CAPTCHA
What is CAPTCHA?
Challenge-response test designed to distinguish humans from automated bots, typically deployed on signup, login, and form-submission endpoints.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) presents a task easy for humans but hard for software: distorted text, image selection, audio prompts, or invisible behavioural analysis. Modern services such as Google reCAPTCHA v3, hCaptcha, and Cloudflare Turnstile score requests using browser signals, IP reputation, and interaction patterns. CAPTCHAs reduce credential stuffing, scraping, fake account creation, and comment spam, but they are not authentication and can be solved at scale by ML or paid solver farms. They also raise accessibility and privacy concerns, so use them as one layer among rate limiting, MFA, bot management, and behavioural analytics.
● Examples
- reCAPTCHA v3 returning a 0.0-1.0 risk score for each request.
- Cloudflare Turnstile widget on a login form.
● Frequently asked questions
What is CAPTCHA?
Challenge-response test designed to distinguish humans from automated bots, typically deployed on signup, login, and form-submission endpoints. It belongs to the Application Security category of cybersecurity.
What does CAPTCHA mean?
Challenge-response test designed to distinguish humans from automated bots, typically deployed on signup, login, and form-submission endpoints.
How does CAPTCHA work?
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) presents a task easy for humans but hard for software: distorted text, image selection, audio prompts, or invisible behavioural analysis. Modern services such as Google reCAPTCHA v3, hCaptcha, and Cloudflare Turnstile score requests using browser signals, IP reputation, and interaction patterns. CAPTCHAs reduce credential stuffing, scraping, fake account creation, and comment spam, but they are not authentication and can be solved at scale by ML or paid solver farms. They also raise accessibility and privacy concerns, so use them as one layer among rate limiting, MFA, bot management, and behavioural analytics.
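As an added illustration (not code from the original page or from any CAPTCHA vendor), the following Python shows what a server-side check of a reCAPTCHA v3 verdict should do with the score described above: reject tokens that failed, were minted for a different hostname or form action, or are stale, and only then compare the 0.0-1.0 score against a per-action threshold, escalating borderline scores to another layer (MFA, rate limiting) rather than deciding alone. The thresholds, the freshness window and the sample responses are constructed assumptions; the field names (success, score, action, challenge_ts, hostname) are those the siteverify API returns, and the HTTP call to the API is deliberately not made so the example runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

# reCAPTCHA v3 scores run from 0.0 (likely bot) to 1.0 (likely human);
# riskier actions demand a higher score before the request is let through.
THRESHOLDS = {"login": 0.5, "signup": 0.7}
MAX_TOKEN_AGE = timedelta(minutes=2)  # assumed window; v3 tokens expire after two minutes

def evaluate_recaptcha(siteverify_json, expected_action, expected_hostname, now):
    """Map a reCAPTCHA v3 siteverify response to ALLOW, STEP_UP or DENY.
    siteverify_json comes from POSTing the client token and secret key to
    https://www.google.com/recaptcha/api/siteverify (call not made here)."""
    r = json.loads(siteverify_json)
    if not r.get("success"):  # invalid, expired or already-used token
        return "DENY"
    # A token minted for another site or form action must not count here,
    # otherwise a token obtained elsewhere could be replayed against this form.
    if r.get("hostname") != expected_hostname or r.get("action") != expected_action:
        return "DENY"
    # challenge_ts is ISO 8601 UTC, e.g. "2024-05-01T12:00:00Z"; enforce freshness.
    issued = datetime.fromisoformat(r["challenge_ts"].replace("Z", "+00:00"))
    if now - issued > MAX_TOKEN_AGE:
        return "DENY"
    score = float(r.get("score", 0.0))
    if score >= THRESHOLDS.get(expected_action, 0.7):
        return "ALLOW"
    # A low score is a signal, not proof of a bot: hand the request to another
    # layer (MFA, visible challenge, rate limit) instead of rejecting outright.
    return "STEP_UP" if score >= 0.3 else "DENY"

def _resp(**overrides):
    """Constructed sample siteverify response (not captured from a real service)."""
    base = {"success": True, "score": 0.9, "action": "login",
            "challenge_ts": "2024-05-01T12:00:00Z", "hostname": "example.com"}
    return json.dumps({**base, **overrides})

NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)  # one minute after issue

def run_samples():
    """Verdicts for a set of constructed responses, keyed by scenario name."""
    check = lambda now=NOW, **o: evaluate_recaptcha(_resp(**o), "login", "example.com", now)
    return {
        "human": check(),
        "wrong_host": check(hostname="other.example"),
        "wrong_action": check(action="signup"),
        "stale": check(now=NOW + timedelta(minutes=5)),
        "suspicious": check(score=0.4),
        "bot": check(score=0.1),
        "failed": check(success=False),
    }
```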
How do you defend against CAPTCHA?
CAPTCHA is itself a defensive control rather than an attack. Because it can be solved at scale by ML or paid solver farms, deploy it as one layer alongside rate limiting, MFA, bot management, and behavioural analytics, as described in the full definition above.
● Related terms
- Credential Stuffing (attacks): An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- Brute Force Attack (attacks): An attack that systematically tries every possible value — typically passwords, PINs, or keys — until the correct one is found.
- Bot Management (network-security): Bot management is the practice of detecting automated traffic and distinguishing good bots from malicious ones, then allowing, challenging, or blocking each accordingly.
- Rate Limiting (network-security): Rate limiting caps the number of requests an identifier (IP, user, API key, or token) may make over a time window, protecting APIs and apps from abuse, scraping, and brute-force.
- Web Application Firewall (WAF) (network-security): A reverse-proxy filter that inspects HTTP/HTTPS traffic to block web attacks such as SQL injection, XSS, and bot abuse before they reach the application.
- Account Takeover (ATO) (attacks): An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud.