The internet has a bot problem, and it's had it for a long time. One solution is the "Completely Automated Public Turing test to tell Computers and Humans Apart" or CAPTCHA. You know, those little tests you have to do sometimes to open a site or complete a transaction.

At first, CAPTCHAs only took a second to solve, and then we moved on with our lives. Today, however, they have me doubting that I'm human at all.

A Brief History of CAPTCHAs

There's always been a need to obscure plain language from prying eyes. Think of a thieves' cant like Cockney Rhyming Slang, or the later so-called "leetspeak", where hackers and then other nerdy internet users obscured words by replacing some of the letters with numbers. Even today, users on TikTok and other similar platforms use terms like "unalived" in the (mistaken) belief that this will help them avoid being shadowbanned.

With automated web crawlers and other "bots" going about their business on the web, sites needed a way of stopping these software agents from proceeding past certain points. Perhaps this was to stop bots from buying up items for scalping purposes, or maybe the webmaster didn't want Google crawling and indexing certain pages.


Whatever the reason, the first CAPTCHAs were simple distortions of a text code or password. A human can easily read this, but early OCR (Optical Character Recognition) could not. A simple solution to the problem, and it was solved forever and was never an issue again—yeah right.

CAPTCHA Hell: Why They’re So Hard Now

The thing is, the darn bots keep advancing. In the past few years, AI vision systems and other AI solutions that interlink with computer vision have jumped ahead a huge distance. If I put an old-style CAPTCHA into ChatGPT, it not only solves it instantly, but rather cheekily asks if I want to learn about these "old" methods to block bots.

ChatGPT solving an old-style CAPTCHA with ease.

The same thing happens when I put in one of those grid-based tests, or any visual test. It's why these CAPTCHAs have now progressed to include logic puzzles and mental rotation tests usually only found in IQ tests.

While bot creators probably can't afford to send thousands of API calls to advanced models like ChatGPT just to break through CAPTCHA challenges, the cost of doing so is going down, and you can certainly do it for high-value data you want to scrape. Besides, much less sophisticated AI models are already beating these CAPTCHAs, since they only have to be trained to do a narrow set of tasks to be successful.

You’re the Product, Not the Customer

The real irony here is that it's partially the CAPTCHAs themselves, and the data we provided while solving them, that made such bots possible in the first place. For a long time, every time you solved a CAPTCHA you were training an AI vision model of some sort.

This is one of the reasons older-style CAPTCHAs are still around: the data they generate is worth money, so even if you don't really care about bots reading your site, you can still make a little something from the CAPTCHA while keeping the dumbest of the AI spam out.

Alternatives That Actually Make Sense

The Recaptcha "I'm not a robot" box

You may have noticed that these days when you click the "I am not a robot" box, it just lets you through. That seems counterintuitive, because couldn't a bot now just click the box and pass?

Well, that's the clever bit—this actually works to block bots. These new CAPTCHAs, in response to the tests becoming too ridiculous and elaborate, look at other signs that you're human. It's actually the stuff that happens before you click that box that determines whether you're a bot or not. How you move your mouse, how you scroll the page, the cadence of your typing, and the unique combination of it all is something a bot would find hard to imitate, though I suppose it's just a matter of time.

There's also the practice of device fingerprinting, where your computer's unique attributes (or the combination thereof) help detect suspicious behavior. In fact, you probably see fewer CAPTCHAs because of this. It's also why you tend to see more CAPTCHA challenges when you use a VPN. Lots of bots are sharing those same IP addresses and so you end up tripping the alarm that triggers additional verification.
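
One way a site could score the pre-click signals described above and fold in IP sharing, which shows why a real person on a busy VPN exit still gets a challenge. This is an added example, not reCAPTCHA's or any vendor's code; the feature names, point weights, thresholds and sample sessions are assumptions constructed for illustration.

```javascript
// Added illustration: feature names, weights and thresholds are assumptions.
function pathStraightness(points) {
  // Straight-line distance divided by travelled distance (1.0 = perfectly straight).
  if (points.length < 2) return null;
  let travelled = 0;
  for (let i = 1; i < points.length; i++) {
    travelled += Math.hypot(points[i].x - points[i - 1].x, points[i].y - points[i - 1].y);
  }
  const first = points[0], last = points[points.length - 1];
  const direct = Math.hypot(last.x - first.x, last.y - first.y);
  return travelled === 0 ? null : direct / travelled;
}

function cadenceVariation(keyTimesMs) {
  // Coefficient of variation of inter-key gaps; null when too few keystrokes to judge.
  if (keyTimesMs.length < 3) return null;
  const gaps = keyTimesMs.slice(1).map((t, i) => t - keyTimesMs[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  if (mean === 0) return 0;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean;
}

function assessSession(session, sessionsOnSameIp) {
  const reasons = [];
  let score = 0; // integer points, 0 (looks human) to 100 (looks automated)
  const straight = pathStraightness(session.pointer);
  if (straight === null) { score += 40; reasons.push("no pointer movement before click"); }
  else if (straight > 0.98) { score += 30; reasons.push("perfectly straight pointer path"); }
  const cv = cadenceVariation(session.keyTimesMs);
  if (cv !== null && cv < 0.05) { score += 30; reasons.push("metronomic typing cadence"); }
  if (session.scrollEvents === 0) { score += 10; reasons.push("no scrolling"); }
  if (sessionsOnSameIp > 50) { score += 30; reasons.push("heavily shared IP address"); }
  score = Math.min(100, score);
  // Low score: the checkbox simply passes. Middle: show a puzzle. High: refuse.
  const action = score < 30 ? "allow" : score < 70 ? "challenge" : "block";
  return { score, action, reasons };
}

// Constructed sample sessions (not real telemetry).
const humanSession = {
  pointer: [{ x: 0, y: 0 }, { x: 40, y: 60 }, { x: 95, y: 30 }, { x: 130, y: 110 }, { x: 180, y: 90 }],
  keyTimesMs: [0, 140, 310, 395, 640, 720],
  scrollEvents: 3,
};
const scriptedSession = { pointer: [], keyTimesMs: [0, 50, 100, 150, 200], scrollEvents: 0 };
```

Calling `assessSession(humanSession, 1)` passes silently, while the same session with 200 other sessions on its IP address lands in the challenge band on that signal alone.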


Maybe the Bots Deserve to Win

As CAPTCHAs have grown harder for humans and easier for bots, the original promise of the technology looks increasingly shaky. If the cost of keeping bots out is making real users miserable, it’s worth asking whether CAPTCHAs still have a place at all.


There are better tools available today, and in many cases, sites that rely heavily on CAPTCHAs are doing so out of habit rather than necessity. Until the web fully embraces those alternatives, though, we’ll all be stuck proving we know what a bicycle looks like—over and over again.