Although we are now used to seeing them all the time, for years they have starred in jokes, pranks and memes on the internet. The CAPTCHA is a security tool that millions of web pages use to differentiate human users from bots or programs designed to crack passwords or automate access to certain online services. It is a familiar element of our daily lives, with many forms and variants, some of them very curious and others difficult to unravel even for a human.
Its name is reminiscent of an area of Russia known for its crabs and its landscapes. But CAPTCHA does not come from Russian. It is actually an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart, that is, a public, automated Turing test to distinguish computers from humans. The concept emerged in 2000, and the first to talk about captchas were Luis von Ahn, Manuel Blum and Nicholas J. Hopper from Carnegie Mellon University and John Langford from IBM.
The CAPTCHA is also known, to a lesser extent, as the reverse Turing test, since it is a machine, computer or program that is responsible for identifying the human and not the other way around. It consists of asking us humans to do something in the web browser that, in principle, a machine should not be able to do: from typing words that appear deformed in an image to selecting some icons on the screen and not others, moving a piece within a puzzle or choosing images that contain a certain object and not another. There are many types of CAPTCHA, but how does the website you are on know that you are a human and not a computer program?
What is a CAPTCHA for?
Google says that a CAPTCHA “helps protect you from spam and password cracking by asking you to complete a simple test that proves you are human and not a computer trying to access a password-protected account.” Depending on the website, you will encounter captchas if you try to open several links very quickly or if you use programs that automatically download images or content from web pages. In short, the CAPTCHA aims to detect internet bots.
Going back to Google’s explanation, the typical CAPTCHA shows a “sequence of letters or numbers randomly generated that appears as a distorted image”. You, as a human, should be able to read and type that sequence of letters or numbers. If you can’t get it right, you can try your luck again and even ask a robotic voice to read the sequence to you. In principle, an internet bot should not be able to read that image. And although image recognition has advanced since then, it is still a good security tool.
We find captchas on millions of web pages and in many different places: login, registration of new users, forms, online surveys, password changes for existing accounts, login from new devices and much more. As I mentioned before, a captcha can appear if a web page detects that we are performing actions too fast for the typical behavior of a person, for example when clicking on links or images.
Why CAPTCHA is effective against bots
The traditional CAPTCHA is still used, but on many websites it has been replaced by improved and more elaborate versions, or by alternatives such as reCAPTCHA, developed by researchers at Carnegie Mellon University and later purchased by Google in 2009. However, CAPTCHA continues to work well in most cases.
As explained on the Cloudflare website, the most common bots use brute force to find the password or secret word. In the case of a CAPTCHA, they enter letters randomly. And although this can work, given some time, on a standard form with simple keys, it is of no use for deciphering what is hidden in a distorted image. For the advanced bots that have been appearing in recent years and that use machine learning to identify distorted letters, more complex tests have been incorporated, such as the reCAPTCHA mentioned above.
Known to everyone because they show images from real photographs, taken from Google Street View or other public sources, recaptchas add a little more complexity. Instead of identifying a word, you have to mark the parts of an image that contain what the prompt asks for, and then confirm your choice by pressing a button. We have all come across a reCAPTCHA asking us to select photos with traffic lights, stairs or zebra crossings. If it is already difficult for a bot to identify words, it is even harder for it to detect elements in a photograph. And although artificial intelligence is taking giant steps in this regard, it is not yet generally implemented in this type of bot.
Other recaptchas simply ask you to check a checkbox that says “I am not a robot.” The test is simple only in appearance, because behind it hides an elaborate strategy.
Your movement gives you away, human or robot
As bots incorporate the ability to recognize images, how do you make a test differentiate humans from robots on the internet? The answer is in movement: not yours, but the cursor's. At the moment, the most modern captchas or recaptchas focus on cursor movement. They are also known as No CAPTCHA. If you have to check a box that says you are not a robot, on a computer you have to use the mouse or trackpad to move the cursor to that checkbox and, once there, click. This strategy is also used in a CAPTCHA that asks you to place a puzzle piece or select some icons in the order indicated.
That movement of the cursor, driven by a mouse or trackpad which, in turn, is moved by your hand, has its own characteristics: microscopic patterns typical of humans, imperceptible fraction-of-a-second movements that bots cannot easily imitate. Cloudflare sums it up like this: “If cursor movement contains some of this unpredictability, then the test decides that the user is probably legitimate.” And if this were not enough, the cookies stored in the web browser and the device itself also help to discern whether it is a bot or a human browsing the internet.
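A simplified sketch of the idea, as an added example that is not code from Google, Cloudflare or any real CAPTCHA: it measures how straight and how evenly paced a cursor trace is, and treats any wobble as the "unpredictability" described above. The function names, thresholds and both traces are constructed for illustration; in a browser the samples would come from `mousemove` events.

```javascript
// Added illustration: thresholds and traces are constructed, not taken from
// reCAPTCHA, Cloudflare or any real product.
// A sample is {x, y, t}: cursor position in pixels, timestamp in ms.
function movementFeatures(samples) {
  let pathLength = 0;
  const speeds = [];
  for (let i = 1; i < samples.length; i++) {
    const step = Math.hypot(samples[i].x - samples[i - 1].x,
                            samples[i].y - samples[i - 1].y);
    const dt = samples[i].t - samples[i - 1].t;
    pathLength += step;
    if (dt > 0) speeds.push(step / dt);
  }
  const mean = speeds.reduce((a, b) => a + b, 0) / speeds.length;
  if (speeds.length < 2 || !(mean > 0)) return null; // nothing to judge
  const first = samples[0], last = samples[samples.length - 1];
  const direct = Math.hypot(last.x - first.x, last.y - first.y);
  const variance = speeds.reduce((a, b) => a + (b - mean) ** 2, 0) / speeds.length;
  return {
    straightness: direct / pathLength,          // 1.0 = perfectly straight path
    speedVariation: Math.sqrt(variance) / mean, // 0 = perfectly constant speed
  };
}

// Hypothetical thresholds: flag only traces that are both ruler-straight and
// metronome-steady; any wobble or uneven pace counts as human unpredictability.
function classifyMovement(samples) {
  const f = movementFeatures(samples);
  if (f === null) return "no-data"; // e.g. a tap or click with no movement
  const tooStraight = f.straightness > 0.995;
  const tooSteady = f.speedVariation < 0.05;
  return tooStraight && tooSteady ? "suspicious" : "probably-human";
}

// Constructed trace 1: scripted cursor, straight line at constant speed.
const scripted = Array.from({ length: 10 }, (_, i) => ({ x: 10 * i, y: 5 * i, t: 16 * i }));

// Constructed trace 2: hand-like movement with wobble and uneven timing.
const handLike = [
  { x: 0, y: 0, t: 0 }, { x: 4, y: 3, t: 18 }, { x: 13, y: 5, t: 31 },
  { x: 27, y: 12, t: 49 }, { x: 44, y: 17, t: 63 }, { x: 58, y: 27, t: 82 },
  { x: 71, y: 31, t: 97 }, { x: 80, y: 38, t: 118 }, { x: 86, y: 43, t: 140 },
  { x: 90, y: 45, t: 171 },
];

console.log(classifyMovement(scripted), classifyMovement(handLike));
```

The "no-data" result is why movement alone is not enough: a trace with no samples has to be judged on other signals such as the cookies and device information mentioned above.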
What about touch screens?
Talking about mice or trackpads today means leaving aside the thousands of touch screens that we use daily on tablets, smartphones and even computers with screens of this type. There, the cursor movements are different. What's more, there is no cursor in sight. Your finger checks the verification box to indicate that you are a human being. How can a movement pattern be detected there? Obviously, in this case, the CAPTCHA or reCAPTCHA takes more elements into account to decide whether you are human or robot.
As we saw before, along with movement patterns, the API in charge of applying the CAPTCHA also takes into account information provided by the web browser and the device itself. Added to this are the touch events, that is, the actions that the user performs on the touch device by touching the screen: from touching with one, two or more fingers to dragging a finger across the screen, doing it with more or less pressure… These are different interactions that the device translates into different actions, such as opening a contextual menu, opening an application or marking an item. And in this case, they serve to discern whether whoever checks the checkbox is human.