I like the idea, but upon pondering, I think it could be made better by imitating other dark patterns:<p>1. Ask for a username, only offer "OK"<p>2. Upon OK: Wait 2-3s while showing an ajax spinner, then add another box to the DOM, asking for an "e-mail"<p>3. Rinse and repeat with first name + last name; then company name; country (pick from a list of ~50 widely known country names, sorted by median age of the population - remove the IPs country of origin, so they have to pick "other" and enter it manually)<p>4. Tell the user the username doesn't match the expected format and offer to add a random "#1234" for them - upon doing so, back to square one (except their username is now "#1234" and not "scamoverlord#1234"). make sure to flush the other info as well.<p>5.1. Tell them you're sending a verification mail (you don't). Offer them to resent it after 30s.<p>5.2. Upon "try again", tell them first to check their mail address, and lock the "try again" for another 10s.<p>5.3. Now, after another 30s, tell them there must be an error with the mail gateway (there is no mail gateway) and offer them to continue; the verification mail is queued and will be sent later (-> you're sooo super userfriendly!).<p>6. Now the user/victim easily spent 90s to enter "valid" details and must be quite invested. Show a re-captcha style captcha before asking for password (after sending an email and possibly spamming someone? yeah, maybe put that before the fake mail verification, I came up with that in the wrong order).<p>7. the "checking if you're human" should fail after 3-4s (spammers are used to that).<p>8. Then the first of the 9 captcha images should pop up afer 1-2s initial "loading time", the other ones after another .5 - 2s, each.<p>9. Let the first one or two captchas fail no matter what (two if they're fast, one if they're already spending a lot of time there - plausible if you're handpick terms + images for which foreign speaker often don't know the exact meaning; like "barnacles", "melange", "cabin", "truck", or showing differnt styles buses and asking for "tram").<p>10. Three times the charm: Accept any answer, as long as the "user" spent more than 4s on it (use a simple term with obvious images to make it plausible, like "birds" or "cars").<p>11. finally get started with the password. Let them do four or six levels.<p>12. What's that, the the captcha timed out and/or too many bad password tries? Are you sure you're not a bot? Well, do it again! (maybe let them only fail once to keep them hooked)<p>13. Oh no, the password field has been reset after the captcha was solved. At least you now know how to do a rule-abiding password. So let them do all the levels.<p>14. If they're really persistent, fake a "oh no, your tab crashed, reload?" screen for their browser.<p>Uuuuh, I think I put that on my infinite todo list.<p>PS: Have them write "a few words" about their business. Make sure to garble copy/paste (e.g. reverse word order or just reset length counter to 0, increase decrease from there and do a proper recount on submit). On submit, verify the input for a few seconds and claim that it's either to short or too long (if they wrote >500 chars, say it should be 200-400, if they wrote <500 chars, ask for 600-800). And remember to keep the char counter broken (update only after not typing for 2s, making the input field not readable for another second while "counting"). Bonus points if a WYSIWYG editor widget is used, which of course takes 5 to 10s to load; or have a "worker" at Amazon Mechanical Turk review it (only takes 30 to 90s).<p>PPS, for balls of steel: Add a second act by only enforcing the first few levels. Then, upon login, tell them they need to change their password. Maybe also tell them if they install your "super special" security extension, they can use weaker password rules. If they stupid enough to really install it, let it send a "X-Block-Me: I am a scammer" header along with every http/s request.