CAPTCHAs: What They Are and Why They're So Hard to Enter
What Is the Meaning and Purpose of a CAPTCHA?
A CAPTCHA is a test that companies use to ensure that a human is submitting an online form. It's intended to prevent bots, automatic sweepstakes entry services, hackers, and other types of programs from cheating the system.
Why the funny name? CAPTCHA is an acronym that stands for "Completely Automated Public Turing Test to tell Computers and Humans Apart." A Turing Test is a test for intelligence in a computer or a program.
CAPTCHAs have a wide range of applications. They prevent hackers from performing "brute force" attacks where they try to break into an account by guessing every possible password combination, and they can also prevent fraudulent sweepstakes entries or illegitimate contest votes.
How Do CAPTCHAs Work?
The most common CAPTCHAs display a series of distorted letters and numbers. The entrant needs to type those letters and numbers into a box before the form will submit successfully.
In theory, computers can recognize text from images -- but to do so reliably, they have to have a clean, crisp image.
Therefore, CAPTCHAs are often distorted or placed on a confusing background pattern so that software programs cannot easily identify the letters and numbers by their shape.
Instead of strange letters and numbers, some CAPTCHAs ask people to play a game, such as putting all of the moving images of food on a plate (while ignoring other moving images that don't show food). This is also a test that is difficult for a computer to pass.
Some CAPTCHAs offer the option to listen to the letters as they are spoken out loud (which is especially important for the visually impaired) or ask you to perform other actions, such as picking all of the pictures that show a house or a road sign.
Why Are CAPTCHAs So Tricky?
Although they're supposed to be easy for humans to solve, CAPTCHA codes can be confusing and frustrating. However, there's a good reason why they are not easier.
Blocking cheaters and spammers is a game of cat and mouse; cheaters are always trying to crack CAPTCHAs, and companies are trying to strengthen their security to make them harder to get around (while still letting legitimate entries through).
Understanding the methods that spammers use to circumvent CAPTCHA sheds light on why those CAPTCHA codes are getting harder to enter. Here are some of the most common ones:
Avoiding CAPTCHA with OCR
OCR, which stands for Optical Character Recognition, is a way for computers to identify text from images. If you want to scan a document into your computer and edit it like any other electronic document, you'll scan the image into the computer and then use OCR software to convert the image into text.
If you have a nice, clear text CAPTCHA, cheaters can use OCR software to break the code.
This is why so many CAPTCHA codes are blurry, have wavy lines behind them, turn the letters sideways, or otherwise make the text hard to read.
If you've ever tried to scan any documents, you'll notice that while many words go through without problems, anything that makes the text a little unclear, like smears or smudges on the paper, will cause the OCR software to make errors and confuse the words.
When CAPTCHA codes are hard to read, it increases the chance that cheaters' OCR software won't be able to break the code.
Displaying CAPTCHA Codes on Other Websites
CAPTCHAs are designed to be easy for humans to solve, but very hard for computers to enter automatically. But that doesn't help if it's humans who are unwittingly solving the CAPTCHAs.
Cheaters and spammers have gotten around CAPTCHAs by passing the code to another website, where people enter the code to get access to some other feature. For example, those people think they're solving a puzzle or typing a code to get access to an (often pornographic) picture.
This is one reason why some CAPTCHAs expire so quickly. If a new CAPTCHA needs to be entered every few seconds, it reduces the odds that cheaters can trick someone into typing the response quickly enough.
Paying People to Crack CAPTCHAs
Some companies offer programs that allow cheaters to crack CAPTCHAs for $1 or less per crack. They are similar to the trick above, but they pass the CAPTCHA codes to people working in sweatshops in third-world countries to solve. A fast-expiring CAPTCHA can also fight this kind of hack.
Exploiting Poorly-Coded CAPTCHAs
Some CAPTCHAs are not coded correctly, so that it's possible to guess the desired result from the code or to have the same CAPTCHA accepted over and over again. Luckily, companies can avoid this problem by using free and reliable CAPTCHA programs like Google's reCAPTCHA.
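The two server-side defenses described above, a short expiry time and refusing to accept the same CAPTCHA twice, can be sketched as follows. This is an added example, not code from the original article or from any CAPTCHA product; the class name, the 30-second lifetime, and the sample answers are assumptions made up for illustration.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Keeps each expected answer on the server, keyed by a random challenge id."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # challenge id -> (normalized answer, expiry time)

    @staticmethod
    def _normalize(text):
        # Assumption: answers are case-insensitive and ignore stray whitespace.
        return text.strip().lower().encode()

    def issue(self, answer):
        # The id is random, so the page markup reveals nothing about the answer.
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (self._normalize(answer), self.clock() + self.ttl)
        return cid

    def verify(self, cid, response):
        # pop() makes every challenge single-use: one attempt, right or wrong.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return "unknown_or_reused"
        answer, expires_at = entry
        if self.clock() > expires_at:
            return "expired"
        ok = hmac.compare_digest(answer, self._normalize(response))
        return "ok" if ok else "wrong"


def demo():
    now = [0.0]  # fake clock so the expiry case runs instantly
    store = CaptchaStore(ttl_seconds=30, clock=lambda: now[0])
    first = store.issue("x7Kq2")  # constructed sample answers throughout
    results = [store.verify(first, " X7KQ2 "), store.verify(first, "x7kq2")]
    second = store.issue("m4tz9")
    now[0] = 31.0  # a relayed answer that comes back too late
    results.append(store.verify(second, "m4tz9"))
    third = store.issue("abc12")
    results += [store.verify(third, "zzzzz"), store.verify(third, "abc12")]
    return results
```

Because the challenge is deleted on the first attempt, a correct answer cannot be replayed and a wrong guess cannot be retried against the same image.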
It would be great if we didn't have to jump through hoops to submit a simple entry form, but those hoops are actually there for our protection.
For example, Kmart had to suspend a big giveaway when hackers started winning all of their prizes. That was fairly easy to do, since the sweepstakes didn't use CAPTCHAs.
Nowadays, it's pretty rare to find a giveaway that doesn't use some kind of protection, either through a CAPTCHA or through a different verification method.
The courts have found that circumventing CAPTCHA violates the DMCA, making it illegal. You can read more about the issues involved in this Wired article: Is Breaking CAPTCHA a Crime?
But despite the illegality, as long as there's profit in circumventing CAPTCHAs, criminals will always look for new ways to crack them, while companies will try new methods to boost security.