Protecting Keycloak Auth with Proof of Work

DEV Community·Mr. Buch·26 days ago

I got tired of watching our login endpoint get hammered by bots. Credential stuffing, brute force, the usual nonsense. Rate limiting helps, but it's blunt: one script kiddie from a datacenter and suddenly your whole office can't log in because they're all behind the same IP.

That's why I built a Keycloak extension that does PoW (proof of work) challenges. Sounds complicated, but it's actually pretty elegant: make bots solve a math problem before they get to the password field. Real users barely notice. Attackers' ROI goes to zero (not literally ;-)).

The interesting part? I went with Argon2id as the default algorithm, not SHA-256. That decision deserves explaining because it's not what most people think of when they hear "PoW."

The Problem With Just SHA-256

Everyone knows SHA-256 PoW. Bitcoin uses it. It's simple: find a nonce where SHA256(data + nonce) has N leading zero bits. Done. But here's the thing: SHA-256 is cheap to parallelize.…
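Here is what the SHA-256 variant described above looks like on both sides of a login flow. This is an added example, not code from the author's Keycloak extension: the challenge layout (timestamp, difficulty, random salt, username, all under an HMAC), the 60-second TTL and the per-process server key are assumptions made for illustration. The HMAC and expiry are the part a practitioner should not skip: without them a client can lower the difficulty byte itself, precompute solutions, or replay one solved challenge indefinitely. Swapping `pow_hash` for a memory-hard function is the change the post goes on to argue for; only the hash call would need to change.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Hypothetical server-side secret. A real deployment would load it from
# configuration, not generate a fresh one per process as done here.
SERVER_KEY = secrets.token_bytes(32)
CHALLENGE_TTL = 60      # seconds a challenge stays valid (assumed value)
TAG_LEN = 32            # HMAC-SHA256 tag length
HEADER_LEN = 9 + 16     # big-endian u64 timestamp + u8 difficulty + 16-byte salt


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits: the 'N leading zeros' test from the post."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def pow_hash(challenge: bytes, nonce: int) -> bytes:
    """SHA256(data || nonce). Replace this one call to use Argon2id instead."""
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def issue_challenge(username: str, bits: int, now=None) -> bytes:
    """Server: mint a challenge bound to a user, a timestamp and a difficulty.
    The HMAC stops clients from editing the difficulty or forging challenges."""
    ts = int(time.time() if now is None else now)
    body = struct.pack(">QB", ts, bits) + secrets.token_bytes(16) + username.encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return body + tag


def parse_challenge(challenge: bytes):
    body, tag = challenge[:-TAG_LEN], challenge[-TAG_LEN:]
    ts, bits = struct.unpack(">QB", body[:9])
    username = body[HEADER_LEN:].decode()
    return body, tag, ts, bits, username


def solve(challenge: bytes, max_iter: int = 1 << 32) -> int:
    """Client: brute-force a nonce until the hash has enough leading zero bits."""
    _, _, _, bits, _ = parse_challenge(challenge)
    for nonce in range(max_iter):
        if leading_zero_bits(pow_hash(challenge, nonce)) >= bits:
            return nonce
    raise RuntimeError("no nonce found within max_iter")


def verify(challenge: bytes, nonce: int, username: str, now=None) -> bool:
    """Server: accept only an authentic, unexpired challenge for this user
    whose nonce actually meets the difficulty the server set."""
    if len(challenge) < HEADER_LEN + TAG_LEN:
        return False
    try:
        body, tag, ts, bits, bound_user = parse_challenge(challenge)
    except (UnicodeDecodeError, struct.error):
        return False
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                      # forged or tampered challenge
    current = time.time() if now is None else now
    if bound_user != username or not (ts <= current <= ts + CHALLENGE_TTL):
        return False                      # wrong user or expired
    return leading_zero_bits(pow_hash(challenge, nonce)) >= bits


if __name__ == "__main__":
    # Constructed round trip: 12 bits means roughly 4096 hashes on average.
    ch = issue_challenge("alice", 12)
    n = solve(ch)
    print("nonce", n, "accepted:", verify(ch, n, "alice"))
```

Difficulty is expressed in bits rather than hex digits so the server can tune it in fine steps; each extra bit doubles the expected work for both a real browser and a bot, which is exactly the lever the post's "attackers' ROI" argument depends on.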
