
Here is an idea I thought of for a captcha. Render your webpage and form and include a hidden "password" field. Use a javascript hashing algorithm to hash the password on the client browser (preferably a very slow one that uses a lot of CPU). When you submit the form check the calculated hash the client did with a pre-calculated hash on the server. If they don't match reject the form. You can pre-generate a list of password/hash combinations to avoid slowing down your servers. Could it work?



It would certainly help in some cases, and act as a delay in some others. It pretty much wouldn't stop a targeted attack since they quite probably don't really care about how much CPU use each request is using, and you literally have to publish the code to generate the hash, so it makes it pretty easy to reverse engineer.


It's not reverse-engineerable. It's basically "proof-of-work", as in all participants know the algorithm; you just make attackers spend CPU time to use your site, which would slow them down or cost money.


It could work... If you want to set minimal system requirements to visit your website.

It will also annoy users of password managers with auto-filling capabilities. "password" is normally used for actual passwords.

Besides, nothing stops the attacker from replacing your code with a faster implementation.


There are password hashing algorithms out there (like bcrypt) that specifically take a long time to compute using the fastest method that we can think of.


I shouldn't have named it "password". The idea was all the form fields are hidden and the process is transparent to the user.


This sounds similar to the blockchain email spam prevention Hashcash.

https://en.m.wikipedia.org/wiki/Hashcash



