CAPTCHA for human verification!

CAPTCHA was born in response to the threat of attackers building robots to bypass different systems. Today CAPTCHA is widely used across the Internet. In this note, our ZARZA engineers discuss this topic, sharing specific and accurate information about CAPTCHA and its correct use, along with additional recommended measures.

What is CAPTCHA? What is it for?

When we sign up on a website or complete a form, we are often shown an image of warped text and asked to type what it says, that is, to transcribe its content. That is a CAPTCHA: it determines whether the form is being filled in by software (a programmed robot) or by a human being.

CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart

What we understand as a CAPTCHA is therefore a Turing test: a completely automated, public test that tells computers apart from humans. It looks like this example:

[Image: CAPTCHA example]

As you can see, the letters are distorted, which makes it harder for a robot to discern the characters while still letting a human identify the sequence, which is «smwm». However, statistics show that it is not that easy for everyone.

A CAPTCHA may contain not only distorted letters but also lines, gradients and distracting elements that increase its complexity.

Modern CAPTCHAs also offer the option of listening to the letters, or of requesting a different CAPTCHA if we cannot decode the current one. One of the best-known examples is the free service offered by reCAPTCHA (currently owned by Google), which combines two or more words, as in the following example:

[Image: reCAPTCHA example]

CAPTCHA complexity will keep increasing and the schemes will keep modernizing, but the fine line between what is comprehensible to a human and what is not to a robot will remain.

Is CAPTCHA completely impassable? No, it is not.

Today both black hat and white hat practitioners know that visual recognition tools are advertised on the Internet, and that there are even paid services, both inside and outside the Deep Web, offering fast connections that decode different CAPTCHAs, breaking into systems and slowing them down.

That is exactly why, when developing your software or paying for it, you must treat CAPTCHA as an additional precaution, never as the only control that keeps your system protected.

Depending on the system's scheme, additional recommendations may include the following:

  • Limit the number of queries: by IP address, country, time or type of request. Even if an attacker manages to decode the CAPTCHA, they then face limits that a human being could not physically exceed.
  • Check the number of errors: scripts used to decode CAPTCHAs often submit arrays of several candidate answers, which produces far more failed attempts than a real user would make before giving up. Ask your developer (or do it yourself if you are a programmer) to tune these parameters against your own users' usage statistics.
  • Verify the services per user: if the scheme allows it, require credential validation alongside the CAPTCHA, and at the same time log the usage so that abusive users can be identified and excluded, manually or automatically.

These controls can be frustrating for real users, so rather than blocking all queries you may also consider introducing a wait time, even a few seconds, that makes the user wait between attempts; once an attempt succeeds, they wait again before receiving the results, according to their behaviour and the policies set for each class of user. The same parameters should not apply to known registered users, but they should apply to visitors and recently enrolled users.
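As an added illustration of the recommendations above (example code written for this note, not ZARZA's own code and not tied to any CAPTCHA provider), the following Python sketch wraps a form handler with a per-IP sliding-window request limit, a failure counter with a growing wait time between attempts, a lockout that an operator clears manually, and an abuse log. The policy values, client addresses and user tiers are constructed for the example, and the CAPTCHA result itself is assumed to be verified elsewhere and passed in as a boolean; a clock value is injected so the behaviour is deterministic offline.

```python
"""Form-abuse guard: CAPTCHA result plus rate limit, error count and wait time.

Added example, not ZARZA's code. The CAPTCHA check is a black box here
(`captcha_ok` arrives already evaluated) and `now` is injected by the caller.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Policy:
    max_requests: int      # accepted attempts per window, per client address
    window_seconds: float  # sliding window length for the request limit
    max_failures: int      # failed CAPTCHAs before the client is locked out
    base_delay: float      # seconds a client must wait between attempts


# Constructed policies: strict for guests, relaxed for known registered users.
POLICIES = {
    "guest": Policy(max_requests=5, window_seconds=60.0, max_failures=3, base_delay=2.0),
    "registered": Policy(max_requests=50, window_seconds=60.0, max_failures=10, base_delay=0.0),
}


@dataclass
class ClientState:
    timestamps: deque = field(default_factory=deque)  # recent attempt times
    failures: int = 0          # consecutive CAPTCHA failures
    next_allowed: float = 0.0  # earliest time the next attempt is accepted


class SubmissionGuard:
    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.state = defaultdict(ClientState)
        self.log = []  # abuse records for manual or automatic review

    def _record(self, ip, tier, reason, now):
        self.log.append({"ip": ip, "tier": tier, "reason": reason, "at": now})

    def check(self, ip: str, tier: str, captcha_ok: bool, now: float) -> str:
        """Return 'accept', or a short reason string for rejecting this attempt."""
        pol = self.policies[tier]
        st = self.state[ip]

        # 0. A locked-out client stays locked until an operator clears it,
        #    even if it now presents a correct CAPTCHA answer.
        if st.failures >= pol.max_failures:
            self._record(ip, tier, "locked_out", now)
            return "locked"

        # 1. Wait time between tries (grows with each failure, see below).
        if now < st.next_allowed:
            self._record(ip, tier, "too_fast", now)
            return "wait"

        # 2. Per-address request limit over a sliding window.
        while st.timestamps and now - st.timestamps[0] >= pol.window_seconds:
            st.timestamps.popleft()
        if len(st.timestamps) >= pol.max_requests:
            self._record(ip, tier, "rate_limited", now)
            return "rate_limited"
        st.timestamps.append(now)

        # 3. Error counting with exponential backoff on the wait time.
        if not captcha_ok:
            st.failures += 1
            st.next_allowed = now + pol.base_delay * (2 ** (st.failures - 1))
            if st.failures >= pol.max_failures:
                self._record(ip, tier, "too_many_failures", now)
                return "locked"
            return "captcha_failed"

        # Success: reset the failure count but keep the base wait time.
        st.failures = 0
        st.next_allowed = now + pol.base_delay
        return "accept"

    def unblock(self, ip: str) -> None:
        """Operator action: clear a lockout after manual review."""
        st = self.state[ip]
        st.failures = 0
        st.next_allowed = 0.0


if __name__ == "__main__":
    g = SubmissionGuard()
    # Constructed sequence: a guest failing the CAPTCHA three times in a row.
    for t, ok in [(1000.0, True), (1002.0, False), (1004.0, False), (1008.0, False)]:
        print(t, g.check("203.0.113.7", "guest", ok, t))
    print(g.log)
```

The wait time doubles with every consecutive failure, so a script cycling through candidate answers is slowed to a crawl long before it hits the lockout, while a registered user with `base_delay` of zero is never made to wait; the log keeps a record of every rejection so abusive addresses can be reviewed or fed to an automatic block list.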

ZARZA Engineers is, and will continue to be, glad to help with all your software development needs. Our specialty is meeting those needs, keeping you safe and protected, and improving the performance of both your systems and your presence on the Internet.