Areas of application of Captcha

For what purposes are CAPTCHAs used?

CAPTCHAs are used in various areas and are primarily used to increase cybersecurity and data protection. The best-known application of CAPTCHAs is the blocking of automated form entries by bots. CAPTCHAs are used in the following areas of application, for example, to protect them from harmful attacks or misuse.

Data manipulation

  • Reduction of comment spam
  • Filtering of email spam for contact forms
  • Preventing bot-based manipulation of online surveys and maintaining survey accuracy
  • Preventing automated fake registrations (web registration) or restricting registration for services, e.g. to generate fake leads
  • Prevention of fake click numbers
  • Prevention of automated blog entries

Data theft

  • Preventing the collection of user data (phishing)
  • Protecting confidential information on websites
  • Preventing brute force attacks, e.g. to hack passwords
  • Preventing the distribution of links to phishing websites to infect end devices with malicious viruses and bot worms
  • Prevention of Sybil attacks - creation of false identities


  • Preventing illegal logins to multiple accounts on one website
  • Mitigation of dictionary attacks
  • Prevention of ticket scalping - illegal, mass collection of tickets for profitable resale

Hint: Bad Bot, Good Bot

Not all bots are used to cause damage. Many bots are there to perform useful tasks automatically. These benevolent bots are designed to make life easier for humans. 

Application example - Login forms

A login form often has no CAPTCHA. Protection is therefore often provided via the server and user side. As a result, the server must keep track of password hacking attempts, for example, and the user should use a more complex password.

A captcha can slow down possible attempts and very probably make them unusable. This can be illustrated with an example calculation for brute force attacks.

For example, a login mask can be protected with ALAN Captcha. Let's assume that the complexity of the cryptographic puzzle is set to around 5 seconds per request. This means that solving a task takes about 5 seconds. Therefore, an attacker can only test a username and password combination with a single client every 5 seconds. If the attack stays at 10 seconds per form submission, an attacker could only test 1,576,800 passwords per year or 4320 per day - that's pretty slow and not very promising.