Captcha is a security control for a website, usually found on a registration form, on a login screen when dealing with forgotten passwords, or even in a website’s “Comments” section.
It is used to prevent malicious automated software from spamming the website or completing the registration process, and also to prevent automated software from performing brute force attacks against a password field. The aim is to force a real, live user to perform the actions on the site.
There are many different types of Captcha functions. The most common usually contains an image of some distorted characters, with a free text field below the image for the user to type the characters before the form can be submitted.
Another type of Captcha method displays images or colours. The user is asked to select or click on a specific image or colour in order to progress with the submission of the web form.
When testing a Captcha function, there are various areas that need to be taken into account. Below are some examples of where to focus your testing in these areas…
- Captcha must be difficult for bots (automated malicious software) but must remain easy for humans. It should not take multiple attempts for a human to be able to read the distorted text.
- If the distorted text has been entered correctly, but a validation problem occurs on another field on the form, the user should not be expected to enter the Captcha text again. This would be very frustrating for any user.
- Information should be available to the user on details such as whether the Captcha text is case-sensitive, which would help the user complete the field with less trouble.
- Some Captcha functions also offer an Audio output for the distorted text. The button icon must be clearly identifiable and the Audio output must be clear and concise as to what the text is.
- Keyboard strokes should also work on the Captcha field. Users should be able to tab onto and off of the Captcha text field as they can on any other field on the form, use the enter key to progress, etc.
- There may be other accessibility rules for certain Captcha functions; for example, if a colour selection Captcha is in use, then colour-blind users need to be taken into account.
- There may be localization requirements for scripts that do not use the English alphabet… For example: Arabic, Chinese, Greek, Hindi, Hebrew, Hungarian and Japanese, to name a few.
- The Captcha image must not be readable by OCR software at all. If OCR software were able to read the characters in the Captcha image, then the Captcha would offer little protection against automated attacks.
- If text is being used in the Captcha image (as opposed to pictures or colours), the image should use random characters, in a random order, with random spacing, and should be adequately distorted, possibly with some pixel speckling too. If the same layout is always used (e.g. 3 letters followed by 3 numbers), it only makes things easier for an attacker.
- The main function of the Captcha is for security, but it should not hinder the users of the system. The functionality of the form that the Captcha image is on should not be hindered in any way.
- The Captcha should display appropriate validation messages to the user: if the field has been left blank, if the incorrect code has been entered in the field, or if any other validation rule applies (such as case sensitivity, etc).
- “Refresh image” button: the button should be clearly labelled. It needs to refresh the form to display a new image in the Captcha, but any values already entered into other fields on the form must remain in those fields when the “Refresh image” button is clicked. After a refresh, the text field must not accept the code from the previous Captcha image to progress the form, etc.
- The “Audio” button: the “Audio” button should read the code out loud and clearly, and the reading should be understandable.
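One way to implement the server side of the rules above (random codes with no fixed layout, a code that can only be checked once, a refresh that invalidates the previous code, clear validation messages, and a solved code that survives validation errors on other fields), as an added example that is not code from the original post. `CaptchaStore`, its method names, the time-to-live and the message texts are assumptions for illustration; rendering the code as a distorted image or audio is out of scope here.

```python
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # constructed example alphabet

class CaptchaStore:
    """Server-side one-time CAPTCHA challenges keyed by an opaque token (constructed example, not a library)."""

    def __init__(self, ttl_seconds=300, case_sensitive=False, min_len=5, max_len=8):
        self.ttl, self.case_sensitive = ttl_seconds, case_sensitive
        self.min_len, self.max_len = min_len, max_len
        self._open = {}    # token -> (answer, expires_at): issued, not yet answered
        self._solved = {}  # token -> expires_at: answered correctly, form not yet accepted

    def new_challenge(self):
        """Issue a fresh code: random length, random characters, no fixed layout."""
        length = self.min_len + secrets.randbelow(self.max_len - self.min_len + 1)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        token = secrets.token_urlsafe(16)
        self._open[token] = (answer, time.monotonic() + self.ttl)
        return token, answer  # the answer goes only into the rendered image/audio, never to the client as text

    def refresh(self, old_token):
        """'Refresh image': the previous code must stop working before a new one is issued."""
        self._open.pop(old_token, None)
        return self.new_challenge()

    def verify(self, token, user_input):
        """Check the typed code once; returns (ok, message) for the form's validation text."""
        typed = (user_input or "").strip()
        if not typed:  # blank field: report it without spending the challenge
            return False, "Please enter the characters shown in the image."
        record = self._open.pop(token, None)  # consumed whether the answer is right or wrong
        if record is None or time.monotonic() > record[1]:
            return False, "This code has expired or was already used; refresh the image."
        answer, typed = (record[0], typed) if self.case_sensitive else (record[0].lower(), typed.lower())
        if not secrets.compare_digest(answer.encode(), typed.encode()):  # constant-time comparison
            return False, "The characters you entered do not match the image."
        self._solved[token] = record[1]  # remembered so errors on other fields do not re-prompt
        return True, "OK"

    def is_solved(self, token):
        """True while a solved code can still cover a resubmission of the same form."""
        return self._solved.get(token, 0) > time.monotonic()

    def accept(self, token):
        """Called once the whole form passes validation; the solved code is spent here."""
        return self._solved.pop(token, None) is not None
```

A form handler would call `verify` only when `is_solved(token)` is false, so a user who fixes an unrelated field error is not asked for the code again, and `accept` on the final successful submission.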