Fight spam and bots in Web applications with CAPTCHAs

CAPTCHA is used to discern humans from computers to make sure someone (and not automated software or a bot) is really using the Web application. Here are implementations for use within your applications.


Differentiating between a human user and a computer is a common task for Web applications. The need for such differentiation is due to spam and automated software or bots. One approach to testing for a human user is CAPTCHA, which makes a user type what they see in an image to use some functionality in a Web application.

What is a CAPTCHA?

CAPTCHA is an acronym for the rather lengthy phrase "Completely Automated Public Turing test to tell Computers and Humans Apart." A CAPTCHA is a program that generates an image of letters and numbers that can be passed by most humans but not current computer systems. The user types the characters into a corresponding text box to pass the test. It provides simple yet practical security for various areas of a Web application.

Why use CAPTCHA?

The main goal of CAPTCHA is preventing automated software or bots from performing certain actions on a site. Sure, the automated code may access the site, but you don't want it posting comments (spam), creating user accounts, or placing orders. There are a variety of situations targeted by CAPTCHA, which include the following:

  • Site registration: A site can limit access to its registration system or page by using CAPTCHA as a gate to accessing it.
  • Comments: Sites that allow comments often have generated content that is obviously not entered by a user. For instance, sites such as Blogger use CAPTCHA to control access to posting comments.
  • Polls: CAPTCHA can help maintain the integrity of a poll by letting only humans participate.
  • Passwords: A common way to attack a site is via a dictionary attack where brunt force is applied to a password field in an attempt to guess it. CAPTCHA can be used to control access to the password field, thus leaving bots in the cold.


CAPTCHA has been around for some time, so there are various implementations for use within your applications.

If you want to write your own code for using CAPTCHA in an application, the CAPTCHA project site provides a set of guidelines, which instructs you on how to make it accessible and secure the image and script. Here is a good example using ASP.NET.


A main drawback and an initial complaint regarding CAPTCHA is the inaccessibility of such images to users with visual impairments. Some systems gain accessibility by offering a spoken version of the image text via an audio file. When using a technology like CAPTCHA, functionality to recognize users with disabilities as human is necessary. The W3C offers a great paper on the issues of accessibility in a technology like CAPTCHA.

Not bulletproof

CAPTCHA provides a security solution based on artificial intelligence, but it is not a perfect solution. It offers an easy way to thwart most attacks, but a determined programmer may be able to develop code to break through such a hurdle to gain access to site features. For instance, a recent ZDNet story describes how spammers attacked Microsoft's CAPTCHA — again.

Programmers are persistent, so OCR software may be used to identify the text in an image and pass through the CAPTCHA gate. To counter such moves, new approaches to CAPTCHA are being developed, which include distorting images in a way that makes them unreadable by OCR software. It is a never-ending battle that goes back and forth because spammers are determined to circumvent the system.

Another way around a security mechanism like CAPTCHA is via social engineering. There have been many reports of sites offering free porn to users who key in the solution to a CAPTCHA, which is then used elsewhere to access a site. This is one example of employing humans to crack the code.

Developers continue to push technology to thwart attacks; one example is BaffleText, which offers an improved CAPTCHA.


A Web application is a funny beast — you want users to visit and use the site, but you only want a certain type of user. For one thing, automated code or bots are usually not welcome — especially with certain areas of a site like collection information. This is where a security technology like CAPTCHA is used to discern humans from computers to make sure someone is really using the application.

Have you used the CAPTCHA technology in your applications? If so, did you create your own solution or use a free or commercial offering? Has using the technology been successful in keeping unwanted users away?

Tony Patton began his professional career as an application developer earning Java, VB, Lotus, and XML certifications to bolster his knowledge.


Get weekly development tips in your inbox Keep your developer skills sharp by signing up for TechRepublic's free Web Developer newsletter, delivered each Tuesday. Automatically subscribe today!


Tony Patton has worn many hats over his 15+ years in the IT industry while witnessing many technologies come and go. He currently focuses on .NET and Web Development while trying to grasp the many facets of supporting such technologies in a productio...

Editor's Picks