What is CAPTCHA? How Do CAPTCHAs Work to Stop Spam?

Solving CAPTCHAs can seem like playing an endless game of “I Spy”. Everyone who’s tried to fill out a form on a website knows the feeling of being deemed a robot by these digital bouncers.  

Since the early 2000s, CAPTCHAs have been asking us to prove our humanity by identifying squiggly letters, solving random puzzles, and identifying all manner of real-world items, from bicycles to traffic lights. 

They’re a big deal on the web. BuiltWith found a CAPTCHA on at least one-third of the top one million active websites. 90% of those were using Google’s reCAPTCHA service. 

In this article, we’ll look at what CAPTCHAs are and some of the different versions available. We’ll review a brief history of CAPTCHAs, explore how they work, and consider whether CAPTCHAs really help sites control spam and bots. Then, we’ll see how CAPTCHAs compare to services like Akismet, which keeps spam and bots at bay without requiring users to decipher twisted texts or grainy images. 

What are CAPTCHAs? How do they work? 

CAPTCHAs are used to distinguish between humans and bots. The name stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

The idea of using Turing tests to deal with spam was developed in the late 1990s and was first used commercially by idrive.com and then-fledgling company PayPal. The term was officially coined by Luis von Ahn and his colleagues at Carnegie Mellon University in 2003, though other researchers mentioned it in published papers as early as 2001.

CAPTCHAs are based on the idea that some simple human tasks are quite difficult for computers to do, like recognizing distorted text, images, and even audio. Most CAPTCHAs are two-step tests:  

  1. The website generates some random string of characters or images and embeds them in a webpage. The text and images are usually distorted to make them harder for optical character recognition (OCR) software to read. Images are usually categorized by theme, like animal, vehicle, or streetlights. 
  2. The website asks the user to either enter the right characters or select the images according to some criteria, like “click on all images that contain a streetlight”. If the user’s response matches the answer, they pass the test.  
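The two steps above, sketched from the server's side as an added example (not code from any CAPTCHA product). The function names, the token layout and the 120-second lifetime are assumptions; the sketch shows what the site has to enforce beyond comparing strings: the answer never travels in the page, every challenge expires, and every challenge is good for one attempt only.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)         # server-side only, never sent to the browser
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # look-alike characters (0/O, 1/I) left out
TTL_SECONDS = 120                            # assumed challenge lifetime
_used_nonces = set()                         # demo store; a real site needs a shared store with expiry


def _mac(nonce, expires, answer):
    """Bind the expected answer to this nonce and expiry without exposing it."""
    msg = f"{nonce}|{expires}|{answer.upper()}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None, length=6):
    """Step 1: pick a random string and return (answer, token).

    The answer goes only to the image renderer that distorts it;
    the token goes into a hidden form field next to the image.
    """
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    nonce = secrets.token_hex(16)
    expires = int(now) + TTL_SECONDS
    return answer, f"{nonce}.{expires}.{_mac(nonce, expires, answer)}"


def verify_response(token, response, now=None):
    """Step 2: check what the user typed. Returns (passed, reason)."""
    now = time.time() if now is None else now
    try:
        nonce, expires_s, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False, "malformed"
    if now > expires:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "replayed"
    # Burn the nonce on the first attempt, right or wrong, so one challenge
    # cannot be guessed at repeatedly or solved once and reused.
    _used_nonces.add(nonce)
    if not hmac.compare_digest(_mac(nonce, expires, response.strip()), mac):
        return False, "wrong"
    return True, "ok"
```

A wrong answer means the site must issue a fresh challenge, since the old token is already spent.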

CAPTCHAs are used to stop bots from spamming, abusing, and attacking websites. Bots are programs that can do things repetitively online, like create a new account, enter a new comment, scrape (steal) content, or even gather email addresses. 

Businesses sometimes rely on CAPTCHAs to filter out bots from real human interactions to save administrative time and performance bandwidth. Keeping spam at bay can also contribute to a safer environment for both visitors and the assets of the business itself.

The history of CAPTCHA  

There’s a bit of controversy around the history of CAPTCHAs in the U.S. This is mostly because researchers worked on the idea of using Turing tests to handle spam and abusive bots years before any patents were filed, research papers were published, or CAPTCHA became a common term. 

The creation of CAPTCHA

CAPTCHAs were first introduced on websites in the early 2000s, but the concept was born in 1996, when Digital Equipment Corporation (DEC) created a site for opinion polls and instead was inundated with votes from spambots.

To combat this unexpected issue, they tried to use a distorted U.S. flag image, and asked users to click on it to verify they were humans. It worked at first, but over time, the bots outsmarted the test.

DEC worked with other scientists to turn that idea into a reverse Turing test — something that was easy for humans, but hard for machines. They eventually defeated the bots (for a little while, anyway) by using distorted characters on the screen.  

In 1997, search engine AltaVista had a similar issue with bots overwhelming their submission form to add new websites to their library. The AltaVista team developed an automated system to generate an image of printed text randomly, which was distorted enough that optical character recognition software couldn’t read it.  

They were victorious against the bots, with their system reducing the number of spam URLs by 95% within that first year. It was also the first time an automated system was known to be able to tell humans from machines.

What’s a Turing test?

The Turing test is named after Alan Turing, a British mathematician who wanted to be able to evaluate a machine’s ability to act intelligently (a precursor to our understanding of artificial intelligence). 

Turing’s test is a way to see if a computer can act like a human. The tester (human) asks questions to both a computer and another human without knowing who is giving each response. 

If the tester can’t tell the difference between the two, the machine is deemed to have passed the test.  

CAPTCHAs rely on the idea of a reverse Turing test, where the machine tries to tell the difference between another machine (or bot) and a human.  

How CAPTCHA got its name

Engineer and researcher Luis von Ahn and his team at Carnegie Mellon University worked on the idea of using a Turing test to defeat the bots by expanding on DEC’s and AltaVista’s work. They distorted random letters and numbers using software, embedded the result in the webpage, and asked users to show they were human by completing the simple test. They coined the term “CAPTCHA”, which stood for “Completely Automated Public Turing test to tell Computers and Humans Apart”. 

The evolution of CAPTCHA

CAPTCHAs continued to evolve, from using just text, to images, to a combination of the two, and then even multiple images and text. Engineers and researchers at universities and companies used different types of CAPTCHA tests with varying levels of effectiveness.  

The earliest version of CAPTCHA used distorted text, a combination of text and numbers, in tests. At the time, this was a big deal because it was easy for humans to figure out, but automated bots encountered significant difficulty.  

In 2009, Google bought the CAPTCHA technology and created reCAPTCHA. reCAPTCHA was groundbreaking for a couple of reasons — it used new ways of testing people’s humanity, and it turned those tests into productive contributions to larger projects (essentially crowdsourcing work through millions of tiny tests). 

The rise of reCAPTCHA

reCAPTCHA pushed the boundaries of automated testing and offered new options to website owners who wanted a more user-friendly process for visitors to prove their humanity. It also added auditory CAPTCHA options to increase accessibility.  

More controversially, Google used reCAPTCHA as part of its digitization project.

They created a two-part CAPTCHA. The first part was like the original, but the second part used letters or whole words from text the machine was translating from old books and newspapers. 


If a user passed the first part — proving their humanity — it also accepted their second contribution (the translation) as accurate. 

In this way, Google outsourced the digitization of old books and newspapers with minimal labor costs. 

As with anything on the internet, spammers and other bad actors eventually found ways to counter CAPTCHAs and other security features. With the use of increasingly smart artificial intelligence (AI) options, bots were eventually able to figure out most CAPTCHAs with 99.8% accuracy, according to Google. In 2014, Google announced the now infamous (and sometimes dreaded) “Are you a human?” checkbox as part of its reCAPTCHA improvements. 


reCAPTCHA rose to the challenge and over the next several years grew in popularity among websites that used CAPTCHAs. In fact, of sites that use some sort of CAPTCHA, reCAPTCHA is used 90% of the time.

Types of reCAPTCHA

Today, websites can choose from two main versions of reCAPTCHA (v1 support was dropped in 2018).


reCAPTCHA v2 

This version of reCAPTCHA has two primary options, one that includes the “I’m not a robot” checkbox and another with an invisible reCAPTCHA badge.  

  • reCAPTCHA v2 with the “I’m not a robot” checkbox. This version analyzes the user’s behavior on a page and makes an automated determination to tell if they’re a human. If the user passes, it will include the “I’m not a robot” checkbox alone. If the user’s behavior is suspicious — indicating they may be a bot — they’ll need to complete a test (usually an image or puzzle challenge) before being given a chance to click to confirm they are, in fact, human.  

  • reCAPTCHA v2 with the invisible reCAPTCHA badge. This version uses a JavaScript API call to look at combined behavior for a user to determine if they’re human. If they pass, based on the algorithm, they are passed silently. Only users who fail will receive a challenge.  

reCAPTCHA v3 

This version is the newest and most subtle option for website owners. With it, visitors will rarely even know their humanity is being judged in the background. It uses a JavaScript API (like v2) but is more advanced. It scores users based on different actions they make in the browser or on the page. 

Based on their score, users are silently approved (or failed with no recourse, which causes confusion). This version allows developers to customize the integration to meet their needs.  
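How a site might act on a v3 score without failing people silently, as an added example (not Google's code or the article's). It evaluates the JSON that the reCAPTCHA `siteverify` endpoint returns; the sample response, the thresholds, the 120-second age limit and the `decide` function are constructed for illustration.

```python
from datetime import datetime, timezone

ALLOW_AT = 0.7         # assumed thresholds: tune them from your own traffic
CHALLENGE_AT = 0.3
MAX_TOKEN_AGE_S = 120  # assumed freshness window for a token

# Constructed sample of a successful siteverify response.
SAMPLE = {
    "success": True,
    "score": 0.9,
    "action": "comment",
    "challenge_ts": "2024-01-01T12:00:30Z",
    "hostname": "example.com",
}


def decide(result, expected_action, expected_hostname, now):
    """Map a siteverify result to (decision, reason).

    Decisions: allow, challenge (show an interactive test), hold
    (queue for moderation), block (the token itself is not trustworthy).
    """
    if not result.get("success"):
        codes = ",".join(result.get("error-codes", [])) or "unknown"
        return "block", f"token rejected: {codes}"
    # A token minted for another form or another site must not count here.
    if result.get("action") != expected_action:
        return "block", "token was issued for a different action"
    if result.get("hostname") != expected_hostname:
        return "block", "token was issued on a different site"
    try:
        issued = datetime.fromisoformat(result["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return "block", "missing or unreadable timestamp"
    if (now - issued).total_seconds() > MAX_TOKEN_AGE_S:
        return "challenge", "token too old; ask the user to retry"
    score = float(result.get("score", 0.0))
    if score >= ALLOW_AT:
        return "allow", "score above allow threshold"
    if score >= CHALLENGE_AT:
        # Middle band: give a real person a way through instead of a silent failure.
        return "challenge", "uncertain score; show an interactive challenge"
    return "hold", "low score; queue for moderation and tell the user"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
    for score in (0.9, 0.5, 0.1):
        print(score, decide({**SAMPLE, "score": score}, "comment", "example.com", now))
```

Returning a reason alongside every decision lets the form tell a rejected visitor what to do next.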

Different types of CAPTCHA (beyond reCAPTCHA) 

Besides reCAPTCHA, there are other types of CAPTCHAs that websites harness to verify human users and prevent automated bots from abusing their services. Here are some of the most common ones: 

Image-based CAPTCHA

These CAPTCHAs require users to find and select images that match a given category or query. For example, people may be asked to click on all the pictures that contain cars or animals.  


These CAPTCHAs can be more user-friendly and accessible than text-based ones, but they may also pose challenges for visually impaired users. Moreover, image recognition algorithms can sometimes defeat these CAPTCHAs by using machine learning techniques.

Logic-based CAPTCHA

These CAPTCHAs test users’ logical reasoning by asking them to solve simple puzzles or answer questions. For example, visitors may be asked to solve math problems, complete word games, or “find the odd one out”. These CAPTCHAs can be more engaging and fun than other types, but they may also exclude users with cognitive differences or who are not familiar with the language or culture of the website’s primary audience. 

Audio-based CAPTCHA

These CAPTCHAs serve an audio clip that has a series of numbers or letters that users need to type in. These CAPTCHAs are designed to accommodate those who have difficulty seeing or interpreting text, but they may also be hard to hear or understand for users in noisy environments or who have hearing impairments. So, these audio CAPTCHA tests can cause more accessibility issues than they solve. 

How do CAPTCHAs work to stop spam? 

The whole purpose of CAPTCHAs is to root out automated programs or malicious bots so that they can’t spam or abuse websites and online services. For example, CAPTCHAs can prevent bots from creating fake accounts, sending unwanted messages, posting malicious links, filling out forms, or accessing and stealing restricted content.  

So, while it can be annoying, requiring users to prove their humanity helps reduce the amount of spam and increase the performance of online platforms and the security of everyone involved.

CAPTCHAs rely on the assumption that human and machine intelligence have different capabilities and limitations. For instance, humans recognize different patterns than machines. Most humans can easily identify objects, faces, emotions, or voices in noisy or distorted inputs. On the other hand, machines can perform calculations, store information, and process data faster (and usually more accurately) than humans.  

However, CAPTCHAs are not infallible. Remember, Google’s own research showed that AI could solve CAPTCHAs a vast majority of the time. 

The inaccessibility of CAPTCHAs 

CAPTCHAs are designed to prevent automated bots from accessing websites or services that require human verification. Unfortunately, they often prove inaccessible for humans. Who hasn’t selected all the traffic lights in each image only to be told they were wrong?

They also pose a significant barrier for those with different abilities, who may not be able to solve them due to visual, auditory, cognitive, or motor impairments. 

CAPTCHAs are often inaccessible, even to real human users. For example: 

  • Users with visual impairments may not be able to see or read the distorted text or images that are sometimes used in CAPTCHAs.  
  • Those with color blindness may not be able to differentiate the foreground and background colors.  
  • People with dyslexia or other learning disabilities may not be able to decipher the scrambled letters or words.  
  • Visitors with hearing impairments may not be able to interpret the audio-based CAPTCHAs.  
  • Individuals with motor impairments may not be able to use a mouse or keyboard to select or type the correct answer.  
  • Users with low bandwidth or slow internet connection may not be able to load the CAPTCHA in time or at all. 
  • People who use screen readers or other alternative communication devices might not pass automatic CAPTCHAs since their activity online differs significantly from other users. For example, they might use the tab key to skip to different areas on the page, ignore some elements entirely, or have the content read to them, which affects how they scroll through the web page.

These challenges can result in frustration, fatigue, and exclusion for users with disabilities. This severe impact on accessibility directly works against many organizations’ stated goals of inclusion. And from a purely business standpoint, it reduces the potential customer base for an organization’s product or service. 

Other limitations of CAPTCHAs 

An inconvenient user experience 

CAPTCHAs interrupt user interaction and force visitors to perform tasks that aren’t related to their goals. This can annoy and frustrate people, especially if the CAPTCHAs are hard to solve, take too long, or appear repeatedly. CAPTCHAs can be confusing or unclear for users who are not familiar with the language or the content of the challenges.

Inadequate spam prevention

The whole point of using CAPTCHAs is to stop malicious bot activity. But research shows that CAPTCHAs don’t always work. And even when they do, they come with side effects businesses don’t like.  

CAPTCHAs can be defeated by sophisticated bots that use computer vision, machine learning, or artificial intelligence to crack the challenges. Some newer AI tools, like GPT-4, have even been used to solve CAPTCHA challenges.

reCAPTCHA v2, which relies on behavioral analysis and risk scores, can be fooled by bots that mimic human actions and mouse movements. Additionally, there are online services that offer to solve CAPTCHAs for a fee, either by using automated software or by employing low-paid human workers. These services can be used by spammers, hackers, or malicious actors to bypass CAPTCHAs and access restricted websites or resources. 

Poor conversion rates and user engagement 

CAPTCHAs can negatively impact the functionality and profitability of websites, especially when it comes to user registration, online transactions, or user-generated content. CAPTCHAs add a step, creating friction in the user journey. As a result, this can reduce the number of people who sign up, purchase, or comment. 

Using CAPTCHAs reduces not only spam, but also conversion rates, customer loyalty, and revenue.  

A Stanford study found that conversions can drop by up to 40% with a CAPTCHA challenge. 

So, if CAPTCHAs aren’t the best option, what is? 

Akismet: a superior alternative to CAPTCHA technology

CAPTCHAs aren’t always effective at stopping bots — their primary job — and negatively impact engagement and conversions from real humans. So, are there other options?  

Akismet is a simple-to-implement solution to handle not only spam comments, but spam form submissions, and even spam user registrations.  

Since its launch in 2005, Akismet has blocked over 500 billion pieces of spam. It uses machine learning technology that has a 99.99% accuracy rate in identifying spam. It’s also constantly learning from the more than one hundred million sites that use its service. 


How Akismet works 

Akismet works behind the scenes, without requiring any input or action from the user. It automatically filters out spam and bot comments, trackbacks, pingbacks, contact form submissions, and other unwanted content.

It does all of this by comparing each submission to its massive database of known spam patterns and behaviors, continuously being refined by a network of over 100 million sites.

These anti-spam activities happen in the cloud, meaning they don’t impact your site’s performance. 

Akismet is popular for sites using WordPress and works with numerous plugins like Jetpack, Contact Form 7, Gravity Forms, and WooCommerce.  

However, Akismet has an incredibly flexible API that also allows it to be integrated into any application.

Akismet simply works. And even if the algorithm does make a mistake (it’s bound to happen 0.01% of the time) and accidentally flags a comment or contact form message as spam, website administrators can see it in the dashboard and immediately address the problem. So, it learns from any mistakes it makes. 

Plus, if your business needs a custom solution, Akismet’s enterprise team stands ready to help.


Comparing Akismet and CAPTCHA

While Akismet and CAPTCHAs work very differently, it’s worth comparing a few important features:  

  • CAPTCHAs force visitors to prove they’re human, while Akismet works behind the scenes, requiring no input or action from the user.  
  • CAPTCHAs require people to complete a challenge, like identifying images or typing distorted text. Akismet doesn’t interrupt or annoy users with any extra steps. 
  • CAPTCHAs can reduce conversion rates and user satisfaction, as well as exclude visitors with disabilities or low bandwidth. Akismet doesn’t affect the accessibility or usability of the site.  
  • CAPTCHAs often make mistakes that website owners never even know about. Akismet, on the other hand, has a dashboard on the backend of the website where any mistakes can be seen and corrected. And it learns from any mistakes it makes.  

CAPTCHA or Akismet — the choice is clear 

You definitely need something to protect your site from spam. So, should you opt for CAPTCHAs’ proof of humanity tests or Akismet’s behind-the-scenes, low-friction solution?

CAPTCHAs are no longer the best way to protect your site from spam and bots. They annoy, exclude, and discourage visitors, making them less likely to engage with your content or services. 

But Akismet stops many different kinds of spam with near perfect accuracy! And it doesn’t make users jump through hoops. The result is better engagement, higher conversion rates, and a healthier business and community. 


Frequently asked questions 

Want to know more about CAPTCHAs? We’ve got answers below. 

What does CAPTCHA stand for? 

CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.”

Who invented CAPTCHA? 

Engineer and researcher Luis von Ahn and his team at Carnegie Mellon University are largely credited with advancing and naming CAPTCHA as we know it today. However, Digital Equipment Corporation (DEC) and AltaVista used more primitive versions in the years leading up to Luis Von Ahn’s work. 

What are the most common use cases for CAPTCHA?

CAPTCHAs were most commonly used to stop automated bots from performing damaging functions, like flooding comments sections of websites with irrelevant or dangerous content. 

What are the main advantages of CAPTCHA?

There are some clear advantages of CAPTCHA. It can be a somewhat effective way to stop spam comments on your site, comes from a trusted source (it’s a Google service), and is a completely free solution.

What are the main drawbacks of CAPTCHA?

CAPTCHAs are now too simple to detect most bots, as computers have learned to accurately solve the challenges they present. They also disrupt the user experience — causing humans to abandon legitimate efforts. Finally, they add weight to sites, potentially impacting performance.

What is the best alternative to CAPTCHA for spam prevention?

Akismet is, by far, the best alternative to CAPTCHA. Unlike CAPTCHA, it doesn’t require website visitors to take any action on your site to prove their humanity. This makes for an enhanced user experience, better accessibility, and higher conversion rates. At the same time, it’s incredibly accurate, with a 99.99% accuracy rate.

How many websites use Akismet for spam prevention?

Over 100 million websites, across platforms like WordPress, Drupal, phpBB3, and Joomla, use Akismet to stop all kinds of spam without detracting from the user experience.

Are there any case studies of companies that use Akismet?

Yes, absolutely! If you’re interested in reading more, find out how ConvertKit uses Akismet to protect the creator economy from spam. You can also read about how Smitten Kitchen protects their popular blog using Akismet.


Where can I learn more about Akismet?

You’ll find a full list of Akismet features on their site. Most website owners can choose a plan and get started from the pricing page. Representatives for enterprise organizations can learn more about advanced solutions here.