What is HashCat?

HashCat is an alternative "CAPTCHA", but relies on expensive CPU calculations instead of some poor soul having to decipher some horribly scanned book.

Use this with a pinch of salt, though. Spam bots are able to "solve" this, but it will slow them down substantially. Don't put all your eggs in one basket :)

I haven't tested HashCat with Internet Explorer yet. Please report any bugs to me :)

How does it work?

HashCat works almost exactly like Hashcash, but, instead of verifying email, it verifies that the request has come from a human.

Here's a step-by-step guide on the HashCat algorithm:

  1. The server generates a totally random string. This is embedded in the page through JavaScript.
  2. The user generates a random number and appends it to the string. This can be a number, a string, or anything at all.
  3. The user hashes this using SHA-1, or a more "intensive" hashing algorithm if required.
  4. If the first four bytes of the hash are zero, the form is submitted, along with the random number. On average, an estimated 200 million calculations are required to find such a hash. This takes about 2-10 seconds on an average desktop.
  5. The server verifies by hashing and checking the first four bytes. If they're all zero, the form is accepted. The session identifier should be reset.

Is it free to use?

Of course! The Internet would suck without free software. The JavaScript libraries for HashCat are licensed under the MIT license. And the server-side example scripts are completely public domain, mainly because they're so simple.

An added bonus is that you don't need a third-party server, as with reCAPTCHA (which could be a single point of failure). Another extra is that Google can't spam your site!

This project makes use of tiny-sha1, with thanks to cloudgen.wong[at]gmail.com. This library is MIT licensed, but the code did not contain any copyright notice, so this shall serve as one.

Get the code!

Server Examples

By default, HashCat comes only with a client, but here are some basic examples of how to use it.


Live Example

Perl (ngx_http_perl_module)

(This example uses ngx_http_perl_module to validate whether or not a website visitor is a real person before any FastCGI scripts are executed.)

Live Example

Contributions of examples are welcome! They literally just need to generate a random string and check the final hash.