How do CAPTCHAs Work?

Introduction

Have you ever wondered what CAPTCHA stands for? It sounds a lot like what it does: “capture” whether a human or machine is trying to access an online service. But, actually, it’s an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.”

What does Turing have to do with solving puzzles like identifying stretched letters or clicking on certain images? Alan Turing, who gained mainstream recognition through the movie The Imitation Game (which I highly recommend), proposed the Turing test to ask whether a machine could behave, in conversation, in a way indistinguishable from a human.

CAPTCHAs flip the concept and try to catch differences. These tests appear on websites from time to time asking you to prove you’re a human—and not a bot—before you gain access to information or a service. Sounds like a great way to manage bot activity, right? It is, but there are also challenges with CAPTCHAs.

In this blog, we’ll discuss common uses for CAPTCHAs, their pros and cons, as well as some alternatives. We’ll also explore the relationship between CAPTCHAs and cyber threats, including DDoS attacks, and how to mitigate risk.

What are CAPTCHAs used for?

As our lives moved online, organizations began using CAPTCHAs to prevent fraud and abuse. For example:

Limiting registrations for services

CAPTCHAs can prevent bots from spamming registration systems to create fake accounts that waste service resources and create opportunities for fraud.

Guarding against suspicious transactions

Ticketing systems use CAPTCHAs to prevent scalpers from buying huge volumes of tickets and reselling them illegally and at inflated prices.

Protecting online poll accuracy

CAPTCHAs can help ensure that votes are entered by humans and protect the integrity of results.

Stopping bogus comments and product reviews

Vendors and review services use CAPTCHAs to prevent bots from spamming review sites and message boards with a flood of bogus comments.

Defending against brute-force attacks

A CAPTCHA that is triggered after a fixed number of unsuccessful login attempts is a barrier to threat actors who use bots to guess passwords. Counting failures per account, not only per source IP, matters here, because credential-stuffing bots rotate through many addresses.

How do CAPTCHAs Work?

When you go to a website to access a service or application, a CAPTCHA presents a test or puzzle that is easy for humans to complete but difficult for bots: identify all the images containing cars, or type a blurred string of letters and numbers. The challenge is generated on the server, which records the expected answer together with a challenge identifier and sends the user only the identifier and the puzzle. The user's response goes back to the server, which checks it against the recorded answer and denies access to the application or service if it does not match. Two details make the check meaningful: verification happens server-side (a client-side "solved" flag is trivially forged by a bot), and each challenge is single-use and short-lived, so a solution cannot be replayed or brute-forced against one challenge.
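As an added example (written for this page; it is not the code of any CAPTCHA product), the following Python sketches that server side: challenges are issued with the answer kept only in server memory, each check is single-use and expiring, and a login gate demands a CAPTCHA only after repeated failures for an account, which is the brute-force use described above. The challenge bank, the TTL and the failure threshold are constructed for the example; a real deployment renders a fresh image or audio clip per challenge.

```python
import hmac
import secrets
import time

# Constructed challenge bank for the example. A real service generates a
# fresh distorted image or audio clip per request; the point here is that
# the expected answer lives only on the server.
CHALLENGE_BANK = [
    ("type the distorted text shown in the image", "g7xq2"),
    ("select every tile that contains a car (tiles 1-9)", "1,3,4"),
    ("type the digits you hear in the audio clip", "40815"),
]


def _normalize(answer):
    """Case and whitespace are not part of the secret; normalise both sides."""
    return "".join(answer.split()).lower()


class CaptchaService:
    """Server-side CAPTCHA state. Each challenge is single-use and expires."""

    def __init__(self, ttl_seconds=120, now=time.time):
        self.ttl = ttl_seconds
        self.now = now                # injectable clock for tests
        self._pending = {}            # challenge_id -> (expected, expires_at)

    def issue(self):
        prompt, answer = secrets.choice(CHALLENGE_BANK)
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (_normalize(answer), self.now() + self.ttl)
        return cid, prompt            # the answer never leaves the server

    def verify(self, cid, response):
        # pop() consumes the challenge whether or not the answer is right,
        # so one challenge id cannot be guessed at repeatedly or replayed.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if self.now() > expires_at:
            return False
        return hmac.compare_digest(_normalize(response).encode(), expected.encode())


class LoginGate:
    """Requires a solved CAPTCHA once an account has accumulated N failed
    logins. Keyed by account rather than source IP, because bots rotate IPs."""

    def __init__(self, captcha, threshold=3):
        self.captcha = captcha
        self.threshold = threshold
        self._failures = {}           # username -> consecutive failures

    def captcha_required(self, username):
        return self._failures.get(username, 0) >= self.threshold

    def attempt(self, username, password_ok, captcha_id=None, captcha_response=""):
        """password_ok stands in for the real credential check."""
        if self.captcha_required(username):
            if captcha_id is None or not self.captcha.verify(captcha_id, captcha_response):
                return "captcha_required"
        if password_ok:
            self._failures.pop(username, None)
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "bad_password"
```

The comparison uses a constant-time check and the challenge is consumed on the first attempt, right or wrong, so an attacker cannot iterate guesses against one identifier. In a multi-server deployment the pending map would live in a shared store with the same single-use semantics.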

Common Types of CAPTCHAs

There are several types of CAPTCHAs with the most common types being:

  • Text-based CAPTCHAs include a series of letters, numbers, or a combination that have been distorted, rotated or obscured in some way that makes it difficult for a computer to decipher but easy for humans.
  • Image-based CAPTCHAs display an image or a series of images that contain a specific object. Users need to identify the object in the image or identify which images contain the object. For computers, solving these tests requires advanced image recognition software. Upping the level of difficulty, image-based CAPTCHAs sometimes require rearranging pieces of an image to solve a puzzle, or rotating images in a certain direction.
  • Audio CAPTCHAs are particularly helpful for visually impaired users. In this case, users are asked to listen to a series of letters, numbers, or words and enter them into a text box.
  • Math or word problem CAPTCHAs are more intricate, requiring users to solve a math problem, answer a trivia question, or type the missing word in a sentence to prove they are human.
  • Social media sign-in options ask the user to sign in with a Facebook, Google, or LinkedIn account, for example, instead of solving a puzzle. This is often easier for the user than a test, but it is not a CAPTCHA in the strict sense: it delegates the human-or-bot decision to the identity provider, and bot-operated accounts exist on every large platform.

Benefits of CAPTCHAs

There are many advantages to using CAPTCHAs, including:

Preserving Integrity of Services

Being able to validate that actual humans—not bots—are casting votes, submitting reviews, and buying tickets, enables organizations to preserve the integrity of services and applications. It can also play a role in reducing online harassment and sabotage to brands.

Protecting Assets and Data

Preventing bots from accessing websites reduces opportunities for fraud, data breaches, and other malicious activity.

Maintaining Service Availability and Performance

Restricting bots from creating accounts, overloading systems with activity, or overwhelming network bandwidth, prevents waste and maintains service availability and performance.

Downsides to CAPTCHAs

CAPTCHAs have done a good job of protecting services and organizations from the negative impact of bots. However, they also have a downside, mostly related to the user experience.

User frustration

How many times have you been presented with a CAPTCHA, only to have your response rejected? Interrupting a workflow to take a quiz once is disruptive enough. Do-overs quickly become frustrating and can leave users with a negative impression of the website or the business. In fact, some users abandon the website altogether.

Accessibility issues

Text- and image-based CAPTCHAs can be extremely difficult if not impossible for visually impaired users to complete. Unfortunately, screen reader software that helps people who have sight loss use computers doesn’t have a strong success rate dealing with CAPTCHAs. Audio CAPTCHAs aren’t a great alternative – their poor quality can make it difficult for users to understand the recording.

Browser incompatibility

Some CAPTCHA types don’t support all browsers. Organizations need to do robust testing and make sure they have the broadest coverage possible or risk users giving up and going to another site.

CAPTCHA vs reCAPTCHA vs Alternatives

CAPTCHA technology continues to evolve to improve the user experience and to stay effective against threat actors, who have gotten better at training bots to solve CAPTCHAs. reCAPTCHA is Google's widely used CAPTCHA service, and its later versions often don't require a test at all: you simply click a checkbox labelled "I'm not a robot."

Behind the scenes, the checkbox version is scoring the request before and as you click: the movement of the mouse (humans move with a level of unpredictability, whereas scripted cursors tend to be direct and uniform), signals from the browser and device, Google's own cookies, and the IP address and its reputation. It cannot read your browsing history; the browser does not expose that to a page's scripts. If the score is ambiguous it falls back to a traditional image challenge, but usually it classifies a bot with a high degree of confidence. It is not infallible: solver services and machine-learning models do pass it, which is why the verdict should never be the only control in front of a sensitive action.

You may feel you're encountering fewer CAPTCHA tests these days, and you're right. The next evolution is the invisible, score-based variant (reCAPTCHA v3 works this way): it runs on every page, observes user behaviour continuously, and returns a risk score to the website instead of a pass/fail. The site decides what to do with a low score, for example asking the user to complete multi-factor authentication before signing in, or serving a traditional challenge. As this technology is refined, behaviour-based methods will likely replace traditional tests.

Some organizations are moving away from CAPTCHAs altogether and relying on two-factor authentication, such as a password plus a code sent to the user's phone or email, to grant access. Note the limit of that substitution: 2FA verifies that a known account holder is present, so it protects logins, but it cannot gate anonymous flows such as registration, polls or comment forms, where there is no second factor to ask for.
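As an added illustration of the behavioural signal described above (example code written for this page, not reCAPTCHA's algorithm, whose features and models are not public), the following Python scores a sequence of mouse samples. The three traces are constructed inputs: a cursor that teleports to the button in one jump, a scripted straight line at constant speed, and a wobbly human-like path that speeds up and slows down. The thresholds are assumptions chosen for the example; a production system uses many more signals and a trained model rather than fixed cut-offs.

```python
import math

# Constructed mouse traces: (x, y, t_ms) samples from page load to the click.
BOT_TELEPORT = [(0, 0, 0), (300, 200, 5)]                     # cursor jumps straight to the button
BOT_LINEAR = [(i * 30, i * 20, i * 10) for i in range(10)]    # scripted straight line, constant speed
HUMAN_PATH = [(0, 0, 0), (10, 8, 40), (28, 3, 70), (50, 18, 95), (85, 9, 120),
              (125, 27, 150), (170, 19, 190), (205, 38, 240), (235, 30, 300), (250, 42, 380)]


def path_features(points):
    """Return (tortuosity, speed_cv, n_samples).

    tortuosity = path length / straight-line distance; 1.0 is a perfectly straight path.
    speed_cv   = std-dev / mean of per-segment speed; 0.0 means perfectly uniform speed.
    """
    n = len(points)
    if n < 2:
        return 1.0, 0.0, n
    lengths, speeds = [], []
    for (x0, y0, t0), (x1, y1, t1) in zip(points, points[1:]):
        d = math.hypot(x1 - x0, y1 - y0)
        lengths.append(d)
        speeds.append(d / max(t1 - t0, 1))   # px per ms; guard against duplicate timestamps
    chord = math.hypot(points[-1][0] - points[0][0], points[-1][1] - points[0][1])
    tortuosity = sum(lengths) / chord if chord > 0 else float("inf")
    mean = sum(speeds) / len(speeds)
    var = sum((s - mean) ** 2 for s in speeds) / len(speeds)
    speed_cv = math.sqrt(var) / mean if mean > 0 else 0.0
    return tortuosity, speed_cv, n


def looks_automated(points, min_samples=8, min_tortuosity=1.02, min_speed_cv=0.15):
    """Heuristic verdict. Too few samples (a teleporting cursor), a near-perfectly
    straight path, or near-uniform speed each read as scripted movement.
    Thresholds are assumptions for this example, not tuned values."""
    tortuosity, speed_cv, n = path_features(points)
    if n < min_samples:
        return True
    return tortuosity < min_tortuosity or speed_cv < min_speed_cv
```

The useful lesson is less the thresholds than the adversarial dynamic: once a bot author learns that straightness and uniform speed are being measured, they add jitter, which is why real deployments combine many signals, keep them server-side, and retrain rather than publish fixed rules.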

CAPTCHAs and DDoS Attacks

The evolution of CAPTCHA to more sophisticated methods is a good thing, because adversaries are increasingly exploiting traditional CAPTCHAs in novel ways: to get past the bot checks in front of services and applications and launch more sophisticated DDoS attacks, and as a lure for delivering malware.

Threat actors are using AI-based solvers (and paid human solving services) to pass CAPTCHAs and then launch DDoS attacks against enterprises. After a CAPTCHA is solved, the protection layer typically issues a clearance cookie or token and stops rechecking that client for a grace period, often 5-10 minutes. If the clearance is long-lived, not bound to the client that earned it, and not backed by rate limits, that is plenty of time for a threat actor to bring down a network with a volumetric DDoS attack, or to set up a series of smaller application-layer attacks that slip under the radar but still disrupt availability and performance. Worse, if the token can be replayed from other addresses, one solve can clear an entire botnet.
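An added example (written for this page, not Corero's or any vendor's code) of the two controls that close this gap: a clearance token that is short-lived and bound to the client that solved the challenge, and a request budget that still applies to cleared clients. The key, TTL, binding fields and limits are assumptions for the example.

```python
import hashlib
import hmac
from collections import deque

# Assumption for the example: a server-side key, rotated like any other secret.
CLEARANCE_KEY = b"example-key-rotate-in-production"


def _sign(payload):
    return hmac.new(CLEARANCE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _binding(client_ip, user_agent):
    """Fingerprint the clearance is tied to. IP plus User-Agent is the simplest
    binding; a real deployment adds more stable device signals."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()[:16]


def issue_clearance(client_ip, user_agent, now, ttl_seconds=300):
    """Called once a CAPTCHA has been solved. The token carries its own expiry
    and client binding, both covered by the HMAC, so it can be verified
    statelessly at the edge."""
    payload = f"{int(now + ttl_seconds)}.{_binding(client_ip, user_agent)}"
    return f"{payload}.{_sign(payload)}"


def clearance_valid(token, client_ip, user_agent, now):
    try:
        expires_s, binding, sig = token.split(".")
    except ValueError:
        return False
    payload = f"{expires_s}.{binding}"
    if not hmac.compare_digest(sig, _sign(payload)):
        return False                                   # forged or tampered
    if now > int(expires_s):
        return False                                   # grace period over
    return hmac.compare_digest(binding, _binding(client_ip, user_agent))  # rejects replay elsewhere


class SlidingWindowLimiter:
    """Request budget per clearance token, enforced inside the grace period."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = {}                                # token -> deque of timestamps

    def allow(self, key, now):
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class Edge:
    """Admission decision for one request: 'challenge', 'allow' or 'throttle'."""

    def __init__(self, limiter):
        self.limiter = limiter

    def admit(self, token, client_ip, user_agent, now):
        if not token or not clearance_valid(token, client_ip, user_agent, now):
            return "challenge"                         # serve a CAPTCHA
        if not self.limiter.allow(token, now):
            return "throttle"                          # cleared, but over budget
        return "allow"
```

The binding means a token earned on one machine is rejected from any other address, so a solver farm cannot clear a botnet with a single solution; the limiter means that even a legitimately cleared client cannot turn the grace period into a flood. In practice, bind to more than IP and User-Agent, and keep the TTL short enough that re-solving costs the attacker more than they can achieve in one window.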

Threat actors are also using fake CAPTCHAs that ask the user to press a sequence of keys instead of clicking on images. The keystrokes run a command outside the browser that downloads malware onto the user's system, so the attacker can steal credentials and sensitive data, take control of the system remotely, and compromise the organization's network. A genuine CAPTCHA never asks you to use keyboard shortcuts, open a run dialog or terminal, or paste anything; any "verification" page that does is malicious. With these capabilities threat actors can recruit more systems into DDoS botnets. They can also run multi-vector campaigns, exfiltrating data, holding it for ransom, and threatening a DDoS attack if their demands aren't met. Corero's 2025 Threat Intelligence Report explores these strategic shifts in DDoS tactics in greater depth.

Mitigating DDoS Attacks via CAPTCHAs

To mitigate DDoS attacks that take advantage of CAPTCHAs, organizations should use a combination of best practices and technology, including:

Employee Education

Educate employees on the dangers of fake CAPTCHAs and DDoS attacks, and how to avoid the traps, such as phishing emails, that are often used to lure them to fake CAPTCHAs. The simplest rule to teach: a real CAPTCHA is solved entirely inside the browser with clicks or typed text, never with keyboard shortcuts or pasted commands.

CAPTCHA Alternatives

Consider moving to CAPTCHA alternatives that don't use the prompts threat actors are co-opting: distorted text, image grids, and the "I'm not a robot" checkbox. Instead, consider solutions that use behaviour-based risk scoring, and make multi-factor authentication standard policy for account access.

Network Monitoring Capabilities

Continuous monitoring can help detect and respond to CAPTCHA abuse. With a baseline of your normal traffic, it can separate good traffic from bad and alert you to anomalous behaviour, such as a burst of requests arriving from many addresses immediately after a handful of CAPTCHA solves, so you can mitigate.

Advanced DDoS Protection for Attacks via CAPTCHAs

As DDoS attacks become more sophisticated, organizations need holistic Layer 3 through Layer 7 protection. Many anti-DDoS solutions don’t innately help combat CAPTCHA abuse because they focus on attacks at Layer 3 of the OSI model. They don’t include traffic and behavior analysis to detect multi-vector attacks that operate all the way up to Layer 7 (the application layer), where attacks that compromise CAPTCHAs unfold. 

Beyond traditional DDoS protection, an advanced DDoS protection solution will mitigate the gamut of DDoS attacks, from Layer 3 through Layer 7. To defend against emerging threats such as CAPTCHA abuse, capabilities should include behavior analysis to trigger sophisticated application defense and Zero Trust admission control to stop modern multi-vector attacks.

Providing additional resiliency, the most effective solutions allow you to maintain uninterrupted service availability even in the midst of a DDoS attack. When coupled with AI-assisted threat intelligence that continually learns from new data and adapts in real time, these solutions can also react instantly to protect against follow-on malicious activity including data leakage, ransomware attacks, and other threats to your operations.

Conclusion

As our lives moved increasingly online, organizations started to use CAPTCHAs to prevent fraud and abuse. These tests or puzzles are easy for humans to complete but difficult for bots, and include text- and image-based tests, audio tests, math or word problems and even social media sign-in options. CAPTCHAs have been successful in preserving the integrity of services, protecting assets and data, and maintaining service availability and performance.

However, as threat actors have become more savvy at passing CAPTCHA tests and user frustration and accessibility issues proliferated, organizations have started to turn to alternatives. AI-based methods and multifactor authentication are harder for threat actors to crack, while providing a more seamless user experience.

The evolution of CAPTCHA to more sophisticated methods is a good thing because adversaries are increasingly taking advantage of traditional CAPTCHAs to launch DDoS attacks. They are also creating fake CAPTCHAs to compromise users and data in order to launch multi-vector DDoS attacks against targeted organizations.

Best practices to mitigate DDoS attacks that leverage CAPTCHAs include educating employees on the dangers, deploying alternatives to CAPTCHA, and using network monitoring tools. However, when an organization is being targeted with a DDoS attack, the most effective technology to thwart threat actors is an advanced DDoS protection solution that provides uninterrupted service availability even in the midst of a DDoS attack. When coupled with behavior analysis and intelligence, you’re able to stay ahead of emerging and evolving threats and defend against follow-on malicious activity including data leakage, ransomware attacks, and other threats to your operations.

Visit our threat intelligence research center for more information on DDoS defense in depth.