This would (0) require Javascript (as reCAPTCHA does—but worse, IIRC this also requires asm.js/webasm which I disable even when enabling JS), and (1) have a drastically disparate impact on those using fast computers versus slow computers/netbooks/mobile devices.  It is also questionable whether it would answer the threat being staved off by the CAPTCHA.  Admittedly, it would work better against what I suspect the threat to be, rather than against spam.

Vod, do you know the actual purpose of the CAPTCHA?  Everybody seems to assume that it’s there to keep out spambots.[1]  My first hunch is that theymos has a problem with bruteforcing of luser passwords, resulting in stolen accounts.  You may perhaps know for certain, not as a matter of assumptions or speculation.

I would understand if theymos desires that such information not be disclosed.  But I ask because I have wanted to suggest some alternative solutions; and it’s difficult to know whether my ideas are even worth mentioning.

---

1. This common assumption simply does not make sense to me.  An account farmer could easily use human labour (self or others) to log bots into a large numbers of accounts with “stay logged in” checked, then let them stay logged in to make unlimited spam/nonsense/copypaste posts.  It would be trivial; all the bots would need to do is to keep their cookies.  I know this because I myself now stay logged in, on a credential apparently set to expire in the year 2023.  I have not filled out the CAPTCHA since 10 December.  Whereas a password bruteforcer would indeed be stymied by the CAPTCHA.  A bruteforcer would also be slowed down by a POW.  A spambot could complete the POW once, then stay logged in for years or until permabanned.