A CAPTCHA is a test that helps a website tell whether a visitor is likely to be a human or an automated program. This matters because bots can create fake accounts, scrape data, spam comments, guess passwords, and overload services. CAPTCHA systems add a small challenge or risk check before allowing an action, such as logging in or submitting a form.
The goal is to block many automated attacks while keeping the task quick for real users.
Key Facts
- CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
- A basic decision rule is allow if score >= threshold and challenge if score < threshold.
- False positive rate = human users blocked / total human users.
- False negative rate = bots allowed / total bot attempts.
- Total error rate = false positives + false negatives, when both are counted as fractions of all attempts.
- CAPTCHAs often use image recognition, distorted text, behavior signals, device signals, or risk scores.
Vocabulary
- CAPTCHA
- A CAPTCHA is an automated test used by websites to distinguish likely human users from automated bots.
- Bot
- A bot is a software program that performs actions automatically, often much faster than a human.
- Challenge
- A challenge is the task given to a user, such as selecting images or typing distorted text, before access is granted.
- Risk score
- A risk score is a numerical estimate of how likely a visitor is to be a bot based on signals such as behavior and device data.
- False positive
- A false positive happens when a real human is incorrectly treated as a bot.
Common Mistakes to Avoid
- Thinking CAPTCHA proves someone is human with 100 percent certainty is wrong because it only estimates likelihood using a challenge or score.
- Assuming harder CAPTCHAs are always better is wrong because they can block or frustrate real users, especially people with disabilities or slow connections.
- Ignoring false positives is wrong because a security system that blocks many real users can harm access and trust even if it stops bots.
- Treating CAPTCHA as the only security layer is wrong because attackers can use machine learning, human solving services, or stolen accounts to bypass it.
Practice Questions
- 1 A website receives 10,000 login attempts in one hour. If 2,500 are bots and the CAPTCHA blocks 92 percent of bot attempts, how many bot attempts are stopped?
- 2 A CAPTCHA system challenges 1,200 real users and incorrectly blocks 36 of them. What is the false positive rate as a percent?
- 3 A site lowers its CAPTCHA threshold so fewer visitors see a challenge. Explain one benefit and one security risk of this change.