Home of internet privacy

Are you human or robot? How CAPTCHAs know

Every once in a while, a website wants you to prove that you are human with a quick test called a CAPTCHA. Pick out all the squares that have kittens. Move the puzzle piece to the right spot. Type the scribbled letters shown. Only then does a site allow you to proceed to view a webpage, make a purchase, or leave a comment.

CAPTCHA is an acronym for “completely automated public turing test to tell computers and humans apart.” Computer scientists came up with the simple tests in the 1990s. They are designed to be easy for humans to solve but difficult for computers, and they are still widely used today to prevent bots from spamming websites.

Inconvenient, hard to solve, and sometimes inaccurate

If you’ve encountered CAPTCHAs, chances are you’ve also failed a CAPTCHA. Not being able to prove your humanness is disheartening—but perhaps more common than you think.  In 2014, Google tested their machine-learning algorithm against humans in solving the most complex types of CAPTCHAs the company could dream up. Humans got through the tests at a laughable 33% pass rate, while Google’s machines passed 99.8% of the time.

Read more: Tinder will soon offer background checks on your matches

So on some level, CAPTCHAs are now more difficult for humans to solve than computers, raising questions about their relevance. Meanwhile, solving CAPTCHAs has become a side hustle for some. So yes, you can hire someone to figure out which images have awnings in them, or you can use our (semi-serious) tips below to prove that you’re indeed human.

Types of CAPTCHAs and tips to solve them

1. Confident ReCAPTCHA

The most popular form of CAPTCHA—and the subject of a thousand memes—these tests involve selecting photos based on given instructions. To get this right in one go, you’ll need to think like the crowd and click on photos you think everyone else is going to click on. No time for overthinking!

Effectiveness: With a purported success rate of 96%, we’d rate this as high. The images presented are subjective enough that bots aren’t currently equipped to identify. 

Tips to solve: Don’t overthink it. If you fail, you’ll get a new test that might be easier.

2. No CAPTCHA reCAPTCHA (or reCAPTCHA v2)

Introduced by Google in 2014, this test is simple to take: Just click on a box that says “I am not a robot.” The CAPTCHA then determines if the user is a human or a bot based on which part of the box was clicked. Bots will tend to click the box directly in the middle. If by some coincidence, a human manages to click directly in the center, a backup method of verification will be deployed where a user will have to type out a combination of numbers or letters. 

Effectiveness: High 

Tips to solve: Don’t click directly in the center of the box; it’s hard to get this wrong if you’re human.

3. Math problems or word tasks

For these CAPTCHAs, the challenges range from solving a simple arithmetic problem to typing out a specified word. Despite how easy they might seem to humans, these tests are surprisingly difficult for bots to solve.

Effectiveness: Medium. In particular, bots have become adept at solving the classic challenge of typing out a line of distorted text.

Tips to solve: Think of your favorite school teacher cheering you on. You can do it!

4. The honeypot CAPTCHA

Honeypots are hardcoded forms of CAPTCHA that only bots can see. These CAPTCHAs often appear as empty fields in a form. As a result, bots will automatically attempt to fill them in, which allows websites to easily reject any answers or forms when they’ve been submitted. 

Effectiveness: Medium; some bots are not fooled 

Tips to solve: N/A; humans don’t have to do anything

5. Timed forms

Another form of CAPTCHA involves timing how long it takes someone to fill out a form. Bots fill in forms almost instantaneously, so if you’re human, taking your time will prove it. 

Effectiveness: High

Tips to solve: Fill out forms at human speed (i.e., slow) and don’t use automation.

6. Social media sign-in

Quite possibly the securest form of CAPTCHA, social media logins require humans to sign into their Facebook, Instagram, or Google accounts to access websites. Since bots are not meant to have social media accounts, it’s pretty easy to ensure they won’t get past these tests. A major downside is that actual users might find it a hassle to log in with a separate account and might think twice about linking their personal information.

Effectiveness: High

Tips to solve: This one is as simple as having a social media account. You don’t even have to use your main, or active, account. Setting up an account specifically for social media sign-in could be a good way to bypass these CAPTCHAs quickly without compromising your privacy.

7. Invisible CAPTCHA (or reCAPTCHA v3)

According to Google, this works in the background to silently determine if a visitor to a site is human or a bot. This method doesn’t require any input on the user’s behalf and monitors how the activity is conducted on a site to issue a score between 0 and 1—where a score between 0 and 0.3 is considered a bot, and a score between 0.4 and 1.0 is deemed human. How does it work exactly? Nobody really knows as Google hasn’t opened it up to public scrutiny. We suppose from their perspective this makes sense as it keeps malicious actors one step behind.

Effectiveness: Unknown

Tips to solve: Be human. It has been found that visiting sites with a Google cookie installed on your browser increases your chances of being perceived as human.