Sign in to save

Bookmark this page so you can find it later.

Sign in to save

Bookmark this page so you can find it later.

A CAPTCHA is a test that helps a website tell whether a visitor is likely to be a human or an automated program. This matters because bots can create fake accounts, scrape data, spam comments, guess passwords, and overload services. CAPTCHA systems add a small challenge or risk check before allowing an action, such as logging in or submitting a form.

The goal is to block many automated attacks while keeping the task quick for real users.

Key Facts

  • CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
  • A basic decision rule is allow if score >= threshold and challenge if score < threshold.
  • False positive rate = human users blocked / total human users.
  • False negative rate = bots allowed / total bot attempts.
  • Total error rate = false positives + false negatives, when both are counted as fractions of all attempts.
  • CAPTCHAs often use image recognition, distorted text, behavior signals, device signals, or risk scores.

Vocabulary

CAPTCHA
A CAPTCHA is an automated test used by websites to distinguish likely human users from automated bots.
Bot
A bot is a software program that performs actions automatically, often much faster than a human.
Challenge
A challenge is the task given to a user, such as selecting images or typing distorted text, before access is granted.
Risk score
A risk score is a numerical estimate of how likely a visitor is to be a bot based on signals such as behavior and device data.
False positive
A false positive happens when a real human is incorrectly treated as a bot.

Common Mistakes to Avoid

  • Thinking CAPTCHA proves someone is human with 100 percent certainty is wrong because it only estimates likelihood using a challenge or score.
  • Assuming harder CAPTCHAs are always better is wrong because they can block or frustrate real users, especially people with disabilities or slow connections.
  • Ignoring false positives is wrong because a security system that blocks many real users can harm access and trust even if it stops bots.
  • Treating CAPTCHA as the only security layer is wrong because attackers can use machine learning, human solving services, or stolen accounts to bypass it.

Practice Questions

  1. 1 A website receives 10,000 login attempts in one hour. If 2,500 are bots and the CAPTCHA blocks 92 percent of bot attempts, how many bot attempts are stopped?
  2. 2 A CAPTCHA system challenges 1,200 real users and incorrectly blocks 36 of them. What is the false positive rate as a percent?
  3. 3 A site lowers its CAPTCHA threshold so fewer visitors see a challenge. Explain one benefit and one security risk of this change.