
Learn About CAPTCHA: No Bots Allowed. (Sorry, Bots)

CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.”
CAPTCHAs have been around in one form or another since the turn of the century, and they are used to ensure that internet users filling out forms on websites — such as contact forms or blog comments — are indeed humans.
Bots are programmed to fill in forms on websites automatically, which is used to generate spam and harvest email addresses, among other things. Without CAPTCHAs, the amount of spam produced by bots would be even worse than it is.
But CAPTCHAs themselves can be very annoying for website users. Despite being relatively simple, copying text from unclear images is frustrating and time-consuming, slowing down the process for users — and often hurting conversions for website owners.
On top of that, CAPTCHAs are failing. Algorithms are getting smarter, and Google claims that smart AI can now solve distorted text with 99.8% accuracy.
CAPTCHA Versions
As such, you might want to use a different type of CAPTCHA. Here are some of the options available to you.
The No CAPTCHA reCAPTCHA
The No CAPTCHA reCAPTCHA is Google’s invention. It was introduced in 2014 and has since become commonplace on websites around the world.
With this, the user is presented with a JavaScript checkbox labeled “I am not a robot.” The user simply clicks this checkbox with the mouse, and they are determined to be a human.
This works on the idea that humans behave very differently to bots. A bot is more likely to check the box right in the middle, whereas a human usually won’t. By tracking the movement of the mouse, the No CAPTCHA reCAPTCHA can tell with amazing accuracy whether the user is a human or not. (Find out more on Google’s blog.)
However, it’s not foolproof. In the case where it cannot determine whether the user is human or not, it will still ask them to type in a number or text, creating a frustrating experience once again.
There is a slightly different method for mobile devices, where the movements of the mouse are not tracked. Rather than clicking a checkbox, users are presented with an image (e.g., a cat) and asked to choose all the images from the following selection that are related (e.g., all the cats from a selection of animal images).
Again, this is a very simple task for users, but it proves to be difficult for bots.
What exactly Google is doing with this data is anyone’s guess. Perhaps it is using it to help train its Google Photos app to recognize images based on a keyword or to improve its maps. At any rate, it has become the standard type of CAPTCHA over the last few years.
Find out how to add the reCAPTCHA to your site in Google’s guide.
The Invisible reCAPTCHA
In 2017, Google announced an update to its No CAPTCHA reCAPTCHA in the form of the Invisible reCAPTCHA.
As the name suggests, this is a type of CAPTCHA that is completely invisible to the user and which requires no input whatsoever from them. Google’s aim with this is to get rid of the need for any kind of interaction on the part of the user.
It is not clear exactly how it works, but there is no box to tick, no text to enter, and no images to match.
Instead, it involves monitoring how users interact with the site, which likely involves the way they click on buttons, the way they move the mouse, and other data that Google has collected. It then aims to tell from this behavior whether the user is a robot or not.
While this is still in its early days, if it proves to be successful, you can expect this to become a lot more commonplace because the user experience is not affected, which has benefits for web users and website owners alike.
Find full details on how to use and customize it in Google’s guide.
Simple Math Problem
Most people know the answer to a simple math problem like “3 + 8.” However, when such a problem is presented as a CAPTCHA, it’s surprisingly difficult for spam bots to crack.
By asking a question like this and requesting the answer, you can provide a relatively smooth experience for the user. After all, it only takes a second or two for the user to work out the answer and type it into the box, and this provides a basic but reasonably effective bot deterrent.
It might not be as sophisticated as some of the more advanced solutions introduced by Google, but it can still be effective and it does not affect the user experience considerably.
There are various options for using such a CAPTCHA on your website. If you run a WordPress site, there is a plugin called Math Captcha that offers a selection of basic math problems that you can add to your forms and blog comments to effectively cut out the spam.
The Captcha plugin is also a popular option for implementing a basic math problem.
If you don’t use WordPress, you can still add a math CAPTCHA to your site using HTML. Follow this guide to set it up on your site.
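A math CAPTCHA only deters bots if the expected answer never reaches the browser. The following is an added example, not code from this article or from any plugin it names, of a server-side challenge in Python; the key, the lifetime and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

KEY = b"constructed-demo-key"  # assumption: a real site loads this from server config
TTL = 300                      # assumption: seconds a challenge stays valid

def mac(nonce: str, expires: int, answer: int) -> str:
    """Bind the expected answer to one challenge and its expiry time."""
    msg = f"{nonce}|{expires}|{answer}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def new_challenge(now=None):
    """Return (question, token). The token goes in a hidden field; the answer does not."""
    now = int(time.time() if now is None else now)
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    nonce, expires = secrets.token_hex(8), now + TTL
    return f"What is {a} + {b}?", f"{nonce}.{expires}.{mac(nonce, expires, a + b)}"

def verify(token: str, reply: str, now=None) -> bool:
    """Check the visitor's reply against the signed token, entirely on the server."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        expires, guess = int(parts[1]), int(reply)
    except ValueError:
        return False               # non-numeric reply or mangled token
    if now > expires:
        return False               # challenge is too old
    expected = mac(parts[0], expires, guess)
    return hmac.compare_digest(expected.encode(), parts[2].encode())
```

A stateless token like this stays valid until it expires, so a site that needs each challenge to be single-use also has to record the nonces it has already accepted.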
Simple Word Problem
Similar to the math CAPTCHA, this option involves using a simple word problem to baffle the bots while being reasonably easy for humans to solve.
TextCaptcha is one such tool that you can use. It provides a wide selection of word problems in different formats, including:
Writing one word in capital letters and asking the user which word it is.
Writing a list of three words and asking the user for the second one.
Writing a list of words, one of which is a color, then asking the user which word is a color.
These are all very simple, and even a bit quirky — which can have benefits when it comes to the branding of your site if you are targeting users who would find this kind of problem fun to solve.
This is also a good option for visually impaired users who may have trouble with other types of CAPTCHAs.
However, these word problems are not foolproof, and they can still be solved by bots. And as the bots become smarter, it will get more difficult to get rid of spam this way.
The Honeypot Method
The Honeypot CAPTCHA method is popular because it does not involve any interaction on the part of the user, meaning the user experience is not affected.
Instead, it tricks the bots using a simple but smart technique. This involves using hidden fields on the web page that human visitors cannot see.
Because the bots are often programmed to fill out all the fields automatically, they will fill out the field that human visitors cannot see, confirming that they are bots.
This is a great option because it prevents the user being disrupted in any way. They continue to go about their business uninterrupted, and this makes it different from most other CAPTCHAs.
But honeypots are not foolproof. Some browsers, like Safari, autofill forms, and some bots are smart enough to get around this trick.
To implement the Honeypot technique, you simply need to add a hidden field to the form that you are protecting from spam. You can give the field any name you want. Then using CSS, add the rule “display:none”, and this will hide it from human visitors.
If a submission comes in that has filled out the hidden field as well as the other fields, you will immediately know it was filled in by a bot.
Social Account Sign-In
More sites are now providing users with the option of signing up using their social accounts, and this might be a good option for your site.
Rather than asking users to create a username and password, you can allow them to simply use their Facebook or Google account to sign up in a few clicks without having to enter any information, providing a verified sign-in. Another popular tool is Disqus for blog comments.
These all provide a defense against bots because people have to have another account tied to their name in order to sign up.
While this is becoming increasingly common, it isn’t a complete replacement for the CAPTCHA. It is mainly used to save the user time when signing up to a website or leaving a comment on a blog. It is not typically used when sending a message via a contact form.
Also, while it’s quick and easy, some users will be concerned about linking their social sites with a new site they are not familiar with, which might be off-putting.
To add a Facebook sign-in to your site, you will need to create a Developers Account on Facebook and create an app following the instructions. Read a guide to learn how.
Find out how to integrate a Google sign-in using this guide from Google.
Confident Captcha
Confident Captcha is another image-based CAPTCHA that has been developed by Confident Technologies, and it claims to have a 96% solve rate.
The CAPTCHA works by presenting a selection of images and then asking the user to carry out an instruction (e.g., including one image of a hat among other images and then presenting the challenge: “Click on the hat”).
One of the key differences with this CAPTCHA is that website owners can monetize it and earn revenue using CAPTCHA advertising, turning a frustrating necessity into a way to earn money.
Time-Based CAPTCHA
Time-based CAPTCHAs work on a simple principle. This system simply times how long it takes for a user to fill out a form, and from this it can judge whether the user is a human or a bot.
The way this works is that bots tend to fill out forms instantly, while humans usually take a few seconds to type in the required information. It is therefore relatively easy to determine if a bot is being used.
If you use WordPress, you can find out how to implement a time-based CAPTCHA in this guide.
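The honeypot field and the time-based check described above both have to be enforced on the server, and the render time has to be signed so a bot cannot simply backdate it. This added example, which is not code from the original article, combines the two in Python; the field names `website`, `ts` and `sig`, the key and the thresholds are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: real key comes from server config
HONEYPOT = "website"              # hypothetical name for the hidden decoy field
MIN_SECONDS = 3                   # assumption: fastest plausible human fill time
MAX_SECONDS = 3600                # assumption: older forms are treated as stale

def sign(ts: str) -> str:
    """HMAC the render time so the client cannot backdate it."""
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def render_form(now=None) -> str:
    """Form HTML with a display:none honeypot and a signed render timestamp."""
    ts = str(int(time.time() if now is None else now))
    return (
        '<form method="post" action="/contact">\n'
        '  <input name="email" type="email">\n'
        '  <textarea name="message"></textarea>\n'
        f'  <input name="{HONEYPOT}" style="display:none" autocomplete="off">\n'
        f'  <input name="ts" type="hidden" value="{ts}">\n'
        f'  <input name="sig" type="hidden" value="{sign(ts)}">\n'
        '  <button>Send</button>\n'
        '</form>'
    )

def check_submission(fields: dict, now=None) -> str:
    """Classify a parsed POST body: 'ok' or the reason for rejection."""
    now = time.time() if now is None else now
    if fields.get(HONEYPOT, "").strip():
        return "honeypot-filled"      # humans never see this field
    ts, sig = fields.get("ts", ""), fields.get("sig", "")
    if not hmac.compare_digest(sign(ts).encode(), sig.encode()):
        return "bad-timestamp"        # missing or tampered render time
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return "too-fast"             # filled in faster than a person types
    if elapsed > MAX_SECONDS:
        return "expired"
    return "ok"
```

Because browser autofill can populate a hidden field for a real visitor, a site may prefer to hold `honeypot-filled` submissions for review rather than discard them silently.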
Biometrics
As technology improves, new types of CAPTCHAs are likely to be developed, and one of these could come in the form of biometrics.
For example, more smartphones and notebooks are now coming with built-in fingerprint sensors. These are currently used in different situations when the user has to confirm their identity, such as when they make a purchase, getting rid of the need for passwords.
While fingerprints are not being used as CAPTCHAs yet, it’s easy to see how biometrics could become a standard way for humans to prove they are who they say they are in the future.
As such, fingerprint scanners (and facial scanners like the one used in the iPhone X) might one day take over from the CAPTCHAs we use today.
Which Version Is Best for Your Website?
As you can see, there are plenty of CAPTCHA versions available to choose from. So which one is right for your site?
A gamified version might be ideal for your brand. But you might prefer to stick with the safer option and use Google’s No CAPTCHA reCAPTCHA, which web users are becoming increasingly used to seeing.
If the Invisible reCAPTCHA proves to be effective, this could become the standard for most websites because it does not generate any friction with users.
You might want to test out a few options on your site. You might even ask your customers for feedback to find out which option they would prefer, which could help you to decide on the right CAPTCHA for your business.
Pico
July 11, 2019
I do believe trying to distinguish between bot and human is by far the best way forward. All methods server-side for preventing brute-force attacks have deep flaws, e.g. locking out genuine users, confirmation by denial, bandwidth use. The client is the weak point, the human.