How Do Those “I’m Not a Robot” Tests Work?

How does clicking a box verify your humanity?

If you’ve signed in to a new or existing Internet account, or set one up, you’ve probably had to check one of those boxes that says “I’m not a robot.” Some of them are a little more complicated, requiring you to identify storefronts, cars, or traffic lights in various images; some of them are as easy as clicking a single box. But all of them are basic enough that you’ve probably wondered, how they can possibly keep robots out?

What are those tests, exactly?

Calling them “‘I’m not a robot’ tests” is much more of a mouthful than their actual name: CAPTCHA. You’ve probably seen these letters, or else “reCAPTCHA,” accompanying some of those tests. “A HIP/CAPTCHA fundamentally is any mechanism by which a computer—more pedantically, software written by a programmer—can identify if it is interacting with a human being rather than another computer,” says Samuel Bucholtz, co-founder of Casaba Security. HIP is short for “Human Interactive Proof,” and while you’ll almost exclusively just hear “CAPTCHA,” those letters are short for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.” CAPTCHA is definitely one of the tech terms you should know by now.

How do they work?

These tests, simple though they may seem, can thwart a computer’s attempt to hack a password. When a bot “tries” to hack a password, it’ll input thousands of potential password combinations. “Computers can repeat actions they are programmed to perform very rapidly; for example, trying every password from A to ZZZZZZ,” Bucholtz explains. “If you want to prevent a computer running automation software from trying to guess a user’s password by trying every combination, you can add a HIP/CAPTCHA that must be submitted with the password attempt.”

It basically boils down to the fact that computers are designed to do very complex tasks—but simple ones trip them up. “Computers are not good at solving problems that are trivial to people,” explains John Lloyd, chief technology officer of Casaba Security. “We can look at a grid of photos and quickly recognize cars, crosswalks, or traffic lights. The same task is a complex image recognition issue for a computer that requires a level of processing power unavailable to most people.” This flaw of computers is one of the cyber secrets hackers don’t want you to know.

How does CAPTCHA stop would-be cyberattacks?

The CAPTCHA basically halts a hacking computer in its tracks with its so-easy-it’s-hard task. “Since a CAPTCHA is designed in such a fashion as to be difficult or impossible to solve by the computer, the attacking computer is no longer able to submit guesses,” says Bucholtz.

When a user, human or not, attempts to fill out the CAPTCHA test, “the API then looks at the user’s cookies, location, and cached browser data before sending a score back to the web application,” Lloyd says. “A bot can’t simultaneously behave like a human and conduct the kind of tasks you would create a bot for in the first place. Since the information about the bot’s behavior is shared across sites, the bot gets thwarted once it gets recognized.”

CAPTCHA and phishing

Unfortunately, hacks that have been foiled by a CAPTCHA may not stop there. Bucholtz warns that “users have been tricked into solving a CAPTCHA for the computer to use as part of its attack against another CAPTCHA-protected system.” This usually manifests as phishing. If you’re not sure how phishing works, here’s how to avoid a phishing scam.

“A phishing site using a CAPTCHA would be the same as a phishing site using any other content to fool you,” Bucholtz explains. “The phishing site certainly could get you to solve a CAPTCHA that some other site the phishing site is trying to attack has asked to be solved.” So basically, if a computer can’t hack a CAPTCHA itself, it could instead automate an email in hopes of getting an unsuspecting human to click the CAPTCHA instead. As is the case with any email, you should verify the sender and avoid clicking any links (or anti-robot boxes!) until you’re sure the email is legitimate. Next, find out some common online scams you should be aware of—and how to avoid them.

Meghan Jones
Meghan Jones is a Staff Writer for RD.com who has been writing since before she could write. She graduated from Marist College with a Bachelor of Arts in English and has been writing for Reader's Digest since 2017. In spring 2017, her creative nonfiction piece "Anticipation" was published in Angles literary magazine. She is a proud Hufflepuff and member of Team Cap.