Hashwall

Hashwall is a web library that implements spam protection and rate limiting (what you'd otherwise use a CAPTCHA for) using proof of work.

Basically, a user's computer has to solve a hash-based math puzzle of configurable difficulty and submit the proof to your server. You can tune the difficulty to make the math puzzle take more time, and therefore make it costly for spammers to abuse your service.

Why?

Traditional hard-to-read text CAPTCHAs no longer work, and Google's ReCAPTCHA is a dubious thing to force on users. This is a pretty simple alternative.

Won't this impact mobile users?

Probably. Phones have decent single-threaded performance these days, though. This may still burn battery and make them run hot.

Won't users get bored waiting?

Some of them. If your users aren't really interested enough in what you're trying to protect to wait a few minutes for it, then this probably isn't a good solution for you.

How does it work?

The hash computation (SHA-256) is done in WebAssembly for performance. Given a target T, the client must find a number N such that hash(N,T) starts with D zeros, where D is the difficulty. To show consistent progress to the user, the hash is chained over a number of repetitions: part of the end of hash(N,T) becomes the new target for the next repetition.

Is this cryptographically secure?

This is an experimental project, so not likely. I think the general idea is sound (various cryptocurrencies and hashcash use the same basic idea), but cryptography is pretty difficult.

No effort has been made to make this ASIC or GPU resistant.

But how do I verify the hash on the server?

You may need to write that part yourself, but it should be fairly easy. Here's an example implementation for Node.
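A sketch of such a server-side check for the chained scheme described under "How does it work?", added here as an illustration; it is not Hashwall's own Node implementation. The byte encoding of hash(N,T), the 16-byte chaining rule, counting difficulty in leading zero bits, and all function names are assumptions.

```javascript
const crypto = require('crypto');

// ASSUMED encoding (not Hashwall's wire format): hash(N, T) = SHA-256(T || N),
// with N serialized as an 8-byte big-endian integer.
function powHash(target, nonce) {
  const n = Buffer.alloc(8);
  n.writeBigUInt64BE(BigInt(nonce));
  return crypto.createHash('sha256').update(target).update(n).digest();
}

// Count leading zero bits, so each +1 of difficulty doubles the expected work.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// ASSUMED chaining rule: the last 16 bytes of each hash become the next target.
const nextTarget = (hash) => hash.subarray(hash.length - 16);

// Server side: one hash per repetition, regardless of difficulty.
// `issuedTarget` must be a random value this server issued and has not yet
// accepted; otherwise one solved proof can be replayed indefinitely.
function verifyChain(issuedTarget, nonces, difficulty, repetitions) {
  if (!Array.isArray(nonces) || nonces.length !== repetitions) return false;
  let target = issuedTarget;
  for (const nonce of nonces) {
    if (!Number.isSafeInteger(nonce) || nonce < 0) return false;
    const hash = powHash(target, nonce);
    if (leadingZeroBits(hash) < difficulty) return false;
    target = nextTarget(hash);
  }
  return true;
}

// Client side (reference solver for the demo): brute-force each link in turn.
function solveChain(issuedTarget, difficulty, repetitions) {
  const nonces = [];
  let target = issuedTarget;
  for (let i = 0; i < repetitions; i++) {
    let nonce = 0;
    while (leadingZeroBits(powHash(target, nonce)) < difficulty) nonce++;
    nonces.push(nonce);
    target = nextTarget(powHash(target, nonce));
  }
  return nonces;
}
```

Take the difficulty and repetition count from server configuration, never from the submitted request.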

Contributions are welcome. See here.

Try It

Difficulty:

Note that the amount of time Hashwall takes doubles with every increment of difficulty.

Repetitions:

Time taken is proportional to number of repetitions.
