March 31, 2026
CAPTCHA or Boss Fight?
Show HN: Cerno – CAPTCHA that targets LLM reasoning, not human biology
A rage‑inducing maze to prove you’re human—users call it the Dark Souls of logins
TLDR: Cerno is an open‑source CAPTCHA that makes you trace mazes while measuring your movements to block bots. The community exploded with frustration over difficulty and accessibility—especially on phones, trackpads, and assistive devices—fueling a debate over clever security versus basic inclusivity and the need for alternative verification options.
Cerno is a new open‑source “are you human?” test that makes you trace a tiny maze while it studies your mouse moves and timing, tossing in color‑word tricks and cryptographic checks. It’s meant to catch bots and chatbots, not people. But the internet saw the demo and screamed: this is a boss fight. One early commenter called it “rage bait,” warning it’s near‑impossible on phones. Another said assistive tech like trackballs and screen readers would fail, raising big accessibility red flags. Several users reported getting rejected over and over—too slow, too fast, too wobbly—while one lamented they couldn’t pass even with a mouse. The vibe: less “prove you’re human,” more “prove you’re a surgeon.”
The devs tout fancy steps—proof‑of‑work puzzles, maze physics, and even a “Stroop” trick (when the word “Red” is colored blue to trip you up). It’s all open source with a TypeScript kit, and you can peek at the code on GitHub or try the docs. But the thread turned into a meme factory: “Dark Souls login,” “git gud to sign in,” and “mouse driver’s license required.” Some admit it’s a clever anti‑bot idea—but the loudest chorus wants alternative paths for people on mobile, older users, and anyone with different dexterity. Accessibility vs security: fight!
Key Points
- •Cerno is an open-source, maze-based human verification system that relies on motor-control analysis rather than hardware.
- •Its pipeline includes adaptive SHA-256 proof-of-work, deterministic maze generation via the Growing Tree algorithm with a seeded PRNG, and trustless server validation.
- •Behavioral metrics (12 features from pointer events) are scored per maze, and Stroop probes add color-word interference at decision points.
- •ECDSA P-256 signature binding ties an ephemeral keypair to the challenge, and EMA-based reputation tracks behavioral consistency across sessions.
- •Integration is provided via a TypeScript SDK with @cernosh/react and @cernosh/server packages, plus example code and a GitHub repository.