What does a Google reCaptcha actually do?

[UKSBD]

I have a form on a site which gets a lot of spam and junk

I added a Google reCAPTCHA to it, but what does this actually do?

from what I can see so far it just adds a tick box to confirm you are not a bot, how does this stop anything? or does it do more behind the scenes?

 

[Ethan39]

A lot of what it does is "proprietary" because, much like with SEO, if the details were public it becomes a lot easier to bypass.

My understanding is that it monitors the activity of the user to see if they are a bot or not.

Over the years, I've seen a lot of talk that the main way it does this is by monitoring mouse movements. Humans have no pattern to mouse movements, whereas bots almost always do (even if there's an element of randomness to the movement, there is still a "pattern").

If reCaptcha doesn't detect any strangeness in the way you interact with the checkbox, it will simply let you continue without doing anything further. If it does find problems it will stop the user from carrying on.

If the system isn't sure whether the user is a bot or a human, it has further checks (like clicking every square with a bike/bridge/traffic light etc etc.).

I'm sure there's more behind the scenes, probably even some details that are public or at least have good guesses, but the long and short of it is "It's an industry-recognised system for preventing bots from a reputable source".

 

[Kerwin]

I have a form on a site which gets a lot of spam and junk

I added a Google reCAPTCHA to it, but what does this actually do?

from what I can see so far it just adds a tick box to confirm you are not a bot, how does this stop anything? or does it do more behind the scenes?

It looks to see if the agent clicking on the button is a human or a bot.

For instance is the page loads and the button is instantly clicked then it will assume it is a bot as no human can click something instantly. There is normally say a 20 to 30 second delay before it gets clicks. It also uses data about IP addresses that have shown bot like behaviour or what network is connecting.

 

[fisicx]

I stopped using reCaptcha a while back because there are far better ways to block the bots.

1. A field hidden using CSS that request then to add the word 'yes'.
2. A script to check how quickly the form is completed.
3. A maths question (eg: 3 + 4 = ).

Far easier than trying to guess if something is bicycle or not and blocks all bots. Won't stop someone manually filling in the form but neither does reCapture. It also means less Google tracking takes place.

 

[Ozzy]

from what I can see so far it just adds a tick box to confirm you are not a bot, how does this stop anything? or does it do more behind the scenes?

First of all it switches on the users webcam and looks to see if the user is synthetic or organic. To verify it then takes a pulse reading via the keyboard button pulse sensors, and measures body temperature through the mouse thermo sensors.
All synthetic skin users with no pulse and a cold temperature are blocked as bots.

 

[fisicx]

All synthetic skin users with no pulse and a cold temperature are blocked as bots.

That's why the Mother-in-law has so many problems

 

[Small Business Ltd]

Have you looked at your Google reCAPTCHA account stats to see if it’s stopped anything? You can see if it’s stopped anything over the last 90 days. If it has, it’s doing something.

Note: Google Re-Capcha out of the box requires cookies and therefore requires a cookie banner / consent as it is not an essential cookie.

I use a number of CSS / scripts ranging from the person having to type “no copy and paste or right click” on the form, "What’s higher 1 or 10" and "type the name of this website". I also restrict people being able to add much content (200 characters or call us to discuss) and I do not allow hyperlinks in forms. If the person still reports spam, I know it’s someone human going through all this hassle to send the spam and there is not much more I can do, other than start adding “do not allow” certain words from being added. I manage to stop most spam using these types of actions.

For my wordpress websites, I also use the Plugin “WP Armour Honeypot Anti Spam”. It’s a nice plugin that also shows how much spam has been caught and stops Javascript from being added.