CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response mechanism that attempts to distinguish between human users and automated bots. It protects websites from spam, abuse, credential stuffing and other automated threats.
How CAPTCHA Works
CAPTCHAs present a challenge that is (in theory) easy for humans to solve but difficult for automated software:
- Image recognition — "Select all images containing traffic lights". Based on the assumption that computer vision struggles where humans succeed.
- Distorted text — Recognise and type warped letters and numbers.
- Math problems — Simple arithmetic solvable by humans instantly but requiring programmatic handling by bots.
- Invisible CAPTCHA (reCAPTCHA v3) — Analyses behaviour patterns in the background, assigning a risk score without any visible challenge.
Types of CAPTCHA
- Google reCAPTCHA v2 — The "I'm not a robot" checkbox. Falls back to image challenges for suspicious traffic.
- Google reCAPTCHA v3 — Invisible. Returns a score (0.0–1.0). The site decides the threshold for allowing/blocking actions.
- hCaptcha — Privacy-focused alternative to reCAPTCHA. Used by Cloudflare.
- Math CAPTCHA — Simple custom challenges. Less accessible but avoids third-party dependencies.
- Honeypot fields — Hidden form fields that humans leave empty but bots fill in.
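Acting on a reCAPTCHA v3 score on the server, as an added example (not code from this page or from Google). It assumes the site has already sent the token to the siteverify endpoint and parsed the JSON reply; the thresholds, hostname, token age limit and the three-way allow/challenge/block policy are illustrative assumptions.

```python
from datetime import datetime, timezone

# Assumed policy values, not from the page: tune them against your own traffic.
THRESHOLDS = {"login": (0.7, 0.3), "comment": (0.5, 0.2)}  # (allow_at, step_up_at)
EXPECTED_HOSTNAME = "www.example.com"  # placeholder hostname
MAX_TOKEN_AGE_SECONDS = 120

def decide(resp: dict, expected_action: str, now: datetime) -> str:
    """Map a parsed siteverify response to 'allow', 'challenge' or 'block'."""
    if resp.get("success") is not True:
        return "block"  # token failed verification; ignore every other field
    # Bind the token to this site and this form so a token issued for another
    # hostname or a lower-risk action is not accepted here.
    if resp.get("hostname") != EXPECTED_HOSTNAME:
        return "block"
    if expected_action not in THRESHOLDS or resp.get("action") != expected_action:
        return "block"
    try:  # reject stale or unparseable timestamps
        issued = datetime.fromisoformat(str(resp["challenge_ts"]).replace("Z", "+00:00"))
        if (now - issued).total_seconds() > MAX_TOKEN_AGE_SECONDS:
            return "block"
    except (KeyError, ValueError, TypeError):
        return "block"
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block"  # fail closed on a missing or malformed score
    allow_at, step_up_at = THRESHOLDS[expected_action]
    if score >= allow_at:
        return "allow"
    return "challenge" if score >= step_up_at else "block"

# Constructed sample responses (not real traffic), evaluated at a fixed clock.
NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
BASE = {"success": True, "hostname": "www.example.com", "action": "login",
        "challenge_ts": "2024-05-01T12:00:30Z", "score": 0.9}
SAMPLES = {
    "high score": BASE,
    "middling score": {**BASE, "score": 0.4},
    "low score": {**BASE, "score": 0.1},
    "token minted for another action": {**BASE, "action": "comment"},
    "stale token": {**BASE, "challenge_ts": "2024-05-01T11:50:00Z"},
    "verification failed": {"success": False, "error-codes": ["invalid-input-response"]},
}

def run_samples() -> dict:
    return {name: decide(r, "login", NOW) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:9}  {name}")
```

A "challenge" verdict here stands for whatever step-up the site uses, such as a visible challenge or an extra verification step.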
Accessibility
CAPTCHAs are known to create barriers for users with visual impairments or cognitive disabilities. Audio alternatives and invisible CAPTCHAs reduce friction while maintaining protection.