
Proof-of-Work CAPTCHA

A CAPTCHA that requires the visitor's browser to solve a cryptographic puzzle, making mass automation expensive without showing visual challenges.

Proof-of-Work CAPTCHA shifts the cost of solving from a human (clicking images) to the visitor's CPU (running a hash function). The server generates a challenge that requires finding a hash with specific properties (such as a SHA-256 hash starting with a certain number of zero bits). The browser tries random nonces until it finds one that matches, then submits the answer with the form.

A modern phone solves a 200,000-iteration challenge in 300-500 ms. A human submitting a form once doesn't notice the delay. A bot trying to submit thousands of forms per second has to pay that CPU cost on every attempt, which makes the spam economically unattractive.

Major Proof-of-Work CAPTCHAs in 2026: Friendly Captcha, ALTCHA, mCaptcha. Each tunes the difficulty differently. Friendly Captcha auto-scales based on abuse signals from its global network. ALTCHA uses a fixed difficulty configured per site. mCaptcha increases difficulty under load, designed for application-layer DDoS mitigation.

The trade-off: Proof-of-Work doesn't stop a single determined attacker willing to pay CPU cost. It stops scale. If you face one persistent attacker, you need a different layer (rate limiting, behavioral scoring, manual review). For the spam-at-scale problem that affects most public forms, Proof-of-Work is the cleanest privacy-friendly solution.
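The challenge, solve and verify cycle described above, as an added example (not code from Friendly Captcha, ALTCHA or mCaptcha). The HMAC-signed challenge, the expiry, the single-use salt set, the `salt:nonce` encoding and all function names are assumptions made for this sketch; the solver counts nonces upward instead of picking random ones so the result is reproducible.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment signing secret
_used_salts = set()                   # assumption: in-memory single-use guard

def leading_zero_bits(digest: bytes) -> int:
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()

def _sign(salt: str, bits: int, expires: int) -> str:
    msg = f"{salt}|{bits}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(bits: int = 16, ttl: int = 120, now=None) -> dict:
    """Server: hand out a signed puzzle so no per-challenge state is stored."""
    expires = int(time.time() if now is None else now) + ttl
    salt = secrets.token_hex(16)
    return {"salt": salt, "bits": bits, "expires": expires,
            "sig": _sign(salt, bits, expires)}

def _digest(salt: str, nonce) -> bytes:
    return hashlib.sha256(f"{salt}:{nonce}".encode()).digest()

def solve(challenge: dict) -> int:
    """Client: about 2**bits hashes on average, the cost a bot pays per form."""
    nonce = 0
    while leading_zero_bits(_digest(challenge["salt"], nonce)) < challenge["bits"]:
        nonce += 1
    return nonce

def verify(challenge: dict, nonce, now=None) -> bool:
    """Server: one HMAC and one hash, however long the client worked."""
    now = time.time() if now is None else now
    expected = _sign(challenge["salt"], challenge["bits"], challenge["expires"])
    if not hmac.compare_digest(expected, challenge["sig"]):
        return False  # difficulty, salt or expiry was altered by the client
    if now > challenge["expires"] or challenge["salt"] in _used_salts:
        return False  # stale, or a solution being replayed
    if leading_zero_bits(_digest(challenge["salt"], nonce)) < challenge["bits"]:
        return False  # the work was not actually done
    _used_salts.add(challenge["salt"])
    return True
```

Each extra bit of difficulty doubles the solver's expected work while verification stays at one hash, which is the asymmetry the scheme relies on.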
