Latest Developments
RicheyWeb
​Bespoke, No Joke.

Examples

Algorithm Options Explained for HashCash

HashCash CAPTCHA for Joomla: Algorithm Options Explained for Site Owners

The Captcha - HashCash plugin (v5.4.1+) for Joomla provides five hashing algorithms to power its invisible proof-of-work (PoW) system. This privacy-focused tool blocks bots and spam on forms such as contact pages, registrations, and comments. It avoids visible puzzles or third-party trackers. The plugin runs computations in the user's browser using JavaScript and the Web Crypto API. Humans experience smooth interactions. Automated attacks face high costs.

The system builds on Adam Back's 1997 HashCash idea, adapted for 2025 threats. It creates a unique challenge each time a form loads. The browser repeats hashes until the result meets the difficulty target, such as a set number of leading zero bits. The server checks the solution instantly on submission. Algorithms vary in speed, security, and resistance to GPU-based bots. This gives site owners flexible options.

Difficulty settings range from 1 (light) to 4 (heavy). They increase the challenge for any algorithm. Begin with low difficulty and adjust based on spam levels. All algorithms require a secure context (HTTPS or localhost). They follow GDPR and e-Privacy rules by skipping cookies and data sharing.

Core Comparison Table

Algorithm Output Size Security Focus Relative Speed (User Device) GPU Resistance Best Use Case
SHA-256 256 bits Basic collision resistance Fastest (~<1s at Diff 3) Low Everyday forms, high traffic
SHA-384 384 bits Enhanced collision resistance Fast (~1s at Diff 3) Low Moderate-risk sites
SHA-512 512 bits Maximum raw hashing security Moderate (~1.5s at Diff 3) Low High-value, low-traffic forms
PBKDF2 Variable Sequential iteration hardness Slower (1-3s at Diff 3) Medium Botnet-targeted sites
PBKDF2+64KB Loop Variable Memory-hard GPU deterrence Slowest (2-4s at Diff 3) High Advanced threat environments

*Performance estimates apply to mid-range devices (for example, iPhone 14 or mid-tier Android). Test on your site. Use "delayed calculation" to start PoW only when users interact with the form. This reduces idle CPU use.

Detailed Algorithm Breakdown

1. SHA-256 - The Speed Leader for Wide Use

Technical Profile: 256-bit digest. Offers ~2¹²⁸ collision resistance. Runs simple iterative hashing loops (1,024 to 65,536 attempts at Diff 1 to 4).

Utility & Value: This default option suits owners who want smooth user experience. Desktops finish in microseconds. Mobile delays stay under 1 second. It fits high-traffic sites where bounce rates matter. Bots struggle at scale. GPU farms can parallelize it, however.

Pros for Owners:

  • Works in all modern browsers. Adds no server load.
  • Simple setup. Use with Diff 2 for 90% spam drop and no user impact.

Cons: Weak against parallel attacks.

When to Choose: Blogs, online shops, or forms with light spam (such as comments).

2. SHA-384 - Balanced Step Up for Daily Security

Technical Profile: 384-bit digest (truncated SHA-512). Delivers ~2¹⁹² resistance. Follows SHA-256 loop style but processes larger outputs for slight extra compute per hash.

Utility & Value: It boosts protection while keeping speed. Ideal for sites with sensitive data like newsletters or inquiries. It raises brute-force costs for mid-level bots. Solve times stay under 1 second. Owners gain compliance points (for example, PCI-DSS) without user friction.

Pros for Owners:

  • About 25% slower than SHA-256 but still quick. Server checks are fast.
  • Prepares for future attacks on shorter hashes.

Cons: Remains open to GPU attacks. Offers no big jump over SHA-256 for simple threats.

When to Choose: Registration or login forms. Or regulated fields (such as finance or health).

3. SHA-512 - Powerhouse for Raw Strength

Technical Profile: 512-bit digest. Provides ~2²⁵⁶ resistance. Requires more cycles per iteration due to size. Scales PoW with difficulty.

Utility & Value: Owners battling credential stuffing or fake accounts benefit most. It forces bots into hours of work at Diff 4. Overkill for most sites. Excels in low-volume, high-stakes cases. Server verification takes one pass.

Pros for Owners:

  • Top pure-hash security. Stops headless browser scripts.
  • Set it for admin forms without wide effects.

Cons: 40-60% slower on budget devices (up to 2-3 second delays). GPUs can parallelize it.

When to Choose: Internal tools, donation pages, or sites under attack.

4. PBKDF2 - Chain Defense Against Scaled Bots

Technical Profile: Chains HMAC-SHA-256 with set iterations (10,000+). Stresses time over raw hashing. Each step depends on the last, blocking parallelism.

Utility & Value: It favors endurance over speed. Users solve in 1-3 seconds. GPU bots need minutes per form. Owners of spam-heavy sites (such as lead generation) value its ability to ruin bulk attacks. Difficulty tunes iterations for fine control.

Pros for Owners:

  • Medium GPU resistance from chaining. Stays invisible and privacy-safe.
  • Works with "bot abuse detection" to trap suspects in endless loops.

Cons: Adds visible (but acceptable) delays on old hardware.

When to Choose: Forums, job boards, or sites with steady low-effort spam.

5. PBKDF2+64KB Memory Loop - The GPU Violator

Technical Profile: Adds a 64KB memory buffer loop to PBKDF2 per iteration. Creates bandwidth and memory bottlenecks. GPU solve times reach 8-18 seconds. Users finish in 2-4 seconds.

Utility & Value: This elite option counters 2025 botnets. It turns attacker hardware strengths into weaknesses. Owners in competitive areas (such as crypto or marketplaces) cut spam by 95% or more. Difficulty scales the defense. It serves as a strong long-term solution.

Pros for Owners:

  • Best resistance to parallel or farm attacks. Fits modern JS engines.
  • Supports layered security (for example, with Tor blocking).

Cons: Highest user impact. Test well. Skip on mobile-first sites.

When to Choose: E-commerce checkouts, premium signups, or intense bot battles.

Tuning Tips: Algorithm + Difficulty Pairings

 
 
Security Goal Recommended Combo Expected Spam Reduction
Basic Protection SHA-256 + Diff 2 70-80%
Standard Defense SHA-384 + Diff 3 85-90%
Advanced Bot Blocking SHA-512 + Diff 4 90-95%
GPU-Resistant PBKDF2 + Diff 3 92-97%
Maximum Deterrence PBKDF2+64KB + Diff 4 95-99%
 

Pro Advice: Check Joomla logs. Raise difficulty first for easy gains. Then switch algorithms. Turn on "punish" for detected bots. No external services mean zero extra costs.

Practical Configuration Examples

Standard Blog / Small Business Site

  • Algorithm: SHA-256
  • Difficulty: 2
  • Extras: Delayed calc + DNS blacklist
  • Why?: Preserves fast loads. Handles comment spam with ease.

E-Commerce / Lead Gen Hub

  • Algorithm: PBKDF2
  • Difficulty: 3
  • Extras: Tor block + abuse detection
  • Why?: Stops signup farms. Keeps real customers happy.

High-Security Enterprise

  • Algorithm: PBKDF2+64KB Loop
  • Difficulty: 4
  • Extras: All filters on
  • Why?: Builds a fortress. Accepts minor delays for safety.

Why is this software free?

I’m ditching the freemium game and giving this software to the Joomla crowd for free. It’s a nod to “Jumla”—Swahili for “all together”—because fragmentation sucks, and I’d rather focus on innovation and paid gigs. Use it, build with it, and if you need custom work, I’m super into that.

What's The Catch?

There isn’t one! I’m all about building tools that empower the Joomla community and spark creativity. This software’s free because I’d rather see it in your hands - fueling awesome projects. If you really feel like paying something, I’d appreciate a review in the Joomla Extension Directory—your feedback means a lot!

Related Articles

Copyright © 2025 RicheyWeb. All Rights Reserved.