Stuck in CAPTCHA Hell: When Security Disables

Opinion
Mar 03, 2012 | 6 mins
Access Control, Identity Management Solutions

It was just after 5 AM on a workday. I had my coffee, and I needed to quickly check my work email for status on a problem. Glancing through the list of new items, I was intrigued by an unexpected message from a LinkedIn group member who I respect. I wanted to leave a comment, so I clicked on the link.

But as I tried to log on to my LinkedIn account, a CAPTCHA popped up questioning my credentials.

“Darn, I hate when this happens,” I thought. “No worries, I’ve been through this security checkpoint before.”

I typed in the two different words with the fuzzy characters. “Is there a space between these or not?” Nope – got it wrong.

Take 2

I got my glasses out and looked closer this time. Fortunately, you get to choose new images, if you think the one in front of you looks too weird. I hit the “refresh” button. Again, again and again. Finally, I liked about the fifth option. I typed in the two words. No dice.

I was mad at myself. “Wake up Lohrmann ….”

Take 3 & 4

I tried again. Calmly, I liked the first image this time. I carefully typed each word, slowly and deliberately. INCORRECT!  ….  What?

I got up, walked into the kitchen and got another cup of coffee. I came back three minutes later and stared at the screen. Now I was getting a bit annoyed. I went through the “refresh” choice about six more times. OK, I can get this one right. I checked the “Caps Lock,” but it was NOT on.

I thought to myself, “I will try to type as if I’m acting in a kid’s play in slowwwww motion.” Here we go – I typed in each letter, one by one, very methodically. I went very, very, very slowly, making sure that each letter placed into the computer was exactly the way that I saw them on the screen. When I hit return, nope.

Failure Options

Now, I could hear the computer program talking to me: “Are you really Dan Lohrmann? I don’t think you are. In fact, I’m going to make the task of logging in even more difficult for you, because I don’t trust you. You’re probably a bad-guy hacker. You are an imposter!”

I tried all kinds of other options. I launched another browser session and tried logging on by just going to LinkedIn directly. I used my trusted helpful “Protection Suite” with my logon passwords kept safe by a famous vendor. I tried, you know, everything I could think of – etc, etc, etc. But I kept getting that stupid CAPTCHA bottleneck.

I started questioning what was going on: “Was this sad situation because I was logging in at an unexpected hour and they weren’t going to let me onto the website until after 6 AM? Did I surprise them and fail the profile with my too-early activity? Is this like my credit card number showing up in China?”

This “incident” was now escalating in my mind. “Let’s activate the command center – just kidding.”  But I was getting really, really annoyed. My thoughts were far from supportive of the security industry at this point.

Who created this stupid CAPTCHA-thing anyway? I looked it up. I’ll send him a letter. Why are the images getting more and more difficult over the years? Why are there different fonts with all these crazy lines running through them that could be letters or just distractions? I think a computer program could figure this out easier than me – or maybe not.

I closed my eyes and pondered. Maybe this was a business opportunity? I did some Google searches. My mind raced: “Are there CAPTCHA alternatives? I really like LinkedIn, but how about a frequent flyer line for “online travelers” who are trusted? Can I sign up for some different authentication scheme? What about….”  

OK – back to the task at hand. This rabbit trail is getting really bothersome, but “I WILL NOT BE DEFEATED! I WILL OVERCOME THE SECURITY OBSTACLES PLACED BEFORE ME at 5:15 AM!”

Wait It Out

You can stop the video and fast-forward at this point. The sad truth is that this process (and associated negative thoughts) went on, and on for about another 20 minutes. Yes, I was a glutton for punishment, and I don’t really know why. Still, I never successfully logged onto LinkedIn during that hour. My morning was unofficially a mess.

I turned off my computer. Read a book, worked out, took a shower and ate breakfast. After more than an hour, I calmly approached my PC, turned it on and tried LinkedIn again.

It worked! Oh yeah! No CAPTCHA, no waiting, no delay – I was in. I was set free!! Released from CAPTCHA hell! CELEBRATION! Yes, I started singing in my head: “Celebrate good times, come on…”

Analysis

That night after work, I looked back and laughed at myself. All that for trying to leave a helpful comment? I thought about the crazy sequence of events. “Could I ever have dreamed of this happening twenty years ago? I wanted justice. But this is a free service. OK, we’re in the 21st century … I’ll write a blog … I’ll rant. I’ll try to make lemonade out of this lemon. There must be others who’ve experienced the same things. Perhaps this happened for a good reason?”

Getting more personal in my organizational psychotherapy:  “Do my customers see our government security services in the same way sometimes? Is this another example of security as a disabler?”  This was a reminder to me (and us) to walk a mile in their shoes. Eat our own virtual dog food. Admit failures. Move or remove cyber barriers to getting things done, if possible.

I’m sure there is another side to this story. No doubt, CAPTCHA security works in most cases. If I let LinkedIn executives explain, they might tell me how I messed up. But that’s probably not worth the effort. (Unless they want to respond to this blog….) Nevertheless, I don’t think I’ll ever forget my morning in unexpected social networking logon misery.

Thoughts or stories? Ever been in CAPTCHA hell?

dlohrmann

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
