Some of you might know what the word CAPTCHA refers to when you see it; others may not. If I show you a picture of one, then there's a good chance you'll know what I'm talking about. Here's one from a very popular web site (Yahoo):

Yes, they're those interesting combinations of letters and numbers that web sites ask you to provide before you press the SUBMIT button to either create an account, order tickets online, or execute some other important online transaction. CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart" and it's designed to make sure that real people are executing a transaction and not some computer program that's been designed by a hacker or spammer.
CAPTCHAs, unfortunately, are under siege. Hackers are creating more and more sophisticated programs to get around the simplest of them, and the expectation is that the letter-and-number-combo variety of CAPTCHAs will soon be obsolete.
New kinds of CAPTCHAs are being created to "raise the bar" in this escalating arms race. These involve the user identifying one of many images, for example: "in the 5 pictures above, click on the one that has a banana in it", or answering a question that involves some amount of processing, such as "add the first 2 numbers, subtract the third number, and enter the answer here". You can read more about the interesting ways that people are trying to improve CAPTCHAs here.
All very interesting, but why is this important to me, you might ask? Well, if you have forms on your web site that are available to the public and they execute an important transaction or involve sending an e-mail, and you're not using a CAPTCHA to protect them, you may be vulnerable to both spammers and hackers. And if you are using a CAPTCHA to protect your website, but it's one of these early letter-and-number-combo varieties, you may also be at risk.
Here's an example... Many public web sites have stopped displaying e-mail addresses as a way for consumers to contact the company because they've found out that spammers harvest these addresses and then target them for spam. In their place, businesses have learned to use Contact Us forms. But what many companies don't know or haven't learned is that these Contact Us forms can be used to send spam. And lots of it, especially if the program behind the form sends a confirmation e-mail back to the "person" who's supposedly filled the form in. And that's where a CAPTCHA can be helpful. Adding it to the Contact Us form gives you reasonable assurance that a human is actually filling in the form and not an automated spam trawler.
So check out your web site. If you've got a Contact Us form that generates e-mail, or an important transaction that you only want a real person to execute, then you should be considering the use of a CAPTCHA.
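To make the Contact Us case concrete, here is an added example (not code from this article or any particular site) of the arithmetic-style challenge described above gating the confirmation e-mail on the server side. The names `new_challenge`, `verify`, `handle_contact_form`, the form field names and the 300-second lifetime are assumptions chosen for illustration.

```python
import secrets
import time

TTL_SECONDS = 300   # assumed lifetime: how long a visitor has to solve the challenge
PENDING = {}        # challenge id -> (expected answer, expiry time), kept server-side


def new_challenge(now=None):
    """Create the 'add two numbers, subtract a third' question for the form."""
    now = time.time() if now is None else now
    a, b, c = (secrets.randbelow(9) + 1 for _ in range(3))
    challenge_id = secrets.token_urlsafe(16)
    # The answer never leaves the server; the page only receives the id and question.
    PENDING[challenge_id] = (a + b - c, now + TTL_SECONDS)
    question = f"Add {a} and {b}, subtract {c}, and enter the answer here"
    return challenge_id, question


def verify(challenge_id, answer, now=None):
    """Check one answer. Each challenge is single-use, whether right or wrong."""
    now = time.time() if now is None else now
    entry = PENDING.pop(challenge_id, None)   # pop: no replays, no second guesses
    if entry is None:
        return False
    expected, expires = entry
    if now > expires:
        return False
    try:
        return int(answer) == expected
    except (TypeError, ValueError):           # missing or non-numeric answer
        return False


def handle_contact_form(form, send_mail, now=None):
    """Send the confirmation e-mail only after the challenge is solved."""
    if not verify(form.get("captcha_id"), form.get("captcha_answer"), now):
        return "rejected"                     # nothing is mailed to form["email"]
    send_mail(form["email"], "We received your message")
    return "sent"
```

The point to notice is the ordering in `handle_contact_form`: the address typed into the form is never mailed until the challenge has been verified, and a failed or replayed attempt consumes the challenge.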