favorite blog, in the comment section of an online store, or in the guestbook on their homepage.

Spambots are also getting smarter. Autonomous programs crawl the Internet for form fields and other interactive page elements in order to place their operators' advertising messages as quickly as possible, and they overcome even ingenious anti-spam measures.

For a long time, the captcha was considered the defense against spam. Today, however, its annoying challenges are more often an obstacle for human users than for sophisticated programs: recent studies on captcha technology have shown that spambots often have a lower error rate than humans. Is this the end of captcha codes, picture quizzes, and logic tests? Here is an overview of the application areas of CAPTCHA technology, a comparison of the different types, and alternatives for spam prevention.

Understanding Captchas

A captcha is a method of spam protection. The goal is to protect interactive websites from abuse by filtering out automatically generated entries. The acronym CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

As early as 1950, the computer scientist Alan Turing proposed a procedure for testing the thinking capacity of a machine. According to Turing, a machine can be said to imitate human thinking if it can converse with people without their noticing that they are talking to a computer.

The Turing test entered the history of AI (artificial intelligence) research, and no computer program was credited with passing it before 2014. That year, the chatbot Eugene Goostman was reported to be the first machine to convince more than 30% of an independent jury over conversations of at least five minutes. Eugene posed as a Ukrainian teenager who owned a guinea pig and was fond of the politically incorrect lyrics of the rapper Eminem.

What sounds like science fiction is one of the biggest problems of the Internet today. For interactive websites, it is essential to distinguish human users from computer programs, a step known as human verification. Increasingly sophisticated captchas are designed to block automated entries, spam requests, and click robots (bots).

Why Do We Use Captchas?

Captchas are typically used wherever web applications require user input. Imagine that you operate an online store and allow your customers to write product reviews through a comment feature. In this case, you want to make sure that the entries come from your customers, or at least from human visitors to your website. Without protection, you will instead often find large numbers of automatically generated spam messages, in the worst case with links to competitors.

This damage can be limited by securing online forms with a captcha that requires users to verify themselves before their submission is accepted. Today, captchas can be found in almost every area where Internet users must be distinguished from robots: registration forms for email services, newsletters, communities, social networks, and online surveys, as well as web services such as search engines.

Over time, different human verification methods have been developed. In principle, however, no established method provides 100% protection against spam, and captcha technology always comes at the cost of some usability.

Different Kinds of Captchas

The concept of captchas is based on the assumption that, despite rapid progress in AI research, there are still differences between the cognitive abilities of a human being and those of a computer program. Each captcha therefore includes at least one task that human users can master easily but which, in theory, is an unsolvable problem for robots.

Captcha-based methods for human verification can be divided into several categories: text recognition, image recognition, audio captchas, mathematical tasks, logic questions, and gamified methods.

Text-based captchas

The oldest form of human verification is the text captcha. Known words or random combinations of letters and digits are displayed in distorted form. To pass the test, the user must decipher the string shown in the captcha area and type it into a dedicated text field. Traditional methods for generating text captchas include Gimpy, EZ-Gimpy, Gimpy-r, and Simard's HIP.

The distortion involves several stages in which the individual characters of the solution word are warped, scaled, or curved and combined with other graphic elements such as lines, arcs, dots, color gradients, or background noise. The following illustrations show a selection of text transformations that can be encountered on the Internet.

Text Based Captcha

Text captchas provide reliable protection against spam only if the displayed solution word represents an insurmountable obstacle for programs with automatic text recognition (OCR). This usually means heavy distortion, which significantly limits readability for human users as well.

The following examples illustrate the problem. To register a free email address with GMX, for example, you are confronted with text-based captchas of the following kind.

Text Based Captcha Example

A human user can easily recognize the characters 1VYEJX here, but the code is sometimes much harder to read because of heavily distorted characters.

Confirmation Code Captcha

The distortion sometimes goes so far that even human users are overwhelmed. A well-implemented captcha offers the option of skipping the first challenge and trying another, more readable word. Even so, frequently running into complicated captchas is no pleasure for website visitors.

Over time, many alternatives to text-based captcha technology have been implemented. Google offers a well-known variation of the classic text captcha with reCAPTCHA. Instead of generating random solution words, reCAPTCHA draws on digitization projects such as Google Books or Google Street View.

For example, users are shown street names, house numbers, road signs, city signs, or fragments of scanned text that must be deciphered and typed into a text field. The classic reCAPTCHA always presents two elements: one whose solution is already known and serves as the actual test, and one that has not yet been confirmed. In principle, users only need to recognize the known element to pass the captcha. Users who also decipher the second element contribute to Google's digitization program. Those entries are verified statistically: each unconfirmed item is presented to multiple users, and the most common answer is taken as correct.

The following example shows two differently designed reCAPTCHA challenges that users encounter, for example, when signing up for online communities.

Redesign Captcha 2015

Image-based captchas

Image-based methods are an alternative to text captchas. Instead of presenting users with a solution made up of digits and letters, image-based captchas rely on graphical elements that can be recognized quickly. Typically, several images are presented side by side, and users must click on a specific motif, identify similar patterns, or recognize a semantic connection.

The following example shows an image-based captcha used in the Google reCAPTCHA service. The user is asked to select all images showing coffee.

Google images based Captcha

In addition, Google uses captchas in which users select only certain areas of a photo, for example all tiles that show part of a street sign. Unlike the textual reCAPTCHA, simply clicking on the corresponding screen areas is enough to pass this test step.

Example of google image captcha

Most users find the solution to an image-based captcha within a few clicks. Locating an object in a photo, labeling it with words, and spotting similar patterns has historically been harder for computer programs than reading distorted text, so image-based captchas have offered a higher protective effect than textual methods, although steady progress in machine learning keeps narrowing that gap.

Audio captchas

Text and image captchas are both visual verification procedures. Whether a human user can complete the test depends on their ability to perceive textual or pictorial information. A graphical captcha can therefore pose an insurmountable obstacle for people with visual impairments.

Captchas that can be perceived with only one of the human senses therefore have low usability and are not considered barrier-free. Website operators who use captchas should make sure that the chosen test method offers users several ways to solve it across different sensory channels.

To give visually impaired people access to captcha-protected areas of a web application, text- or image-based tests are usually combined with audio captchas. Often this takes the form of a button that plays an audio recording, for example a short sequence of digits, which must then be typed into a field provided for this purpose.

Google currently implements audio captchas in the following way:

Example of google audio captcha

For the captcha to remain usable, the recording must be intelligible and adapted to the user's language. Google does not set a good example here: although the captcha's graphical interface can be displayed in French, only an English recording can be played.

Math and logic captchas

A captcha alternative that also takes the needs of visually impaired users into account relies on mathematical tasks or puzzles to filter out spambots. A task like the one in the example below can also be read aloud by a screen reader and is therefore available to users of non-visual output devices.

Simple arithmetic tasks require only basic school knowledge, but they pose no real obstacle to spambots, because computers are far better than humans at crunching numbers. This type of captcha is therefore often combined with the text distortion techniques described above, which in turn destroys accessibility for screen readers.

It becomes much harder for programs if the result is not requested as a number but as a number word, or if the calculation is followed by a further instruction (for example: "Calculate 7 x 7 and enter the first digit of the result in the field provided"). The result of the calculation is 49, but the captcha solution is 4.

In addition to mathematical tasks, logic tasks or general knowledge questions are also used in captchas, often with a thematic reference to the corresponding web application.

Math and Logic Captcha Example

Logic captchas include questions that may seem trivial to human users. Traditional spambots, however, are generally unable to perform reasoning of the following kind:

  1. Name all the colors on the list: apple, green, orange, tomato, and yellow. (Answer: green, orange, yellow)
  2. Enter the fourth word in this sentence. (Answer: word)
  3. What is the third letter of the penultimate word? (Answer: r)
  4. How many udders does a cow have? (Answer: one)

Captchas of this type are usually designed so that several variations of the answer (e.g., upper and lower case) lead to the desired result.
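The following is an added example, not code from the original article, showing how the math and logic tasks described above can be issued and checked on the server without storing the answer client-side. It generates the three task types from this section (a sum whose result must be spelled out, a "first digit of the product" instruction, and a "name the colors in this list" question), binds the expected answer to the challenge with an HMAC so the client never receives it, normalizes case, punctuation and word order on verification, and refuses expired or replayed challenges. The key, time limit, word lists and function names are assumptions for illustration.

```python
"""Math and logic captcha with a signed, stateless challenge (added example)."""
import hashlib
import hmac
import random
import re
import secrets
import time

# Assumption: in production this key comes from a secrets manager, not source code.
SERVER_KEY = b"example-only-server-key-rotate-me"
CHALLENGE_TTL = 300  # seconds a challenge stays valid

WORDS = ["zero", "one", "two", "three", "four", "five", "six", "seven", "eight",
         "nine", "ten", "eleven", "twelve", "thirteen", "fourteen", "fifteen",
         "sixteen", "seventeen", "eighteen"]
COLORS = ["red", "green", "blue", "yellow", "purple"]          # assumed word lists
NOT_COLORS = ["apple", "tomato", "bicycle", "river", "window"]


def normalize(answer):
    """Fold case, punctuation, spacing and word order so variants still match."""
    return " ".join(sorted(re.findall(r"[a-z0-9]+", answer.casefold())))


def make_challenge(rng):
    """Pick one task type and return (question, expected_answer)."""
    kind = rng.choice(["word_sum", "first_digit", "colors"])
    if kind == "word_sum":
        a, b = rng.randint(1, 9), rng.randint(1, 9)
        return f"What is {a} + {b}? Enter the result as a word.", WORDS[a + b]
    if kind == "first_digit":
        a, b = rng.randint(2, 9), rng.randint(2, 9)
        return (f"Calculate {a} x {b} and enter the first digit of the result.",
                str(a * b)[0])
    colors = rng.sample(COLORS, 2)
    items = colors + rng.sample(NOT_COLORS, 3)
    rng.shuffle(items)
    return f"Name all the colors in this list: {', '.join(items)}.", " ".join(colors)


def _tag(challenge_id, question, expires, answer):
    """HMAC over everything the client sends back plus the normalized answer.
    Without SERVER_KEY a bot cannot compute tags for candidate answers."""
    msg = "|".join([challenge_id, question, str(expires), normalize(answer)])
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def issue_challenge(rng=None, now=None):
    """What the server sends to the client: the question and a tag, never the answer."""
    rng = rng or random.SystemRandom()
    now = int(time.time()) if now is None else now
    question, answer = make_challenge(rng)
    challenge_id = secrets.token_hex(8)
    expires = now + CHALLENGE_TTL
    return {"id": challenge_id, "question": question, "expires": expires,
            "tag": _tag(challenge_id, question, expires, answer)}


_used_ids = set()  # minimal server-side state: a solved challenge cannot be replayed


def verify(submission, now=None):
    """Check the client's answer; `submission` echoes the issued fields plus 'answer'."""
    now = int(time.time()) if now is None else now
    expires = int(submission["expires"])
    if expires < now or submission["id"] in _used_ids:
        return False
    expected = _tag(submission["id"], submission["question"], expires, submission["answer"])
    if not hmac.compare_digest(expected, submission["tag"]):
        return False
    _used_ids.add(submission["id"])
    return True


if __name__ == "__main__":
    ch = issue_challenge()
    print(ch["question"])
    print("accepted:", verify(dict(ch, answer=input("> "))))
```

Because the question text is part of the MAC, a bot cannot swap in an easier question, and because the tag is only valid once, a human-solved answer cannot be reused for bulk submissions. What this scheme cannot prevent is the relay attack mentioned later on this page: a bot can forward each challenge to a human and submit their answer within the time limit.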

Adding Fun to Captchas

Website operators who fear scaring off visitors with cryptic text captchas or tedious math tasks can take advantage of the gamification trend that has reached captchas. Providers such as SweetCaptcha and FunCaptcha offer more or less entertaining mini-games that can be integrated as fun captchas.

SweetCaptcha draws on users' ability to make associations and presents them with simple games. In the following example, the user drags the drumsticks onto the drum to identify themselves as human.

Sweetcaptcha Example

Classic Puzzle Captcha

SweetCaptcha also uses a classic captcha puzzle variation in which users must drag and drop image elements into the correct position:

Classic Puzzle Captcha

FunCaptcha asks users to rotate an image; only when the motif is in the correct orientation does the software grant the user access to the site's content.

Rotation Funcaptcha example

Without being particularly entertaining, this little game is nevertheless more amusing than distorted text.

Pros and Cons of Captchas

If a captcha reliably blocks spambots while letting human users through, it significantly reduces the administrative burden of running a website: site operators who offer user-generated content do not have to check contributions manually. It also relieves the server considerably if automated inputs and requests are blocked before they trigger resource-intensive processing. But what makes a good captcha?

Research into artificial intelligence is progressing steadily, and the ability of specialized programs to read distorted text or solve logic tasks is improving rapidly. As early as 2014, a Google research team published a study according to which classic reCAPTCHA challenges could be solved automatically in 99.8% of cases. The model was trained on a database of around 10 million annotated house numbers that the team had extracted from Google Street View.

Many captcha providers try to compensate for advances in machine learning with ever more complex tests. In practice, captchas then often approach the point where they can no longer be solved by anyone.

As early as 2010, Stanford University researchers published a study showing that captchas frequently pose a significant challenge for human Internet users as well. The study had more than 1,100 people solve approximately 318,000 captchas of the most commonly used types.

On average, participants solved visual captchas in 9.8 seconds. For audio captchas, they took almost three times as long, 28.4 seconds. When the same visual captcha was shown to three subjects, all three arrived at the same solution in only 71% of cases; for audio captchas, agreement was even lower at 31%. The researchers also found that participants gave up on about half of the audio captchas. Whether and how human verification is used therefore affects a visitor's willingness to interact with a website.

Back in 2009, the SaaS company Moz published a blog post on the effect of captchas on web form conversion rates. In a case study, Moz author Casey Henry examined more than 50 business websites over six months and found that online form conversion rates (e.g., newsletter sign-ups) fell by 3.2% on average when captchas were activated. At the same time, spam volume dropped by 88%.

Businesses that generate revenue from visitors interacting with their website should consider whether a loss of this magnitude is acceptable. The cost of alternative anti-spam methods must be weighed against the revenue lost to captchas.

Making Captchas Accessible

Choosing a suitable captcha technology is difficult for website operators who want to make their offerings accessible to everyone, including people with disabilities.

Most people with disabilities use the Internet, and the World Wide Web often promises to make everyday life considerably easier, especially for users who live with restrictions.

However, many online services are still not accessible to people with disabilities, and captchas often represent an insurmountable barrier, for example when the challenge cannot be perceived because of limited vision or a cognitive disability.

The Web Content Accessibility Guidelines (WCAG) of the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C) address the accessibility problem posed by captchas and specify the following minimum requirements for an accessible captcha:

  1. If non-text content (e.g., graphics) is used to distinguish human users from computer programs, a text alternative must be provided that identifies and describes the purpose of the non-text content.
  2. If captcha technology is used, alternative forms of the captcha using output modes for different types of sensory perception must be provided to accommodate different disabilities.

Beyond these minimum requirements, it is advisable to always embed a captcha in explanatory accompanying text. Website operators who use captchas for spam prevention should make sure that users understand how they can identify themselves as human.

This includes clear instructions for the test, presented as machine-readable text, and correctly labeled input fields. In any case, users should be able to skip an unreadable captcha and repeat the check with a new one if their answer was wrong.

A captcha should never be the only way to use a website. It is advisable to always offer users a way to gain access by contacting the administrator or customer support.

It is also advisable to minimize the use of captchas: once a user has successfully logged in, no further captcha verification should be required.

Are there alternatives to captchas?

Even though captchas are ubiquitous today, procedures based on the Turing test are by no means the only way to secure an interactive website against spam. In 2005, the WAI published the Working Group Note "Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web", a catalog of proposals for preventing spam without a captcha. Over time, many methods have been developed to identify automated queries or entries:

  1. Blocklists: If a particular source of spam messages or mass automated requests can be identified, website operators can block all interactions from it by adding it to a blocklist of servers or IP addresses whose future requests are rejected. Such a blocklist can be maintained manually, for example via .htaccess on an Apache server. Various anti-spam networks and commercial providers also offer centralized, constantly updated blocklists.
  2. Honeypots: Some website operators catch spambots by equipping online forms with bait fields, known as honeypots. These are input fields hidden from human visitors by CSS or JavaScript. Simple spambots merely read the HTML of a page and fill every field, including the hidden ones, with generated content. A filled honeypot field therefore indicates that the request comes from a robot rather than a human user.
  3. Content filters: Content filters are a way to counter comment spam on blogs, online stores, or forums, and they also work with blocklists. Website operators define so-called hot words, keywords that appear mainly in spam comments, so that entries containing them are automatically flagged as computer-generated. The downside is an increased risk that contributions from human users are blocked too if they happen to contain one of the blocked keywords.
  4. Server-side filtering: On most web servers, filtering software can monitor interactions with parts of a website and limit the damage caused by spambots. Spam filters rely on static, heuristic, and behavioral analysis to identify suspicious interactions from observable characteristics and known patterns. The analysis looks at technical properties of the request and the user agent, such as the amount of data submitted, the IP address, the input method, signature data, and previously visited pages. Timestamps can also be used to measure the time between a form being served and the submission arriving: unlike human users, spambots fill in input fields at considerable speed.
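The four captcha-free techniques in the list above can be combined into a single server-side decision. The code below is an added example, not from the original article: `render_form` serves a form with a CSS-hidden honeypot field and records the time the form was issued, and `classify` checks a submission against an IP blocklist, the honeypot, a hot-word content filter with a link count, and the fill time, returning every reason it found so the operator can tune thresholds. The blocklist uses the same idea as the .htaccess approach but in application code; the field names, networks, hot words, thresholds and sample submissions are all constructed for illustration.

```python
"""Captcha-free spam filtering of a form submission (added example)."""
import ipaddress
import re
import secrets
import time

# 1. Blocklist: source networks whose requests are rejected outright (assumed values).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# 2. Honeypot: a field humans never see or fill because CSS hides it.
HONEYPOT_FIELD = "website_url"

# 3. Content filter: hot words that mark a comment as suspicious (assumed list).
HOT_WORDS = re.compile(r"\b(viagra|casino|free money|buy now)\b", re.IGNORECASE)
MAX_LINKS = 2  # more URLs than this in one comment is a strong spam signal

# 4. Timing: humans need at least a few seconds; a served form also expires.
MIN_FILL_SECONDS = 3
MAX_FILL_SECONDS = 3600

# Server-side record of when each form was served, keyed by a random form id.
_issued_forms = {}


def render_form(now=None):
    """Return (form_id, html fragment) and remember when the form was served."""
    now = time.time() if now is None else now
    form_id = secrets.token_hex(8)
    _issued_forms[form_id] = now
    html = (
        f'<input type="hidden" name="form_id" value="{form_id}">\n'
        '<div style="display:none" aria-hidden="true">'
        f'<label>Leave this field empty <input name="{HONEYPOT_FIELD}" '
        'tabindex="-1" autocomplete="off"></label></div>\n'
        '<textarea name="comment"></textarea>'
    )
    return form_id, html


def classify(submission, remote_ip, now=None):
    """Return the list of reasons a submission looks automated; empty means accept."""
    now = time.time() if now is None else now
    reasons = []

    ip = ipaddress.ip_address(remote_ip)
    if any(ip in net for net in BLOCKLIST):
        reasons.append("blocklisted source address")

    if submission.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field was filled")

    comment = submission.get("comment", "")
    if HOT_WORDS.search(comment):
        reasons.append("hot word in content")
    if len(re.findall(r"https?://", comment)) > MAX_LINKS:
        reasons.append("too many links")

    # pop() makes each served form usable exactly once, so a bot cannot
    # fetch one form and then post it a thousand times.
    issued = _issued_forms.pop(submission.get("form_id"), None)
    if issued is None:
        reasons.append("unknown or reused form id")
    else:
        elapsed = now - issued
        if elapsed < MIN_FILL_SECONDS:
            reasons.append(f"form filled in {elapsed:.1f}s")
        elif elapsed > MAX_FILL_SECONDS:
            reasons.append("form expired")
    return reasons


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    fid, _ = render_form(now=1000.0)
    human = {"form_id": fid, "comment": "Great product, arrived on time.", HONEYPOT_FIELD: ""}
    print("human:", classify(human, "192.0.2.10", now=1012.0))
    fid, _ = render_form(now=2000.0)
    bot = {"form_id": fid, HONEYPOT_FIELD: "http://spam.example",
           "comment": "Buy now http://a.example http://b.example http://c.example"}
    print("bot:  ", classify(bot, "203.0.113.9", now=2000.4))
```

Returning reasons rather than a bare verdict matters for the false-positive problem the list mentions: a human comment that trips only the hot-word filter can be held for moderation, while a submission that fails several independent checks can be dropped silently. The timing store here is in-process memory; behind several web servers it would live in a shared cache instead.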

A widespread alternative to the classic captcha, likewise based on behavioral analysis, also comes from Google. Under the name "No CAPTCHA reCAPTCHA", Google has since 2014 offered a human verification service that protects interactive sites against abuse and in most cases manages without a captcha at all.

Instead of presenting users with a task based on visual, auditory, or logical connections, this version of reCAPTCHA shows just a simple checkbox.

Google's No CAPTCHA reCAPTCHA involves no codes, image quizzes, or math questions.

Google Checkbox Simple Captcha

If a user ticks the "I am not a robot" box, the software checks in the background how likely it is that the interaction is automated. Google relies on what it calls advanced risk analysis. The individual stages of this algorithm are kept secret by Google, but the following signals are discussed online:

  1. Cookies
  2. The IP address
  3. Mouse movements in the checkbox area
  4. The time taken to complete the check

If the software concludes that the user is human, the user is let through to the desired page. If, on the other hand, the analysis indicates a high risk of spam, a classic captcha challenge is presented after all. No CAPTCHA is therefore a preliminary check that decides whether verification via a Turing test is necessary or can be skipped. It is convenient for the user in terms of ergonomics but raises data protection concerns.
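Whatever Google's risk analysis decides, the only thing a website sees is a token that the checkbox widget places in the `g-recaptcha-response` form field; the site must send that token to Google's `siteverify` endpoint and act on the reply, otherwise a bot can simply post the form with the field left empty and the widget protects nothing. The function below is an added example, not code from the original article or from Google. The endpoint URL, the `secret`/`response`/`remoteip` parameters and the `success`, `hostname` and `error-codes` reply fields are the documented reCAPTCHA v2 interface; the hostname pinning, the fail-closed behavior on network errors, and the injectable `post` transport (so the check can be exercised without network access) are this example's own design, and the secret and hostname values are placeholders.

```python
"""Server-side verification of a No CAPTCHA reCAPTCHA token (added example)."""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def _http_post(url, fields):
    """Default transport: form-encoded POST, JSON reply. Swapped out in tests."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha(token, secret, expected_hostname, remote_ip=None, post=_http_post):
    """Return (ok, reason). Only success=True for *our* hostname counts as verified.

    token:             value of the g-recaptcha-response form field
    secret:            the site's server-side reCAPTCHA secret (placeholder here)
    expected_hostname: the domain the form is served from (placeholder here)
    """
    if not token:
        # The widget was bypassed or JavaScript was off: treat as unverified.
        return False, "missing g-recaptcha-response"

    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip  # optional, lets Google correlate the client

    try:
        reply = post(SITEVERIFY_URL, fields)
    except Exception as exc:
        # Fail closed: an unreachable verifier must not turn into "everyone is human".
        return False, f"siteverify unreachable: {exc}"

    if reply.get("success") is not True:
        codes = reply.get("error-codes", ["unknown"])
        return False, "rejected: " + ",".join(codes)

    # A token is tied to the site key, not to our domain. If domain checking is
    # disabled for the key, a token solved on another site would still report
    # success, so compare the hostname Google saw with the one we serve.
    if reply.get("hostname") != expected_hostname:
        return False, f"token issued for {reply.get('hostname')!r}"

    return True, "ok"


if __name__ == "__main__":
    # Offline demo with a fake transport; a real deployment uses the default _http_post.
    fake = lambda url, fields: {"success": True, "hostname": "shop.example"}
    print(verify_recaptcha("demo-token", "placeholder-secret", "shop.example", post=fake))
```

In a request handler the call is `verify_recaptcha(request.form.get("g-recaptcha-response", ""), SECRET, "shop.example", remote_ip=request.remote_addr)` and the submission is processed only when the first element is `True`. Each token is single-use and short-lived on Google's side, so the same token cannot be verified twice; the data-protection point raised in the following paragraphs applies to this server-to-server call as well, since it sends the user's token and, optionally, IP address to Google.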

Website operators who use the new reCAPTCHA automatically transmit their users' interaction data to Google. Users must be explicitly informed in the privacy policy that third-party software is used for spam prevention.

It is also striking that the terms of use and the comprehensive privacy statement Google refers to for the new reCAPTCHA are the general ones that apply to all other Google services. It cannot be ruled out that the company also uses the collected data beyond spam prevention to optimize its services, for example in advertising. This problem is addressed in an article in the online magazine Business Insider.

In January 2017, the home page of Google's reCAPTCHA project announced Invisible reCAPTCHA, a further development of No CAPTCHA reCAPTCHA that works without a checkbox.

Invisible Recaptcha

In principle, Invisible reCAPTCHA works as follows: while a user fills out an online form, various analysis processes run in the background. Google has so far said nothing about what these processes are.