CAPTCHA codes are designed to determine whether a form was submitted by a human being rather than an automated process. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It is probably one of those acronyms in which the acronym preceded the words that make it up. It was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper and John Langford.
Before the advent of CAPTCHA mechanisms, webmasters would only require a username and a password. A valid user would enter the correct credentials and make it to the page for logged-in users, while an invalid set of credentials would keep the person stuck on the login page.
Someone wanting to gain illegal access to a web portal could do so in one of three ways:
- The amateur way: physically sitting in front of a computer, entering the login details, clicking the submit button and waiting (hoping) for the eureka page to come up. He would repeat the process whenever an invalid login message appeared.
- The professional way: building a program that reads usernames and passwords from a list, fills in the form automatically and mechanically hits the submit button. The script then analyzes the resulting page to determine whether the last combination produced a positive or a negative outcome.
- The guru way: having not one computer but an army of them (mostly hijacked) running the program that mechanically submits credentials to the targeted website.
A hacker's success depends on the number of attempts he can make in a given period of time. By automating the attack and by adding more computers that concurrently try different combinations of usernames and passwords, the hacker increases his chances of causing that electronic drawbridge to come down. Hackers are usually armed with massive lists of frequently used usernames and frequently used passwords and simply submit combinations of both. Some lists contain username / password combinations that have already been used successfully to break into someone's web account. It is incredible how many people use easy-to-guess usernames and passwords and, to make matters worse, keep the same combination unaltered across all the sites they log into.
By adding a CAPTCHA code to your website, you are essentially adding an element that makes an automated attack impossible. Since CAPTCHA codes cannot be processed mechanically, automated attacks fail and the restricted content is safe from illegal access. Before implementing a CAPTCHA mechanism in your web page, check that the particular implementation has not been compromised. For example, EZ-Gimpy was an early type of CAPTCHA that worked by selecting a random word, distorting the letters and then placing them on a noisy background. This type of CAPTCHA was eventually cracked, meaning that automated solutions exist that convert the distorted image back into the letters it represents.
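The server-side half of a CAPTCHA is where the protection actually lives: the site must remember which answer it rendered for which visitor, accept that answer only once and only for a short time, and refuse to look at the username and password until the challenge has been passed. The following is an added example written for this article, not code from the original page or from any particular CAPTCHA library. Image rendering is left out; the session store (`_pending`), the time-to-live and the `check_credentials` callback are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import string
import time

# Characters used for the challenge text (constructed choice: letters and digits
# that are hard to confuse once rendered; rendering itself is out of scope here).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed value)

# Hypothetical server-side session store: session id -> pending challenge record.
# A real deployment would keep this in the web framework's session backend.
_pending = {}


def _digest(answer):
    # Only a hash of the expected answer is stored, so a leaked session store
    # does not hand out the answers to every outstanding challenge.
    return hashlib.sha256(answer.upper().encode()).hexdigest()


def issue_challenge(session_id, length=6, now=None):
    """Create a fresh challenge for a session and return the text to render."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    _pending[session_id] = {"digest": _digest(answer), "expires": now + CHALLENGE_TTL}
    return answer


def verify_challenge(session_id, response, now=None):
    """Check the visitor's answer. Each challenge is single-use: it is removed
    whether or not the answer is right, so one rendered image cannot be
    replayed or guessed at repeatedly."""
    now = time.time() if now is None else now
    record = _pending.pop(session_id, None)
    if record is None or now > record["expires"]:
        return False
    if not isinstance(response, str):
        return False
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(record["digest"], _digest(response))


def login(session_id, username, password, captcha_response, check_credentials, now=None):
    """Gate the credential check behind the CAPTCHA. A wrong or missing answer is
    rejected before the password is examined, so every automated attempt costs
    the attacker a freshly solved challenge rather than a free guess."""
    if not verify_challenge(session_id, captcha_response, now=now):
        return "captcha_failed"
    return "ok" if check_credentials(username, password) else "bad_credentials"


if __name__ == "__main__":
    # Constructed demo user; a real site would check a salted password hash.
    users = {"alice": "correct horse"}
    creds_ok = lambda u, p: users.get(u) == p

    answer = issue_challenge("session-1")
    print("rendered challenge text:", answer)
    print(login("session-1", "alice", "correct horse", answer, creds_ok))  # ok
    # The same answer again: the challenge was consumed, so the login is refused
    # before the (still correct) password is looked at.
    print(login("session-1", "alice", "correct horse", answer, creds_ok))  # captcha_failed
```

The two properties worth checking in any CAPTCHA implementation you adopt are the ones the example enforces: the answer is bound to one session and consumed on first use, and it expires. An implementation that lets the same solved challenge be submitted many times gives an automated attacker exactly what the CAPTCHA was meant to take away.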
There is very little reason for not implementing a CAPTCHA in your web pages. There are free solutions that are simple to implement, and people have adapted CAPTCHA code solutions to work with many different development environments. There are even CAPTCHA solutions that can be plugged into static (HTML) pages.
By implementing CAPTCHA codes in your web site you are not only protecting your restricted content but also protecting the people who have registered on your site from having their accounts broken into because of a weak password or because they use the same username / password combination across all the sites they are registered with.