CAPTCHA
What is CAPTCHA?
CAPTCHA: Challenge-response test designed to distinguish humans from automated bots, typically deployed on signup, login, and form-submission endpoints.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) presents a task easy for humans but hard for software: distorted text, image selection, audio prompts, or invisible behavioural analysis. The term was coined in a 2003 paper by Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford at Carnegie Mellon, framing the challenge as a "hard AI problem" — any program that solves it advances AI, so the test stays useful either way. reCAPTCHA, the same team's spin-off that crowdsourced book digitisation through challenges, was acquired by Google in 2009.
flowchart TD
U[Visitor submits form] --> W{CAPTCHA / risk check}
W -->|signals: mouse, IP, browser| SC[Score request]
SC -->|high confidence human| P[Allow]
SC -->|low score| CH[Interactive challenge]
CH -->|passes| P
CH -->|fails / solver farm| B[Block or step up]

Modern services such as Google reCAPTCHA v3, hCaptcha, and Cloudflare Turnstile score requests using browser signals, IP reputation, and interaction patterns rather than always showing a puzzle. CAPTCHAs reduce credential stuffing, scraping, fake-account creation, and comment spam, but they are not authentication: image and text challenges are routinely defeated at scale by modern computer-vision models and by paid human solver farms (services like 2Captcha price thousands of solves for a few dollars). They also raise accessibility and privacy concerns. Treat CAPTCHA as one layer among rate limiting, MFA, bot management, and behavioural analytics rather than a standalone gate.
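The allow / challenge / block flow above, sketched as server-side policy over a score-based verification response. This is an added example, not code from any of the services named: the field names follow the reCAPTCHA v3 siteverify JSON response, while `decide`, the thresholds, the hostname, and the sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values for illustration; tune them against your own traffic.
ALLOW_SCORE = 0.7                     # at or above: treat as high-confidence human
MAX_TOKEN_AGE = timedelta(minutes=2)  # older tokens are re-challenged, not trusted
MAX_FAILED_CHALLENGES = 3             # after this, block or step up (e.g. MFA)

def decide(verify, expected_action, expected_host, failed_challenges, now):
    """Return (decision, reason); decision is 'allow', 'challenge' or 'block'."""
    if not verify.get("success"):
        codes = ",".join(verify.get("error-codes", [])) or "unknown"
        return "block", "token rejected: " + codes
    # A token minted for another form or another site must not be accepted here.
    if verify.get("action") != expected_action:
        return "block", "action mismatch"
    if verify.get("hostname") != expected_host:
        return "block", "hostname mismatch"
    ts = verify.get("challenge_ts")
    if not ts:
        return "block", "missing timestamp"
    issued = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if now - issued > MAX_TOKEN_AGE:
        return "challenge", "stale token"
    # Repeated challenge failures override any score: the score is not authentication.
    if failed_challenges >= MAX_FAILED_CHALLENGES:
        return "block", "too many failed challenges"
    if float(verify.get("score", 0.0)) >= ALLOW_SCORE:
        return "allow", "high score"
    return "challenge", "low score"

# Constructed sample responses (not captured from a real service).
NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
GOOD = {"success": True, "score": 0.9, "action": "login",
        "challenge_ts": "2024-05-01T12:00:30Z", "hostname": "app.example.com"}
LOW = dict(GOOD, score=0.2)
WRONG_FORM = dict(GOOD, action="newsletter_signup")
REJECTED = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("low", LOW),
                       ("wrong_form", WRONG_FORM), ("rejected", REJECTED)]:
        print(name, decide(resp, "login", "app.example.com", 0, NOW))
```

The failed-challenge counter would come from the application's own rate-limiting store, keyed by account or client, so the block decision does not depend on the CAPTCHA provider alone.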
● Examples
- 01: reCAPTCHA v3 returning a 0.0-1.0 risk score for each request.
- 02: Cloudflare Turnstile widget on a login form.
● Frequently asked questions
What is CAPTCHA?
Challenge-response test designed to distinguish humans from automated bots, typically deployed on signup, login, and form-submission endpoints. It belongs to the Application Security category of cybersecurity.
How do you defend against CAPTCHA?
Defences for CAPTCHA typically combine technical controls and operational practices, as detailed in the full definition above.