You know that feeling. You’re just trying to log in to pay your water bill, and suddenly you’re tasked with identifying every single crosswalk in a grainy photo of a bleak intersection in Minsk. You click three. The system pauses, judges you, and then politely asks you to find the traffic lights.
But here is the worst part: It’s useless.
In late 2024, a team at ETH Zurich proved that modern vision models (like YOLO) can solve those image puzzles with 100% accuracy. 100%. A literal robot is now better at proving it’s not a robot than you are.
The "Dead Internet Theory" isn't a theory anymore; it's a server log. According to Imperva, 51% of web traffic is now bots. We are the minority. We are the ghosts in our own machine.
The "Human Cadence" Hypothesis
I have a theory. Humans are messy biological engines. We are constrained by physics, muscle memory, and the speed of our nervous system.
When you type a furious comment on Reddit, you don't hit keys at a perfect 150ms metronome beat.
- You hold the
Shiftkey down slightly too long. - You "rollover" from
TtoHfaster than you move fromPtoQ. - You hesitate before typing a big word like "bureaucracy."
Bots? Bots are clean. Even when they try to fake it with Math.random(), they tend to be statistically perfect. They don't get tired. They don't have fingers that get tangled.
So I built a little library called isHumanCadence. It’s not a firewall; it’s a vibe check.
How It Works (Without Boring You)
The library (GitHub link for the curious) attaches a listener to your input field. It doesn't care what you type (I don't want your passwords, thanks). It only cares how you type it.
It looks for the "fingerprint" of biology:
- Dwell Time: How long do you mash the key down?
- Flight Time: How fast do your fingers fly between keys?
- Entropy: Is your rhythm chaotic enough to be human?
If you type like a machine gun (zero variance), you get a score of 0.0.
If you stumble, pause, and overlap your keys like a clumsy meat-sack, you get a 1.0.
The "Dead Zone" (Hysteresis)
Here is a cool engineering problem I ran into: Flickering.
A user types "Hello" (Human!), then pauses to sip coffee (Bot?), then types "World" (Human!). If I just showed the raw score, the UI would strobe like a rave.
So I added a Schmitt Trigger.
Think of it like a thermostat. The system doesn't label you a "Bot" until you really act like one (score drops below 0.35). And it doesn't give you the "Human" badge until you really earn it (score hits 0.70). The middle ground is just "Unknown."
It makes the detection feel stable, not jittery.
The Code (Yes, it’s this simple)
I wanted this thing to be drop-dead simple to use. No API keys. No backend servers. Just pure, client-side JavaScript.
The "Reality Check" (Don't @ Me)
Look, I’m not delusional. This isn't a silver bullet.
Client-side security is inherently trustless. If the browser can measure it, a determined hacker can spoof it. And yes, "Generative Keystrokes" are coming AI agents trained on millions of hours of human typing to learn exactly how to "stumble" like us.
We are in an arms race. I build a 10ft wall, they build an 11ft ladder.
But right now? This little library raises the cost of attack. It forces a bot to do more than just element.value = "Buy Crypto". It forces them to perform.
Let's Build a Filter
The web is drowning in noise. If we want to keep a space for actual human connection, we need better filters. We need to move away from "Proof of Identity" (scanning your face) and toward "Proof of Humanity" (verifying your rhythm).
This is a Proof of Concept. It’s buggy. It’s experimental. It might block your grandma if she types too perfectly.
But it’s open source, and I want you to break it.
👉 Star the Repo (or roast my code)