What is CAPTCHA?
CAPTCHA is the abbreviation for Completely Automated Public Turing test to tell Computers and Humans Apart. Basically, CAPTCHA is used to distinguish between humans and bots so as to prevent DoS, DDoS or buffer overflow attacks, since such attacks usually use bots to send multiple requests. A CAPTCHA is a random combination of letters, digits and/or special characters that is shown to the user on the screen. Sometimes, a CAPTCHA can also take the form of a set of images from which the user has to select the ones showing a specific object. When the user types the CAPTCHA exactly as shown, or fulfils the condition specified in the CAPTCHA, the user is considered to be a genuine human and is allowed to submit the form or request.

Why is CAPTCHA important?
Implementing CAPTCHA helps prevent spam form submissions that may lead to DoS or buffer overflow attacks. Normally, forms on pre-login pages, such as a 'create user' form, do not require user authentication. However, the data submitted through these forms is still stored on the server. Attackers take advantage of this fact and use a bot to submit multiple requests, causing a DoS attack or a buffer overflow attack which may lead to the website becoming slow or eventually crashing. In order to prevent such attacks, CAPTCHA is implemented on pre-login pages.

How to implement CAPTCHA?
The following points should be considered while implementing CAPTCHA:

  1. CAPTCHA should not be too complex or overly distorted. It should be user friendly so as to reduce the time required by the users to understand and complete it.
  2. It should have both client-side and server-side validation.
  3. Once a CAPTCHA is used, it should be deleted from the database so as to prevent re-use of the same CAPTCHA.
  4. If the CAPTCHA is being passed through the form parameters, the value should be encrypted so as to prevent tampering with the CAPTCHA value.
  5. The values of CAPTCHA should not be repetitive.
  6. The values of CAPTCHA should not be guessable.
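As an added example (not code from the original article), here is a minimal server-side implementation of points 2 to 6 in Python: the answer is generated with a CSPRNG from an unambiguous alphabet, kept only on the server, and deleted on the first verification attempt; the only value travelling through the form parameters is a challenge id with an HMAC so it cannot be tampered with. The in-memory store, the server key and the 5-minute lifetime are assumptions of this example.

```python
import hmac
import secrets
import time

# Assumptions of this example: an in-memory store standing in for the
# database, a per-server key that never reaches the client, 5-minute expiry.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I: easier on users
TTL_SECONDS = 300
SECRET_KEY = secrets.token_bytes(32)
_store: dict[str, tuple[str, float]] = {}  # challenge_id -> (answer, expiry)


def sign(challenge_id: str) -> str:
    """Tamper-evident tag for the id that is passed through the form."""
    return hmac.new(SECRET_KEY, challenge_id.encode(), "sha256").hexdigest()


def new_challenge(length: int = 6) -> tuple[str, str, str]:
    """Create a challenge; returns (challenge_id, token, answer).
    The answer is only used to render the image; the client receives
    just the id and the token as hidden form fields."""
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    challenge_id = secrets.token_urlsafe(16)  # unguessable, non-repeating
    _store[challenge_id] = (answer, time.time() + TTL_SECONDS)
    return challenge_id, sign(challenge_id), answer


def verify(challenge_id: str, token: str, user_input: str) -> bool:
    """Server-side validation. A tampered token is rejected outright; an
    untampered challenge is consumed on the first attempt, right or wrong,
    so the same CAPTCHA can never be replayed."""
    if not hmac.compare_digest(sign(challenge_id), token):
        return False  # form parameter was altered
    entry = _store.pop(challenge_id, None)  # single use: delete regardless
    if entry is None:
        return False  # unknown, already used, or never issued
    answer, expiry = entry
    if time.time() > expiry:
        return False
    return hmac.compare_digest(answer, user_input.strip().upper())
```

Client-side validation (point 2) only saves the user a round trip; the `verify` call is the check that actually decides whether the submission is accepted.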