Vol. 1 · Ed. 2026
CyberGlossary
Entry № 165

CAPTCHA

Reviewed by Cybersecurity entrepreneur & security researcher

What is CAPTCHA?

CAPTCHA: Challenge-response test designed to distinguish humans from automated bots, typically deployed on signup, login, and form-submission endpoints.


CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) presents a task easy for humans but hard for software: distorted text, image selection, audio prompts, or invisible behavioural analysis. The term was coined in a 2003 paper by Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford at Carnegie Mellon, framing the challenge as a "hard AI problem" — any program that solves it advances AI, so the test stays useful either way. reCAPTCHA, the same team's spin-off that crowdsourced book digitisation through challenges, was acquired by Google in 2009.

flowchart TD
  U[Visitor submits form] --> W{CAPTCHA / risk check}
  W -->|signals: mouse, IP, browser| SC[Score request]
  SC -->|high confidence human| P[Allow]
  SC -->|low score| CH[Interactive challenge]
  CH -->|passes| P
  CH -->|fails / solver farm| B[Block or step up]

Modern services such as Google reCAPTCHA v3, hCaptcha, and Cloudflare Turnstile score requests using browser signals, IP reputation, and interaction patterns rather than always showing a puzzle. CAPTCHAs reduce credential stuffing, scraping, fake-account creation, and comment spam, but they are not authentication: image and text challenges are routinely defeated at scale by modern computer-vision models and by paid human solver farms (services like 2Captcha price thousands of solves for a few dollars). They also raise accessibility and privacy concerns. Treat CAPTCHA as one layer among rate limiting, MFA, bot management, and behavioural analytics rather than a standalone gate.
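The decision flow above, combined with a rate limit as a separate layer, can be sketched server-side as follows. This is an added example, not code from the glossary or from any CAPTCHA vendor: the function names, the 0.5 threshold and the 5-per-60-seconds limit are assumptions, the sample responses are constructed, and the field names follow the reCAPTCHA v3 verification response.

```python
from collections import defaultdict, deque

ALLOW_SCORE = 0.5          # assumed threshold, tune per endpoint
WINDOW_S, MAX_HITS = 60, 5 # assumed per-IP limit: 5 submissions per 60 s
_hits = defaultdict(deque) # ip -> timestamps of recent submissions

def rate_limited(ip, now):
    """Sliding-window limiter that runs regardless of the CAPTCHA verdict."""
    q = _hits[ip]
    while q and now - q[0] >= WINDOW_S:
        q.popleft()
    q.append(now)
    return len(q) > MAX_HITS

def decide(verify, ip, expected_action, expected_host, now):
    """Return 'allow', 'challenge' or 'block' for one form submission.

    `verify` is the parsed JSON the CAPTCHA provider returned to the server
    for the token the browser sent; it is never taken from the client.
    """
    if rate_limited(ip, now):
        return "block"       # a good score does not buy unlimited attempts
    if verify.get("success") is not True:
        return "block"       # missing, invalid, expired or replayed token
    if verify.get("hostname") != expected_host:
        return "block"       # token was issued for a different site
    if verify.get("action") != expected_action:
        return "block"       # token was issued for a different form
    score = verify.get("score")
    if not isinstance(score, (int, float)) or isinstance(score, bool):
        return "challenge"   # no usable score: fall back to a puzzle
    return "allow" if score >= ALLOW_SCORE else "challenge"

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real service.
    samples = [
        {"success": True, "score": 0.9, "action": "login", "hostname": "example.com"},
        {"success": True, "score": 0.1, "action": "login", "hostname": "example.com"},
        {"success": True, "score": 0.9, "action": "signup", "hostname": "example.com"},
        {"success": False, "error-codes": ["timeout-or-duplicate"]},
    ]
    for i, s in enumerate(samples):
        print(decide(s, f"203.0.113.{i}", "login", "example.com", now=0.0))
```

Checking `hostname` and `action` matters because a valid token obtained on one page or site would otherwise be accepted on another.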

Examples

  1. reCAPTCHA v3 returning a 0.0-1.0 risk score for each request.
  2. Cloudflare Turnstile widget on a login form.

Frequently asked questions

What is CAPTCHA?

Challenge-response test designed to distinguish humans from automated bots, typically deployed on signup, login, and form-submission endpoints. It belongs to the Application Security category of cybersecurity.

How do you defend against CAPTCHA?

Defences for CAPTCHA typically combine technical controls and operational practices, as detailed in the full definition above.
