Captcha: good or bad security solution?


CAPTCHA, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”, was devised in an attempt to confirm that a visit to a site has been made by a human being and not by a program.

What’s a captcha for?

They are mainly used to validate access or registration.

On the Internet, there are robots that constantly scan different web pages to identify resources. We call them "crawlers" or "spiders". Most of the time, they are used legitimately, for example by search engines or archiving systems.

But sometimes they are turned to malicious ends. One such use is to abuse the forms present on websites (registration, contact, etc.). The aim may be to probe for vulnerabilities, or simply to create accounts in bulk, which can then be exploited for spam campaigns.

Captchas were created to limit these practices. They require human validation, which limits the impact of crawlers.

They have evolved considerably in complexity. Initially, captchas took the form of checkboxes or simple text to be copied, but increasingly sophisticated robots adapted to pass these checks. So now we have images, distorted text or objects to identify, possibly several times over, before the captcha is validated.

There are even invisible captchas, which analyze the user’s actions on a page, right down to the movement of the mouse, to identify whether the user is human or not.

Can a captcha be fooled?

The answer is obvious: Yes.

As we said earlier, robots are constantly evolving, with new techniques enabling programs to better recognize the characters and objects present in the images displayed by captcha. They quickly take new protections into account and mimic the behavior expected by the latest captchas. What’s more, like all computer programs, they have their flaws and limitations. They therefore require regular monitoring, analysis and updating, which is sometimes lacking.

Finally, “captcha farms” have been identified. These are real factories, located mainly in developing countries, where labor costs are lowest. Teams of human workers fill in the captcha manually, for a small fee. Sources are obviously unclear, but we’re talking about costs in the range of $1 to $5 per 1,000 validated captchas.

And even without the farms that industrialize the process, a hacker or spammer can perfectly well solve a small number of captchas by hand, if doing so unlocks a sensitive access.

Is the captcha a bad security solution?

The captcha and its evolutions are not bad solutions, but they should only be one of the building blocks in securing your systems. Relying solely on a captcha to confirm access is a mistake. It offers a false sense of security which, as we've seen, can be easily circumvented. It is only justified if it forms part of a set of measures that work together to validate a procedure. If it is the centerpiece, or even the only security control, it can only be a weak link in the cybersecurity chain.
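To make "one building block among several" concrete, here is an added example (not Altospam's code, and not tied to any particular captcha vendor) of a registration gate in which a solved captcha never suffices on its own. The vendor's verdict is injected as a callable, the `source` identifier (a client address in the constructed test data) and the thresholds are assumptions for this illustration, and the in-memory stores stand in for whatever shared store a real deployment would use.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 600            # sliding window for the per-source rate limit
MAX_ATTEMPTS_PER_WINDOW = 5     # submissions allowed per source per window
TOKEN_TTL_SECONDS = 120         # a captcha token is only valid for two minutes


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


class RegistrationGate:
    """Layers four independent checks: a per-source rate limit, a honeypot
    field, a session-bound single-use captcha token, and the captcha
    vendor's own verdict. Any single failure rejects the submission, so a
    captcha solved by hand (or by a farm) still cannot be replayed or
    submitted in bulk."""

    def __init__(self, vendor_verify, now=time.time, secret=None):
        self.vendor_verify = vendor_verify      # assumed: callable(str) -> bool
        self.now = now                          # injectable clock for testing
        self.secret = secret or secrets.token_bytes(32)
        self.attempts = defaultdict(deque)      # source -> deque of timestamps
        self.used_tokens = set()

    def _tag(self, session_id: str, expiry: int, nonce: str) -> str:
        # HMAC binds the token to the session and its expiry; clients cannot forge one.
        msg = f"{session_id}:{expiry}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, session_id: str) -> str:
        """Issued when the form is rendered; the token must come back with it."""
        expiry = int(self.now()) + TOKEN_TTL_SECONDS
        nonce = secrets.token_hex(8)
        return f"{nonce}.{expiry}.{self._tag(session_id, expiry, nonce)}"

    def _rate_limited(self, source: str) -> bool:
        q = self.attempts[source]
        cutoff = self.now() - WINDOW_SECONDS
        while q and q[0] < cutoff:          # drop timestamps outside the window
            q.popleft()
        q.append(self.now())
        return len(q) > MAX_ATTEMPTS_PER_WINDOW

    def _token_problem(self, token: str, session_id: str):
        """Return a reason string if the token is unusable, else None."""
        try:
            nonce, expiry_s, tag = token.split(".")
            expiry = int(expiry_s)
        except ValueError:
            return "captcha token malformed"
        expected = self._tag(session_id, expiry, nonce)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "captcha token not bound to this session"
        if self.now() > expiry:
            return "captcha token expired"
        if token in self.used_tokens:
            return "captcha token already used"
        return None

    def submit(self, source, session_id, token, captcha_response, honeypot=""):
        d = Decision(allowed=True)
        if self._rate_limited(source):
            d.allowed = False
            d.reasons.append("rate limit exceeded")
        if honeypot:                        # hidden field a human never fills in
            d.allowed = False
            d.reasons.append("honeypot field filled")
        problem = self._token_problem(token, session_id)
        if problem:
            d.allowed = False
            d.reasons.append(problem)
        else:
            # Burn the token as soon as it is used, whatever the vendor says,
            # so one solved captcha buys exactly one verification attempt.
            self.used_tokens.add(token)
            if not self.vendor_verify(captcha_response):
                d.allowed = False
                d.reasons.append("captcha not solved")
        return d


if __name__ == "__main__":
    # Constructed demo: a vendor stub that accepts the literal response "ok".
    gate = RegistrationGate(vendor_verify=lambda r: r == "ok")
    tok = gate.issue_token("sess-A")
    print(gate.submit("10.0.0.1", "sess-A", tok, "ok"))        # allowed
    print(gate.submit("10.0.0.1", "sess-A", tok, "ok"))        # replay rejected
```

The point of the design is that each layer catches a different failure of the captcha alone: the rate limit caps what a farm can push through per source, the session binding and expiry stop a token solved in one context from being reused in another, the single-use set stops straight replay, and the honeypot costs a human nothing while tripping naive form fillers.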

At Altospam, we use captchas, particularly on our websites, but we limit their use to very specific, identified cases, alongside our many other security measures, where we consider them appropriate. What's more, we pay particular attention to the versions and capabilities of the solutions we use, so that they comply with accessibility standards and never block legitimate validations, while ensuring maximum security.

As you know, email is the leading vector for cyber attacks, so it's important to secure your email flows. At Altospam, thousands of customers have placed their trust in us over the past 20 years. Just as we have done with our customers, we are always ready to study your issues and needs to protect your organization against hackers and thus better secure your data.

To find out more about Altospam’s email protection solution, request a test or book a demo with a cybersecurity expert.

Test Altospam’s solutions!

Thousands of companies, CTOs, CIOs, CISOs and IT managers already trust us to protect their e-mail against phishing, spear phishing, ransomware, …