How does a CAPTCHA work?: This lets websites know that you are not a robot.

Although we’re used to seeing them often, they’ve been featured in jokes, pranks, and memes on the Internet for years. CAPTCHA is security tool that use millions of web pages to distinguish human users from possible bots or programs designed to crack passwords or automate access to certain online services. A familiar element of our daily lives that comes in many forms and variations, some of which are very curious. Others are difficult to decipher even for humans.

Its name is reminiscent of a region of Russia known for its crabs and landscapes. But CAPTCHA is not from Russian. This is actually an acronym meaning Fully automated public Turing test to distinguish computers from humans. That is, public and automatic Turing test distinguish computers from people. The concept arose in 2000, and the first to talk about captchas were Louis von Ahn, Manuel Blum and Nicholas J. Hopper from Carnegie Mellon University and John Langford from IBM.

CAPTCHA is less known as a reverse Turing test, as it is a machine, computer or program that is responsible for identify a person, and not vice versa. And it consists of asking us humans to do something in a web browser that a machine shouldn’t do in principle. From write a few words that appear distorted in the image, to select some icons on the screen rather than others, to move a puzzle piece, or select images which contain a certain object and not another. There are many types of CAPTCHAs, but how does the website you’re on know about it? you are a person, not a computer program?

Why is CAPTCHA needed?

Google says CAPTCHA “helps you protects you from spam and password hacking asks you to take a simple test that will prove that you are a person and not a computer trying to access a password-protected account.” Depending on which web pages you will encounter captchas if you try to access multiple links. very fast or if you use programs that automatically download images or content from web pages. In short, the purpose of CAPTCHA detect internet bots.

Going back to Google’s explanation, a regular CAPTCHA usually shows “sequence of letters or numbers is randomly generated and looks like distorted image” You as a person must be able to read and write this sequence of letters or numbers. If you can’t do it right, you can try your luck again and even ask a robotic voice to read to you subsequence. In principle, an Internet bot will not be able to decipher this image. And although image recognition has evolved today, it is still a good security tool.

We find captchas on millions of web pages and in many different places: login, registering new users, forms, online surveys, changing passwords for already created accounts, logging into new devices and much more. As I mentioned earlier, a captcha can appear if the web page detects that we are performing too fast actions on habitual human behavior. For example, when you click on links or images.

Why CAPTCHA is effective against bots

The traditional CAPTCHA is still in use. But on many websites it has been replaced by improved and more complex versions. Or alternatives such as reCAPTCHA, developed by researchers at Carnegie Mellon University and later acquired by Google in 2009. However, in most cases the CAPTCHA continues to work well.

As explained on the Cloudflare website, the most common bots They use brute force to find the password or secret word. In the case of a CAPTCHA, the letters are entered randomly. And while in its standard form this may work with simple keys and some time, It’s useless to decipher what’s hidden distorted image. And for advanced bots which have appeared in recent years and which use machine learning More complex tests, such as the reCAPTCHA mentioned above, have been included to identify malformed letters.

Known to everyone because show images of real photos, from Google Street View or other publicly available sources, recaptchas add a little more complexity. Instead of identifying the word, you need to mark parts of an image which contain what the statement requires. And then confirm your choice by pressing the button. We’ve all encountered reCAPTCHAs that ask us to choose photos with a traffic light, a staircase, or a zebra crossing. If it’s already difficult for a bot to recognize words, then even more so detect elements in a photograph. And although artificial intelligence is making giant strides in this direction, it has not yet been implemented in this type of bot on a mass scale.

Other recaptchas just ask you check the box in which he says, “I’m not a robot.” It’s all about the appearance of this challenge, because behind it lies a carefully thought out strategy.

Your movement reveals you, human or robot

Since bots have the ability to recognize images, how to test? distinguish people from robots In the Internet? The answer lies in movement. Not from you. At the moment, the most modern captchas or recaptchas are focused on cursor movement. They are also known as No captcha. If you need to check a box that says you are not a robot, on a computer you will have to use your mouse or trackpad to move the cursor to that box. And once there, click. This strategy is also used in a CAPTCHA that asks you place the puzzle piece or select multiple icons in the order listed.

This is a cursor movement activated mouse or trackpad which, in turn, moves with your hand, has its own characteristics. Microscopic patterns characteristic of humans. Imperceptible movements in a split second that bots cannot imitate easily. Cloudflare sums it up this way: “If cursor movement contains some of this unpredictability, then the test decides that the user is probably legitimate.” And if that wasn’t enough, cookie stored in the web browser and the device itself They also help determine whether a bot or a human is browsing the Internet.

What about touch screens?

To talk about mice or trackpads today means leaving aside the thousands of touch screens that we use every day on tablets, smartphones and even computers with these types of screens. The cursor movements there are different. It’s more. The cursor is not visible. Your finger puts a tick confirmation that you are human. How to detect a pattern of movement there? Obviously, in this case, the CAPTCHA or reCAPTCHA takes into account more elements to decide whether you are a human or a robot.

As we saw earlier, in addition to traffic patterns, the API responsible for enforcing CAPTCHA also takes into account information provided by the web browser and the device itself. Added to this sensory eventsthat is, those actions a user performs on a touch device touching the screen. From touching with one, two or more fingers to dragging a finger across the screen, doing it with more or less pressure… These are different interactions that the device translates into different actions, such as opening a context menu, opening an application or marking an item. And in this case it helps to find out whether the one who ticks the box is the person.