Does CAPTCHA Really Enhance Login Security?

CAPTCHA Login Security

Every second counts on the Internet, and even the most patient users get frustrated when online tasks aren't completed in the quickest, most efficient way possible. Hence, even the most tolerant people are often annoyed by CAPTCHAs – the simple tests that are often put in registration forms and comment sections.

To a layman, CAPTCHAs look like an unnecessary annoyance created by someone who just wants to make people's lives harder. More experience users know that although they bring additional friction to the overall experience, we need them for security purposes. Few, however, realize just how many problems CAPTCHA tests solve, and how important they are.

What is a CAPTCHA test

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It's not the nicest-sounding name in the world, but at least it does the job of conveying what the technology is all about – it's an automated way of discovering whether or not a real person is on the other end of the keyboard. But why do we need to do this at all?

As we mentioned already, in the online world, it's important to do as much as possible in as little time as possible. And this goes not only for regular computer users but also for people who are up to no good. Automated scripts can now do most of the things you can do – post comments, log in to online accounts, and register for new services. Often, the bad guys program automated scripts to do all these things with the intent of causing harm, compromising users' privacy, or simply, to annoy them. CAPTCHA's goal is to limit these activities.

The annoying problems CAPTCHA solves

If you're developing a service or a product, it's important to hear what people think about it, and thanks to the Internet, this is easier than ever. Negative customer reviews can often act as a deal-breaker for many people, and naturally enough, vendors are scared of them. Many try to silence any criticism by realizing that some mistakes might have been made during the design and development of the product, and then investing time and effort into fixing the errors.

Sadly, others take a different approach. They use automated bots to post an overwhelming number of positive reviews and comments about their own products. The positivity drowns out the real opinions, and would-be customers get a wrong impression of what real users actually think. Obviously, the same technique can be used in the opposite direction – flooding comment sections and discussion boards with negative reviews about a certain product in order to sway people away from it.

CAPTCHA tests don't allow comments or reviews to be posted by automated bots meaning that people who want to gain an unfair advantage by influencing users' opinion need to do it manually which is neither quick nor efficient. This is good news, but there's a lot more to CAPTCHA than this.

As you probably know, there are many people out there that want to collect as much information about you as possible. The activity is known as web scraping, and although it could have legal repercussions in some countries, this obviously isn't enough to deter many people and organizations. Once again, speed is of the essence which is why there are tools designed to harvest data automatically. As you might have guessed already, CAPTCHA tests render them inefficient.

The more serious problems CAPTCHA solves

Having your personal information collected by aggressive marketers isn't particularly pleasant, and neither is getting fooled into buying a low-quality product. Both these things, however, are unlikely to have particularly long-lasting effects on your life. Unfortunately, automated scripts are sometimes used for schemes that have far more serious consequences.

Spam, as you probably know, is one of the biggest problems cybersecurity professionals face. It's used for anything from advertising dodgy pharmaceutical products to distributing malware, and it can be a very powerful weapon in the crooks' arsenal. The criminals need to send the spam from somewhere, though, which often presents a bit of a problem.

They can (and often do) use compromised email accounts of users who don't suspect a thing. The problem for the spammers is that soon after the first wave of fraudulent messages is unleashed, the senders are added to blacklists quickly, and subsequent messages often remain undelivered.

Free email providers that don't have CAPTCHA tests on their registration pages give crooks a solution. The spammers can simply write an automatic tool that creates hundreds of new, unique email accounts in minutes. Then, when those get blocked, the script can register another batch of accounts, and so on. All the crooks need to do is click some buttons, sit back, and wait for the results.

Speaking of which, this is pretty much all they do when they launch an online brute-force attack as well. Contrary to popular belief, you don't actually need to do a lot of "hacking" in order to launch a cyberattack. Often, it's all down to finding the right tools and deploying them. In a brute-force scenario, a CAPTCHA test could mean the difference between a successful attack and a failure, especially when the attackers aren't very sophisticated. Unfortunately, they sometimes are.

The evolution of CAPTCHA

Most of you probably think of images of distorted words when you discuss CAPTCHA. You might have noticed, however, that CAPTCHA tests have changed somewhat over the last few years.

The whole point of a CAPTCHA test is that it should be easy for a human but an impassable obstacle for a computer. Some years ago, the classic CAPTCHAs with the twisted words were just that. Over the years, however, Optical Character Recognition (OCR) technology got better and better, and slowly but surely, computers started "reading" the distorted words. Developers responded by making the challenges more difficult, but at one point, people started complaining that the words are quite simply unreadable. The audio equivalents provided for visually impaired users were also proven to be ineffective against sophisticated attacks.

Realizing that something must be done, Google developed noCAPTCHA reCAPTCHA – a test that is seemingly a lot easier to solve than the classic CAPTCHA. Right now, on most websites, you just need to click a checkbox to prove that you are a human being, and when there is another challenge, it's usually something easy like selecting a group of photographs that have similar objects on them.

Google is tight-lipped on how the technology works, but it's supposed to be much more reliable than the traditional CAPTCHA. Apparently, it takes a number of different factors into consideration in an attempt to determine whether a real person is interacting with the service. If it thinks that you might be a bot, it will present the checkbox challenge, and if it still isn't sure, it will give you a selection of photos, asking you to pick the odd ones out.

As you can see, CAPTCHA is a very important, rather clever solution to a variety of different problems. It has been criticized in the past, but over the years, it has come leaps and bounds in terms of both user experience and security.

Is CAPTCHA the perfect solution

No, it doesn't. For one, although Google's new system is supposed to be quite effective against automated bots, some hackers still reckon that they can organize an attack with a respectable success rate. Even if they can't do it right now, they will sooner or later find a way of fooling Google's bot-recognition system, and the experts will need to work hard to stay one step ahead.

There's more. As we mentioned already, some people think that working around CAPTCHA tests is crucial for their business success, and sure enough, there are organizations that are willing to cater to them. A number of CAPTCHA-breaking services are just a Google search away, with some of them basing their tools on OCR technology while others are reportedly paying real people woefully small amounts of money in exchange for solved CAPTCHA tests.

Of course, there is also the fact that while it can be a solution to quite a few problems, it's not (and will never be) a panacea. In an offline brute-force attack, for example, it is not going to do much.

So, CAPTCHA is not perfect. It is rather good at what it's designed to do, however, and although it often means that we need to spend a bit more time completing a particular task, we shouldn't underestimate its importance.

By Duran
January 2, 2019
Tips
English
January 2, 2019
Tips

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Tips

How to Handle Login/Password Security Questions

Security questions, also known as secret questions, are arguably among the worst backup authentication and account recovery mechanisms you can possibly see at the moment. In the past they did work, but right now, they... Read more

March 14, 2018
Tips

Top Security Tips for Those Using Banking Apps

Online banking is just one of the many examples of how the Internet and IT, in general, has made the everyday lives of people easier and more comfortable. However, measures taken to improve convenience don't always... Read more

October 26, 2018
Tips

Top Tips to Make Your Mediacom Login More Secure

Can you imagine your life without the Internet? Probably not. These days, even your grandma wakes up to check the latest weather forecast on her smartphone. Consequently, users rely on the Internet service providers,... Read more

August 6, 2018
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.