CAPTCHA: people versus computers
On some websites, you may have noticed that you cannot continue to perform any actions or place an order until you solve a set of incomprehensible letters and images. After you carefully examine some wavy lines, decipher the written words and enter the correct phrase (words or numbers) into the empty field, you can continue your actions on the site. This process is intended so that the site can verify that in fact you are person browsing the site.
This test is called CAPTCHA(Completely Automated Public Turing Test to Tell Humans and Computers Apart), and it is used everywhere on the Internet. The ticketing website Ticketmaster is a great example of the use of CAPTCHA: without such a test, a “robot” could potentially buy millions of tickets to a concert or event, and then resell them at a higher price.
Of course, being required to figure out an incomprehensibly written combination of letters and numbers every time we want to do something is a little annoying. And this requires additional time. Every time you need to pass a CAPTCHA test, you waste approximately 10 seconds of your life. This is why CAPTCHA has earned a bad reputation among Internet users, despite the fact that it was created precisely to keep us safe.
CAPTCHA prevents cyber criminals
Louis Von Ahn, one of the creators of CAPTCHA, continues to develop this test within the framework of Google, its new developer. This project has been revived in reCAPTCHA, an extension of the Captcha test that takes words from scanned pages of old books (those words are harder for a computer to recognize). While protecting our safety, the project simultaneously helps “ digitize texts, image annotations, and build datasets for machine learning“... now at least these 10 precious seconds are used for something more worthwhile.
It's great that we help digitize books, but when it comes to Internet security, is CAPTCHA effective?
Google CAPTCHA can be bypassed too easily
A trio of researchers from Columbia University (New York) proved how easy it is to bypass some CAPTCHAs. Such programs make it much more difficult for hackers to use programmed bots to automatically and en masse collect email addresses, which are then used for spam campaigns. But they are not completely reliable. Such processes can be automated, and as a result, computers will be able to pass reCAPTCHA tests as efficiently as you and I.
How many years has Habr existed - for so many years, posts about the next captcha regularly appear on it - be it a picture generation script, a new captcha idea with cats, and the like. The most recent example of a person not quite understanding how a captcha should work (see the text of the post and the latest comments), but at the same time sharing his misconceptions with the community. One gets the feeling that captcha is like this terra incognita for most developers - both for those who simply screw it onto the next form in the hope that it will work out of the box, and for those who come up with captchas like those in which you need to select a picture with a cat from several photos.
The article contains useful information for those who use captcha on their server, instead of relying on a third-party service like reCaptcha.
And for starters - if you think that such a captcha check will work:
if($_POST["captcha"] == $_SESSION["captcha"]) return true; (case example)
then you are deeply mistaken.
Captcha
By its definition, captcha is an automated public Turing test (a test that can be passed by a person, but not by a computer). In the article I will consider the properties of captcha using the example of its most common type - text in a picture, although almost everything written is equally applicable to any type of captcha.Two main properties of captcha
Any captcha must have two properties, without which it will not work:Resistance to recognition- a property that protects captcha from being recognized by an algorithm - for example, a text recognition system. It guarantees that a person can read the text in a picture, but a computer cannot.
Anti-example: the standard captcha of the phpBB 2.x forums did not have this property - due to the relative ease of recognition, scripts appeared that spammed all the forums, forcing webmasters to change the captcha to a more resistant one.
Guess Resistant- a captcha property that does not allow you to guess its value in a small number of attempts (less than 1000). If the set of possible captcha values is small, it will not be difficult for the program to guess it by selection instead of recognition.
Anti-example: arithmetic captcha like “1+2” (searching numbers from 1 to 20 will soon give a result).
Anti-example: choose from several pictures the one that shows a cat.
Captcha check
The value for verification should be stored on the server, and not transmitted along with the image to the browser. To match the visitor and the correct captcha value, you must use a certain key that is transmitted along with the captcha (session ID, captcha number, etc.)Anti-example: if you pass the captcha itself and the value for checking it (including the encrypted one), then a person only needs to recognize such a captcha once and then use the combination “answer” - “value for verification” in his script (via the link at the beginning of the post such a case)
Before checking the answer, you need to make sure that it is not empty. Otherwise, an attacker can, without loading the picture or deleting the current session identifier, pass an empty value and pass the captcha, because two empty strings will be compared (in PHP, a non-existent value is equal to an empty string).
Anti-example: the code I already mentioned if($_POST["captcha"] == $_SESSION["captcha"]) return true;
Moreover, this code was written by an experienced programmer.
After verification, the saved captcha value must be deleted. If you do not do this, the attacker will be able to use this value again an unlimited number of times. Yes, when the page with the form is updated, the captcha is also updated (either when generating the form or when generating the image), but the script may not load the form again (it should be mentioned that this is not relevant if the site uses one-time csrf tokens for forms).
Anti-example: a hypothetical login form in which it is enough to enter the captcha correctly once, and then select the password using a script, avoiding regenerating the captcha on the server.
Bulletproof captcha
Overkill protection. If your captcha is resistant to recognition, but not very resistant to brute force (for example, you only need to read 3-4 digits), it is advisable to limit the number of incorrect answers “from one ip” / “for one login” / etc. Such restrictions must be checked BEFORE checking the captcha itself (that is, even in the case of a correctly entered captcha, if there is a restriction, it should not be considered passed) otherwise it will not prevent brute force.DoS protection. When generating a captcha on your server, you need to understand that this is a convenient vector for carrying out DoS attacks (which, unlike DDoS, can be carried out by any schoolchild). For protection, you can limit the number of captcha generation for one ip, by caching captchas, etc.
Protection against recognition. If you choose a captcha, or suddenly plan to write it yourself, it is advisable to understand which captcha is more protected from recognition. There are ready-made universal captcha recognition scripts that work on the OCR principle, and if spammers are interested in your site, there is a risk that they will use/write a script specifically for your captcha. The latter truth applies more to sites at the Yandex or VK level, but it is advisable to provide an option with protection against banal OCR.
Anti-gate protection. Formally speaking, captcha as a Turing test is not obliged to protect you from anti-gates, since in this case it will be recognized by a person. From a practical point of view, this issue is very relevant and it is necessary to defend ourselves somehow.
There is not and cannot be a “gold standard” (because in this case anti-gates will implement its support), so you are free to supplement the captcha with any tricks to make its recognition through the anti-gate impossible. For example:
- non-standard captcha (assembling a puzzle, rotating an image, clicking on an area in a photo, etc.);
- Cyrillic captcha is the simplest solution, but has a number of disadvantages: it is only suitable for projects with a Russian-speaking audience, there are anti-gates that support the Cyrillic alphabet;
- use of a virtual keyboard next to the captcha to enter non-standard characters or shapes (may be inconvenient for mobile users);
Usability
Do not ask to enter a captcha if you are already convinced that this is a person. Here, however, you need to be careful that the form cannot be used by the script an unlimited number of times after a person has entered the captcha once.Example: registration form. If I register somewhere and forgot to enter the “postal code” field, but entered the captcha correctly, there is no need to show me a new one. Spend 10 minutes trying to save somewhere that a living person is currently trying to fill out this particular form.
To facilitate human recognition: do not use both letters and numbers in the captcha, do not use upper and lowercase letters at the same time, exclude similar characters.
Refusal to use captcha
The best captcha is no captcha. Where you can refuse to use it, this must be done. You may have to implement additional limits and checks for this, but your users will thank you.But here you have to be very careful. For example: a registration form without captcha, with an email field to which an activation letter is sent. Without additional security measures, such a form may be filled with “left” addresses, and your site will be blacklisted by postal services. In this case, you can do without captcha, but only if you have another line of protection, such as an IP limit.
To some, the information in this topic will seem obvious, but if I had not encountered examples of misunderstanding of these simple principles in life, including among experienced fellow developers, I would not have wasted time writing this text.
Every Internet user would like to be aware of all the events and definitions that exist in this virtual space. Knowing the basic definitions, you can easily perform a variety of functions on the Internet and not be scared by every window that pops up. Let's find out what a captcha is and why it is needed during registration.
In order to understand this concept, we need to know its definition, that is, what the word in question is and what it means.
Captcha is called a test type check, generated and also automatic, which checks who the user is, whether he is a computer or a real person.
This check looks like a window in which, at the bottom, there is a distorted image of some numbers and letters, above which there is an empty line where you need to enter this image, having first deciphered it.
Captcha functions
So, we were able to find out and explain in detail what a captcha is, now let’s move on to the question - why is it needed, what is it used for, and can entering a captcha generate income? The fact is that many probably wondered why such a verification test is needed, because it can, on the contrary, reject users from any action.
If you are a user social network VKontakte, you have probably encountered the fact that if you perform certain actions too quickly and often, that is, in a row, for example, comment on 20 photos in a row or like 50 pictures, you will have to enter a captcha, because the system may suspect you of that you are not a real user, but a programmed robot, that is, a program that does certain actions automatically.
When you enter the captcha, you prove to the system that you are not a robot, because robots cannot recognize and draw pictures, and this behavior of yours is just a desire to comment on a lot of photos.
It turns out that captcha is really a forced measure to protect the system from spam, attacks by automatic programs, and increased load.
Despite its purpose, captcha may not always help, because for each lock, sooner or later, you can find the right key, which means this protection system for the resource in question can be hacked.
Register>>>
Hacking the resource protection system
As it turned out, ninety percent of the drawings and images that are issued for entering captcha by the security program can be solved by automatic neural networks. To do this, it is enough to enter several hundred examples manually so that the program can automatically enter such distorted images, without human intervention. We have already found out what a captcha is, so let’s move on to how such programs are trained and make it possible to hack a security program.
Usually, for a low fee, such examples can be prepared by mercenaries who make money by entering captchas all day long; it is they who provide several hundred examples for automating the program in question.
Today there are a number of services on the Internet that, for a fee, will provide you with hacking this security system, that is, recognizing any captcha automatically.
Watch the video - Earn money on captcha. How to make money by entering captcha:
Earn money online by entering captcha All you need is to correctly enter the text from the image (captcha).
You get paid for every captcha you enter.
Register>>>
Types of captcha
To the question what is a captcha, you can answer that it is a picture that need to be recognized and entered, not a completely accurate concept, definition, because it can also be a drawing that needs to be rotated correctly. For example, a duck will be drawn lying on its side. You will need to rotate it so that the picture has a logical appearance, that is, put the duck on its feet. After this action, the computer will make sure that you are a living user and not a robot.
Such a variety of captchas is necessary because there are programs that we discussed above that crack security captchas. This kind of captcha will reliably protect the resource from banners.
There is also a mathematical captcha, this is when the window displays an example that needs to be solved, such a solution, if it is correct. This confirms that you are not a robot, but an ordinary user of the resource. There are very simple examples, such as 1+1, and there are also quite complex ones, involving several actions, it depends on which program you are performing certain actions in or which site you are visiting.
Hello, dear readers of the blog site! Another concept that almost all Internet users encounter sooner or later and which I would like to introduce you to is captcha. I think that many, when registering or logging in to websites (and not only) already had to fill out an additional column.
To successfully complete the process, you usually need to enter numbers, letters or even whole words, depicted in the picture immediately offered, in most cases in a distorted form (using blur, applying various types of effects, etc.).
Such unique puzzles can be anything. For example, it is likely that you will be asked to enter the result of a simple arithmetic operation or to arrange images in a certain order by dragging and dropping.
What is captcha and types of this protection against automated spam
All these ingenious tasks and tests that require the performance of actions inherent to a person are created, of course, for a reason, but pursue a specific goal. Which one? This will be discussed below in this publication.
So, let's try to make things clear right away. The Russian-language word “captcha” comes from the complex English abbreviation CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which in full translation into Russian means “a fully automated public Turing test to recognize computers and people.”
Why was this test designed? The fact is that among them there are not entirely (or even not at all) legal ones, an important part of which is the sending of spam (), which is a real disaster for users of the World Wide Web.
In order to get rich, spammers use all available means to the fullest. For this purpose, they register en masse on various resources, including forums and social networks. For example, in RuNet the VKontakte site is especially popular in this regard (and details about this social network).
However, you can’t find much out of this manually, as you understand. Therefore, representatives of this contingent use software with all their might and use it to set up automatic spam sending. And this is a completely different calico. After all, the program (robot) can work without sleep or rest, and therefore has an undeniable advantage.
This is how an avalanche of spam messages hits users. This method is especially annoying for those who use the Internet professionally, for example, webmasters.
Owners of websites (existing on the Internet) know firsthand how spammers’ products can irritate and unsettle. By the way, at the end of the article I will advise you, in my opinion, the most optimal anti-spam tool at the moment that you can use on your website.
Therefore, it is quite logical that a protective tool appeared in the form of a Turing test called captcha (sooner or later this had to happen), the noble goal of which is to burn out unpunished spam activity in the bud with a hot iron.
Of course, there are positive changes as a result of using CAPTCHA, however, the result is not as rosy as one might expect. Life does not stand still, and therefore there are constantly messages about the development of new software that can bypass any captcha. Demand creates supply, because spammers are not going to give up and abandon their “gold mine”.
In contrast, the mechanisms of various forms of CAPTCHA are also being improved, which we will discuss below. This reminds me of the confrontation between weapons of attack and defense, which has been going on for several centuries.
For example, in response to the use of spears, axes and arrows, armor was invented, armor was invented against projectiles, and then an armor-piercing projectile, and so on. Our world generally develops largely due to the struggle of opposites.
What types of captcha are there?
Well, okay, let’s leave philosophical maxims for now and get down to business. So, we have established what a CAPTCHA is, which serves as a very effective tool against automated spam. But how effective is it? Much depends on the professionalism and qualifications of web developers, as well as the software algorithms they use.
After all, the very essence of captcha is to make it as difficult as possible for the machine to perform a test that an ordinary person should be able to easily pass. Unfortunately, such an ideal ratio is difficult to achieve over a long period of time due to the existing eternal confrontation mentioned above.
Very often, users spit, forced to go through a captcha that is sometimes difficult to solve. Guess what an ordinary user will do when they see something like this:
That's right, he will leave such a resource, since there is always an alternative on the Internet. Thus, when using these types of CAPTCHA, the website owners themselves suffer, as conversion rates decrease, traffic drops, and potential subscribers and clients are lost.
So, knowing what this anti-spam protection is used for, we can formulate the basic conditions that should form the basis for creating perfect captcha(the ideal, as we know, is unattainable in real life, but we must strive for it):
- developing a test that any person could cope with in a minimum period of time, and would be absolutely inaccessible to a bot;
- minimizing any data entry;
- taking into account the interests of users with physical disabilities (for example, implementing audio support for the visually impaired).
You can easily assess for yourself which captchas you have encountered on the Internet best satisfy the above characteristics. Well, now it’s time to get acquainted with the main and most popular types of tests today, implemented in one or another captcha:
1. Entering text in the form of letters, numbers, words or phrases:
The problem with this type is that text characters that are too distorted will make it difficult for them to enter not only for bots, but also for mere mortals like you and me.
2. Actions with images. For example, choosing suitable pictures (pictures) from several proposed ones that would meet certain criteria. Let's say, to solve the captcha given as an example below, you should select all the images where grass is present:
This type of input is more complex for programs because it involves image analysis. And this represents a serious obstacle for them, although recently anti-captcha developers have taken a step forward to eliminate this shortcoming.
This also includes compiling a complete image from disparate parts, which is the inherent human ability for logical and analytical thinking. By moving the details to the right places with the mouse, we get the desired picture (in this case, a human face):
Again, solving such a problem is not an insurmountable obstacle for a living user, but it still takes away precious time, which has always been worth its weight in gold.
3. Application arithmetic or mathematical operations to enter CAPTCHA:
here again it is important not to overdo it and not force the user to “wrinkle his brain” to no avail, as in the example shown in the fifth screenshot above.
4. ReCAPTCHA. This type of Turing test is more attractive to a wide range of users, since it takes into account the interests of people with disabilities (see the list of conditions for achieving the “ideal captcha” located a few paragraphs above), offering, along with a visual option, audio reproduction of the text located in the picture:
ReCAPTCHA is quite reliable and has a high degree of protection against spammers, so it has long been used on many large web resources, including the Google registration page. True, the example above is not entirely successful, since in this form the text depicted is too distorted and is difficult for an ordinary person to reproduce.
Then you have to either select another picture using the update button (circular arrow), or use voice (audio) playback (loudspeaker icon).
In this form, of course, the captcha is more attractive and does not cause obvious rejection.
Along with the leader of the world search, it is worth mentioning Yandex, which is its main competitor in the Russian Internet () and also uses original protection against spammers (YaCAPTCHA), where a code word or a simple set of letters can be offered in Cyrillic:
Naturally, the types of captchas I have given here are only a small part of their entire diversity. Moreover, I classified them according to those characteristics that show variability. You can do the same yourself by identifying other fundamental characteristics by which classification can be made.
For those who prefer video materials to text information, you can watch a very popular video about various types of captcha:
");">
Entering a captcha and assessing the possibilities of bypassing it
So, we have established what captcha means. This is nothing more than a fairly effective means of protection against automated spam. And if you see a sentence like “enter the captcha” in front of you, then you must solve a simple puzzle, the solution of which confirms that you are a living person, thereby ensuring access to the system.
The secret is that RuNet users often visit foreign sites, where CAPTCHA can also be found in one form or another. Therefore, it would be useful to provide a translation of some expressions that may appear in messages accompanying the completion of the code.
For example, on some resources, if you enter characters incorrectly and the resulting error, it is likely that you will see something like this:
"Captcha test failed" translated from English into Russian means “captcha test failed.” The following expressions may also be present (their translation into Russian is on the right side):
- “CAPTCHA error please try again” - error entering captcha, please try again;
- “please complete the CAPTCHA correctly” - please fill out the captcha correctly.
In this case, you just need to try again.
Next comes the question: how to bypass the captcha or even remove it, and also what needs to be done for this? I will say right away that it will not be possible to do this completely. I already mentioned in today’s article that there is a continuous struggle between the creators of software capable of recognizing complex characters, and, in fact, the authors of various kinds of software tests.
At this stage, no one has achieved a decisive advantage, however, in the future, I think, the existing parity will remain with some changes in one direction or another. This is explained by the interest of both parties (both the owners of Internet resources, seeking to protect themselves from bombardment of spam messages, and spammers, who do not want to miss out on a profitable means of enrichment).
Therefore, spam, of course, passes, especially when using the most modern paid software. But the effectiveness of even the best automatic programs is far from one hundred percent, which is also evidenced by the fact that online services (anti-captcha) are thriving, where captchas are recognized by real people, naturally, for a fee.
In this case, efficiency tends to maximum for obvious reasons. However, if you have a need for mass captcha recognition, you should be prepared for the fact that you will part with part of your hard-earned money. You have to pay for everything in this life.
On the other hand, you can make money on such services if you register as an employee. The most popular and, perhaps, . The money you will receive there will not be very big, it is rather an additional source of income.
It must be borne in mind that this work does not require any special skills or knowledge; anyone who has a simple Internet connection can do it. And unskilled labor is not highly valued by default. But if you don’t like it, you can always quit this idea.
The optimal solution for websites is installing reCAPTCHA
Well, at the end of the publication, I cannot help but touch upon the issue of using the most effective captcha on my website or blog. After all, all webmasters know firsthand the “charm” of communicating with spammers.
Perhaps, it was at this stage that a rather productive remedy appeared in the form of latest version of reCAPTCHA(mentioned just above), which is already used by major world services, including, of course, Google. The difference from the old version is that the user only needs to check the box opposite the inscription “I am not a robot”:
I have also installed reCAPTCHA on some of my online projects. This antispam tool is not yet available on the site for the simple reason that I am generally satisfied with the work, which is suitable for my comment structure.
But you can easily install reCAPTCHA, for example, on your WordPress blog in order to filter the same comments with the noble goal of making life easier for your visitors. In conclusion, another super video
How to enter captcha
There are 2 options for solving the captcha problem:
First option- when Instagram asks you to confirm your account (or captcha), you need to log into your Instagram account through the mobile application, you may be asked: This is me, if there is no question when logging in, then you need to use the second solution to the problem
Second option- You need to confirm your account in the Accounts section.
1. Select your instagram account (in the Accounts section).
2. Click on Contact Technical Support, then/or immediately Reconnect.
3. Select the method of receiving the code, via phone number or email.
4. Enter the received code.
Video tutorial on how to enter a captcha on an Instagram account.
If you have any questions, you can always contact us via Online Chat on the website instaplus.me, we will always help you and provide high-quality, qualified assistance to resolve your problem.
Happy promotion!
Was this article helpful? Yes No
Post a reviewUnfortunately, we were unable to help you resolve the problem. Your feedback will allow us to improve this article.
Articles on the topic
Home SolutionsWe use cookies to improve your experience on Freshdesk.
You can find out more about why and how we use cookies here, and the types of cookies here: Privacy Policy. If you do not want to use cookies, you can also disable them completely. However, please note that Freshdesk uses cookies frequently, so if they are disabled, some areas of Freshdesk may not function properly.
We also hope that you agree to the ways in which we use cookies and the related information in our Privacy Policy, unless you choose to disable cookies in your browser entirely.
