In this article I explain the general concept of a captcha in technical and non-technical terms, what the threats of an insecure captcha are, and how to make sure your captcha is strong enough.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Its main purpose is to distinguish automated requests from natural human behaviour.
By relying on people's ability to recognise distorted patterns in an image, we can separate humans from computers and from the bad bots that try to flood our databases. The captcha should be strong enough that no OCR or other image-processing system can solve it reliably; only then can we be confident that an automated bot cannot "pretend" to be human. Keep in mind that this is an arms race: distortion that defeated OCR a few years ago may be trivial for current image-recognition models, so the rendering and the surrounding checks need to be reviewed over time.
The idea is that the server knows what it showed to the client, because it saves the expected answer in the session or in a database. The expected text is then rendered into an image generated at request time and sent to the client. The answer itself must never reach the client in any other form (a hidden form field, a readable cookie, an image file name), because then a bot would not need to read the image at all.
The user reads the captcha and submits what he sees with his next request; the server compares that input with the stored expected value. If they do not match, verification fails and the request is rejected. Either way the stored value should be discarded after a single check and should expire after a short time, so an attacker cannot keep guessing against the same image or replay a solution that was obtained once.
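The server-side half of that flow, as an added example that is not code from the original article: the session is modelled as a plain dict standing in for the server-side session store, image rendering is left out because the point here is the bookkeeping, and the alphabet, length and lifetime are assumed values. The challenge is generated with a CSPRNG, stored only on the server, consumed on the first verification attempt whether it succeeds or not, rejected after it expires, and compared in constant time.

```python
import hmac
import secrets
import string
import time
from typing import Optional

# Assumed parameters (not from the article): the character set the image
# renderer draws from, the challenge length and how long a challenge stays valid.
CAPTCHA_ALPHABET = string.ascii_uppercase + string.digits
CAPTCHA_LENGTH = 6
CAPTCHA_TTL_SECONDS = 120


def new_captcha(session: dict, now: Optional[float] = None) -> str:
    """Create a fresh challenge, record it server-side, and return the text.

    The return value is meant for the image renderer only; it must never be
    written into the HTML, a cookie or a URL the client can read.
    """
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(CAPTCHA_LENGTH))
    # Replacing any previous challenge means a client can only ever hold one.
    session["captcha"] = {"answer": answer, "issued_at": now}
    return answer


def verify_captcha(session: dict, submitted: str, now: Optional[float] = None) -> bool:
    """Check the user's input against the stored challenge exactly once."""
    now = time.time() if now is None else now
    # Consume the challenge before deciding anything: a wrong guess must not
    # leave the same image available for another attempt.
    challenge = session.pop("captcha", None)
    if challenge is None:
        return False                      # nothing issued, or already used
    if now - challenge["issued_at"] > CAPTCHA_TTL_SECONDS:
        return False                      # too old, force a new image
    expected = challenge["answer"].encode()
    # The rendered alphabet is upper case, so accept either case from the user.
    guess = (submitted or "").strip().upper().encode()
    # Constant-time comparison; both sides are fixed length in the normal case.
    return hmac.compare_digest(expected, guess)
```

In a web framework the `session` argument is the request's server-side session object and `now` is left at its default; the explicit `now` parameter only exists so the expiry logic can be exercised without waiting two minutes.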
With this simple mechanism, which exploits the advantage human vision still holds over most automated image-processing software, you can provide the level of protection your database and web assets need against misuse.
In addition to the captcha, it is useful to limit the number of requests accepted from one client in a given period. This makes it more difficult and time-consuming for an attacker to play around with your website, and it caps how many captcha guesses a bot can make even if it does manage to solve some of them.
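A minimal per-client sliding-window limiter for that purpose, added here as an example rather than taken from the article. The client key, the limit of three requests per sixty seconds and the example addresses are all assumptions; in practice the key would be the client IP (taken from the socket, or from a proxy header only when the proxy is trusted) combined with the session ID, and the counters would live in a shared store such as Redis rather than in process memory.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` for each client key.

    Each key keeps the timestamps of its recent requests; timestamps older
    than the window are dropped on every check, so the limit applies to any
    rolling window rather than to fixed calendar minutes.
    """

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Record one request for `key` and report whether it is within the limit."""
        now = time.time() if now is None else now
        hits = self._hits[key]
        cutoff = now - self.window
        # Forget requests that have aged out of the window.
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= self.limit:
            return False          # over budget: reject, do not record
        hits.append(now)
        return True


def client_key(remote_addr: str, session_id: str) -> str:
    """Assumed key derivation: address plus session so one NAT does not share a budget."""
    return f"{remote_addr}|{session_id}"
```

Apply the limiter before the captcha check, so that a client that has exhausted its budget is rejected without even being handed a fresh image; a rejected request should not reset the window, otherwise a bot that keeps hammering would never be counted as waiting.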