Cap is a lightweight, modern open-source CAPTCHA alternative designed using SHA-256 proof-of-work.
It's:
- ⚡️ 250x smaller than hCaptcha
- 🔒️ Private
- 🌈 Fully customizable
- 🤖 PoW-based
- 🌳 Fully FOSS
- 💨 Invisible
Replies
SyncSignature
That looks great!
@neelptl2602 thank you!
Can anyone share how flexible the theme options are?
@robert_pim you can fully customize the widget using CSS variables
Elisi : AI-powered Goal Management App
Love this approach! 💡 Using SHA-256 proof-of-work as a CAPTCHA alternative is such a smart, elegant solution — especially in an era where user privacy and page speed really matter. 🔒⚡️
Curious how it performs in real-world bot scenarios — any benchmarks or early adopter feedback?
Awesome work, and congrats on the launch! 🚀
@williamrobertscott would love to know more about this @tr3 !
Great work BTW 🔥
@williamrobertscott @chamaru hi there, you can read more about PoW here: https://capjs.js.org/guide/effectiveness.html
and run a benchmark here: https://capjs.js.org/guide/benchmark.html
i'm still running this benchmark on a bunch of devices
Interesting! How does it work? How does it verify i'm a human?
@sentry_co it uses private, accessible proof-of-work. you can read more on the docs
@tr3 Very interesting! Forgive me! But I did not understand the problem and the solution here. So I asked perplexity. It came up with a pretty good answer: https://www.perplexity.ai/search/how-does-this-technology-work-GRfvnIltTXKObXZPQBvVaA#0 Maybe some content for your readme docs to make it more succinct?
One question remains. So the PoW algo. Makes it prohibitive for bots to cheat the captcha. How much cost does it penalize bots with? Is this CPU watts or? Like 0.1$ in computation?
And do you think this is the future of captcha? Mine some "bitcoins", to fight bots?
@sentry_co hi there, you should read the effectiveness page, it explains much more in detail: https://capjs.js.org/guide/effectiveness.html
just like training AIs or mining bitcoin is expensive, so is solving a huge quantity of proof-of-work. i recommend checking https://www.researchgate.net/publication/374638786_Proof-of-Work_CAPTCHA_with_password_cracking_functionality
@tr3 It doesn't say anything about how much cost is incurred on the bots. Some transparency around this would be gold. Also, does it increase the difficulty of the challenge on repeated attempts? If not, may this be a future feature? The research paper you linked to describes a password cracking functionality. Is Cap used for this purpose? That raises an ethical dilemma, and end-user legal dilemmas. Also, how does it perform on mobile devices with limited computational resources and battery? Some transparency around this would also be great. Btw. I think this project is really cool! So that's why I'm curious. 😸 I also asked pplx regarding the research paper. And it echoed some of the questions: https://www.perplexity.ai/search/what-are-some-of-the-pros-and-uy_EbHZ1TsSlpMGSkFVTXw#0
really cool. upvoted
I'm a bit concerned about its effectiveness. Prove me wrong, I'd be happy if this works as well as the others.
First, this does not verify if I'm a human, but if I have enough computational resources. A similar system was developed (Hashcash) which is not really used in popular email clients. In my opinion, it works for Bitcoin for the same reason it didn't work for email: it doesn't verify if you're a human, it just verifies your computational resources.
This raises some questions. What if someone is browsing my site from an old computer? The verification will take a lot longer and possibly use all the resources that device has for minutes.
What happens to botnets? While tracking-based captchas have a chance to combat them, it doesn't really matter if hacker guy has to do some PoW on the botnet computers.
Thanks to Bitcoin, we also have really efficient sha256 ASICs - computers that only solve sha256, but they do it really efficiently. If a verification takes 2 seconds on a CPU, then it will take milliseconds on an ASIC. So with just one ASIC, I'm able to essentially break any website.
Right now I think this captcha is MUCH better than not using any captcha - but I don't think it is better than the tracking-based captchas. I'd be the happiest if this could work, so please prove me wrong if I didn't get it right. I also think it is really important to have experiments like this, I really support the direction.
@dawe You should read more about PoW here: https://capjs.js.org/guide/effectiveness.html
botnets can't really solve the captcha in a reasonable amount of time since they're usually very low-powered devices such as security cameras or routers
it's not really that slow on old computers, you can test it yourself here: https://capjs.js.org/guide/benchmark.html
yes, the concern about sha256 ASICs is valid. i'm working on moving the captcha to blake3 or other algorithm
@tr3 Wow this is awesome, maybe RandomX could work too
This is great. I will use it on my next project as it seems really straightforward and easy to implement. Congrats for the launch & good luck!
@aeromaniax thanks!
Congrats on the launch, looks great!
kool
I like the lightweight and privacy-focused approach! 😄
Migma AI
We'll use this, looks so good and modern. Can we customize the style?
@migma yep! everything is customizable through css variables
250x smaller than hCaptcha is huge for web performance. Can we modify PoW parameters per use case, like stricter thresholds for login vs. comment forms?
@desmond_ren1 yes! you can fully adjust the difficulty
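Added example, not part of the thread and not Cap's own code: a generic hashcash-style SHA-256 proof-of-work in Node.js, showing the per-form difficulty asked about above (stricter for login than for comments) and how the solver's expected work doubles with each extra bit while the server still verifies with a single hash. The `DIFFICULTY` values, the challenge format and all function names are assumptions made for illustration.

```javascript
// Added illustration: generic hashcash-style SHA-256 PoW, not Cap's actual protocol.
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32); // server-only HMAC key, generated for this example
const DIFFICULTY = { comment: 12, login: 16 }; // assumed leading-zero bits per form
const spent = new Set(); // salts of challenges already redeemed

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();
const hmac = (s) => crypto.createHmac("sha256", SECRET).update(s).digest("hex");

function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// Server: stateless challenge; the HMAC binds salt, form, difficulty and expiry.
function issueChallenge(form, now = Date.now()) {
  if (!Object.hasOwn(DIFFICULTY, form)) throw new RangeError("unknown form");
  const salt = crypto.randomBytes(16).toString("hex");
  const body = [salt, form, DIFFICULTY[form], now + 60_000].join(".");
  return `${body}.${hmac(body)}`;
}

// Client: brute-force a nonce; expected work is 2^bits hashes.
function solve(challenge) {
  const bits = Number(challenge.split(".")[2]);
  for (let nonce = 0; ; nonce++) {
    if (leadingZeroBits(sha256(`${challenge}:${nonce}`)) >= bits) return nonce;
  }
}

// Server: one HMAC plus one hash, however hard the puzzle was to solve.
function verify(challenge, nonce, form, now = Date.now()) {
  const parts = String(challenge).split(".");
  if (parts.length !== 5) return false;
  const [salt, issuedFor, bits, expires, mac] = parts;
  const a = Buffer.from(mac), b = Buffer.from(hmac(parts.slice(0, 4).join(".")));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return false;
  if (issuedFor !== form || now > Number(expires) || spent.has(salt)) return false;
  if (leadingZeroBits(sha256(`${challenge}:${nonce}`)) < Number(bits)) return false;
  spent.add(salt); // single use: a solved challenge cannot be replayed
  return true;
}

// Average hashes a solver must compute for a form; each extra bit doubles it.
const expectedHashes = (form) => 2 ** DIFFICULTY[form];
```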
👏👏
Looks cool!