6 reasons why your website needs a captcha form [updated for 2021]

[Updated for 2021]

It’s thought that as many as 200 million captcha tests are completed online every day. If you’ve not got a captcha test on your own website, here’s everything you need to know about them and how they can benefit your business or blog.

What is a captcha form?

The word captcha is actually an acronym that stands for ‘completely automated public Turing test to tell computers and humans apart’. Quite a mouthful isn’t it?

What this means, in a nutshell, is that a captcha test is a tool that helps to distinguish a human user from a computer user online.

Captcha tests are often added to websites to stop them from receiving spam through the likes of contact forms.

What do captcha forms look like?

The original form of captcha tests, invented in the late 1990s, took the form of a panel of obscured letters or numbers. The letters were obscured by blurring, stretching or warping. It would then be the internet user’s task to identify these letters and type them into a separate area of the form. If they interpreted the letters correctly, they passed the test.

Since the nineties, other forms of captcha tests have emerged. Sometimes, users will be shown an image with a grid over the top. They’ll then be asked to identify all areas of that grid that contain a certain feature – such as a street sign or a part of a parked car. Users can also be asked to pick out specific words from a piece of text. This text is usually presented as a scanned page from a book or other publication.

Some captchas are presented as simple sums, such as 4+1, as well. Plus, audio captchas exist for people with vision impairments.

Most recently, Google started offering a captcha service called reCAPTCHA. The tech behind this test is a little bit more inquisitive than the that behind the original captchas.

reCAPTCHA recognises that people can sometimes feel like they’re wasting their time filling in a captcha form. So, when a user arrives at a web page reCAPTCHA analyses the behaviour of that user to see how human-like it is.

If the reCAPTCHA service deems the behaviour to be pretty life-like, it won’t serve up a complete captcha test. It will only ask the user to tick a box to confirm ‘I am not a robot’. If there’s anything robotic about the way the user interacts with a page, however, they’ll be asked to solve a more complicated captcha test.

How do captcha tests work?

At present, computer programmes lack the sophistication that humans have when it comes to processing visual data. Human minds are hard-wired to pick up on patterns in everything they see. People often see patterns where they are none – such as a face in the moon or the outline of Elvis on a burnt bit of toast. This phenomenon is called pareidolia.

Computers, meanwhile, can be programmed to recognise letters and numbers. However, they stop recognising them when they are obscured or distorted too much.

What are the benefits of a captcha form?

Essentially captchas deter hackers from abusing online services because they block robot software from submitting fake or nefarious online requests.

Captcha tests can be used to…

• Protect the integrity of online polls by stopping hackers using robots to send in repeated false responses.
• Stop brute force attacks on online accounts in which hackers repeatedly try to log-in using hundreds of different passwords.
• Prevent hackers from signing up for multiple email accounts that they’ll then go on to use for nefarious purposes.
• Stop cyber criminals spamming blogs or news content pages with dodgy comments and links to other websites.
• Prevent ticket touts from using robots to bulk buy tickets for shows and gigs.
• To make online shopping more secure.

How have organisations suffered as a result of not having a captcha form?

There are a few case studies of organisations and businesses who have suffered as a result of not having captcha forms on their websites. One of the earliest cases dates back to the late nineties when social news website Slashdot published a poll asking visitors to vote for the best computer science graduate course in the USA.

Students from two universities – Carnegie Mellon and MIT – used automated programs to vote repeatedly for their respective schools, and the poll became skewed and useless.

More damagingly, in 2013 big supermarket brand Target suffered from a data breach that affected 70 million people.

Commenting on the breach, Rocket Digital reported: “When Target hired a security company to investigate, one of the leading theories was that the breach was caused by malicious email – specifically a phishing email that went after their customer base.

“They had a vendor portal that did not have a captcha or any kind of human verification in place, so a bot was able to get into the system and start transmitting data back to people who weren’t supposed to have it.

Criticisms of captcha forms [new content]

A number of criticisms have been levelled at captcha forms over the years.

The first criticism is that captcha forms detract from the user experience on a website. They’ve been called annoying and, in some cases, users may decide they are so frustrating that they’d rather leave the site they’re on entirely, rather than complete the captcha.

The second big criticism of captcha forms is that they’re not very accessible. The lion’s share of captcha forms require the user to be able to see.

Audio alternatives to captchas are available but one study by the National Federation for the Blind found that blind people were only able to complete these audio captchas 46 per cent of the time.

More recently, Google’s reCAPTCHA technology has been attacked for consuming too much data. In April 2020 big security brand Cloudflare announced that it would be moving from using Google’s reCAPTCHA to using hCaptcha saying:

“hCaptcha don't sell personal data; they collect only minimum necessary personal data and they are transparent in describing the info they collect and how they use and/or disclose it.”

On top of this, cyber criminals are starting to use captcha forms themselves. Digital technology magazine Ars Technica recently reported:

“Microsoft recently spotted an attack group distributing a malicious Excel document on a site requiring users to complete a CAPTCHA, most likely in an attempt to thwart automated detection by good guys.”

How do I add a captcha form to my website?

If your website is based on WordPress, you can add a captcha plugin to your site.

There are lots of options in the WordPress plugin directory, but you’ll want to choose one that has been updated recently and has a decent amount of active installations – like reCaptcha by BestWebSoft.

For other websites, you might need a little bit of tech experience, in the form of HTML knowledge, to add a captcha to your website.

If your business has its own web development team then they can do it easily and quickly in-house, or you can contact your web designer to complete the task for you.

Google offers developers detailed instructions on how to install a reCAPTCHA, for free, on its help pages. hCaptcha also features a developer guide on its site.

The future of captcha? [new content]

As bots become more sophisticated, captchas will need to keep up.

Industry commentators suggest that an element of gamification may need to be added to captchas of the future – although this doesn’t solve the accessibility issue. Other experts suggest that captchas may eventually be replaced altogether with biometric checks – such as quick eye scans.

Need more protection for your website?

Check out our Sucuri website security product. With prices starting at just £4.99 a month, it polices websites for malware and purges any it detects. Find out more on our Security Pages.