Is Captcha Really Helping to Secure Our Websites?
For years, we have seen Captcha as one of the main ways to protect our websites from spammers and other malicious users.
It’s easy to see why Captcha has been so widely used – it’s an effective method of securing our websites, which are often targeted by hackers who want to take over our sites or insert malicious code into them.
So is Captcha helping us secure our websites? And if not, what should we be using instead?
Let’s take a look at the pros and cons of Captcha and other methods of website security in this article.
What is CAPTCHA (or what it does)?
In short, CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a type of challenge-response test used in computing to determine whether or not a user is human. The term was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford of Carnegie Mellon University.
These are often used in forms such as registration and contact forms on web pages to prevent bots from using them for spamming, by asking for information that humans are likely to fill out correctly but computer programs might not understand.
There is also a trend toward using captchas for email validation. If you want to register for an account with say, Amazon Web Services (AWS), you will be required to answer a captcha question before you can continue with your signup process.
Similarly, we use captcha systems when we login into our bank accounts so they’re harder for automated scripts to hack into.
Now, machines have gotten very advanced at cracking captchas. A program designed specifically to crack captchas can successfully solve even the hardest-to-read pictures within 2 seconds. Meanwhile, some human users cannot even make out the challenge, because they cannot distinguish the letters from the distorted image.
Why are we using CAPTCHA?
The practice of using CAPTCHA to prevent automated programs from submitting forms can be traced back to 2000.
In that year, Yahoo! introduced a version of it (referred to as Secret Key) that required users to enter both letters and numbers. Other companies such as AOL soon followed suit.
However, these early versions were not very effective. Bots could still submit web form data with ease. Over time, however, technology evolved and so did CAPTCHA solutions – but only for those paying for these newer versions.
Today, there are two competing methods to secure web pages. One uses AI to test whether or not you’re human, while another provides simple image-matching tests. Some websites choose one method over another, while others provide both options on each page. Are they helping websites become more secure though? Or is there another solution we should be looking at instead? Let’s find out.
Which Companies Use Artificial Intelligence?
If a website offers you an option to prove you’re human via an AI test, then they’re most likely relying on reCAPTCHA. This tool was created by Google after purchasing the company whose system provided the answer checks when filling out online forms. It became obsolete after its sale and has since been replaced by Invisible reCAPTCHA.
So what does invisible mean?
It means that instead of reading distorted text or entering numbers from scanned images, users are now asked to select all pictures that contain cats from an image grid. The names used for both tools can be confusing because many people still refer to both of them as captchas.
Are we creating barriers for users instead of securing the website?
As a business, you want users to feel safe while they’re browsing your website. It’s tempting to make your website secure by requiring a human touch, like asking users to decipher confusing characters before entering a password, but other methods don’t disrupt the user experience or slow down page loads.
Although CAPTCHA is said to be used as a security measure, it can also be viewed as a barrier. There are many instances of websites utilizing CAPTCHA that either don’t even need it, or that could benefit from alternate security measures.
If you’re trying to secure your website with CAPTCHA and not seeing great results, perhaps you should reevaluate your use of it before allowing it to get in between your users and access. There are additional ways to combat bots on your site without negatively impacting performance.
- try using whitelists
- filters based on speed (the time it takes for someone to solve/read)
- mobile support via verification through SMS/call
These methods have proven much more effective at combating spambots than text-based CAPTCHA tests while providing quick and easy user experiences. For example, LivePerson has implemented human interaction into their signup process in an effort to combat spambots. Once a form is submitted, they call up potential customers instead of requiring them to manually enter a complex word string—not only does LivePerson save time by eliminating one step of information entry per registration, but they also personalize their registration process by chatting with each individual customer. The result?
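As an added illustration of two of the methods listed above (a whitelist and a speed-based filter), here is a small, constructed form handler that is not code from the original article. It stamps the form with a signed render time, then rejects submissions that arrive implausibly fast (a bot) or implausibly late (a replayed token); the threshold values and the allowlisted address are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # per-process signing key (constructed)
MIN_FILL_SECONDS = 3.0             # assumed: humans rarely finish a form faster
MAX_FILL_SECONDS = 3600.0          # assumed: older tokens are treated as replayed
ALLOWLIST = {"203.0.113.7"}        # constructed: known-good clients, e.g. a partner API


def issue_token(now=None):
    """Embed the form render time in a signed hidden field so a bot cannot forge it."""
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def classify_submission(token, client_ip, now=None):
    """Return 'allow' or a 'reject:<reason>' verdict for one form submission."""
    now = now if now is not None else time.time()
    if client_ip in ALLOWLIST:
        return "allow"                      # whitelist short-circuits the timing check
    try:
        ts, sig = token.split(".", 1)
        rendered_at = int(ts)
    except (ValueError, AttributeError):
        return "reject:malformed"
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "reject:bad-signature"       # timestamp was tampered with
    elapsed = now - rendered_at
    if elapsed < MIN_FILL_SECONDS:
        return "reject:too-fast"            # speed filter: faster than a human could read
    if elapsed > MAX_FILL_SECONDS:
        return "reject:stale"               # token kept and replayed much later
    return "allow"
```

The hidden field costs the user nothing, which is the point the article makes against text-based CAPTCHA.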
An alternative approach – Artificial Intelligence
While captchas might be good for keeping out your everyday spambot, they do little in terms of stopping a determined hacker. It would take less than ten minutes for a hacker to create a bot that could defeat most captchas with 99% accuracy. And once someone has broken past your captcha, it’s game over.
An alternative approach is to use an information security system like Apache’s WAF (Web Application Firewall). Using AI, these types of systems can identify and block attacks in real-time based on pre-defined signatures. That means you can secure not only login functionality but also every other aspect of your website without sacrificing usability. And no coding is required.
An alternative approach – Information Security
Though they may seem secure, captchas are just puzzles meant to stymie easy access by bots.
They do nothing to protect your business from hackers; after all, hacking itself involves building artificial intelligence meant to replicate human thought and action. When given enough resources (say $100k), even the simplest captcha will fall—all it takes is one misdirected click for any small business.
Web Application Firewall in short:
WAF is an additional layer of protection that acts as a filter against malicious traffic. It operates in addition to, and sometimes independently of, an existing firewall or proxy server. It resides between your web application and an internet connection, filtering content and blocking requests deemed as malicious. This enables a website owner/administrator or hosting provider to block attacks on a website without having access or control over their source code. The goal of a WAF is not to prevent attacks, but rather to detect them so that mitigation actions can be taken by administrators (e.g. removing or blacklisting attacker IP addresses).
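To make the signature-based detection described above concrete, here is a constructed example that is not code from the article or from any WAF product. It runs two illustrative rules over sample access-log lines (constructed data), decodes URL encoding first so that encoded variants are not missed, and lists source addresses that exceed an assumed threshold as candidates for the blacklisting step the article mentions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed detection signatures in the style of a WAF rule list (illustrative only).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\.[/\\]"),
    "script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
}
BLOCK_THRESHOLD = 2  # assumed: flag an address after this many matching requests

# Constructed sample log lines in common log format (not from a real server).
SAMPLE_LOG = """\
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /files?name=../../etc/passwd HTTP/1.1" 200 0
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88
198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=..%2F..%2Fconfig HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def inspect_request(target):
    """Return the names of all signatures matching the URL-decoded request target."""
    decoded = unquote(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(text):
    """Return (ip, target, matched signatures) for each request that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        matched = inspect_request(m["target"])
        if matched:
            hits.append((m["ip"], m["target"], matched))
    return hits


def block_candidates(hits, threshold=BLOCK_THRESHOLD):
    """Source addresses whose matching-request count reached the threshold."""
    counts = Counter(ip for ip, _, _ in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```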