A better choice would be a memory hard PoW (that's still instantly verifiable), where the performance gap between consumer and custom hardware
can be limited to one or two orders of magnitude.
Good point, current verification of password hashes takes as long as generating the hash. I seem to remember that there was a technique to avoid this, but it wasn't usable for passwords or something. Do you happen to have a pointer for what algorithm has this property?
Asymmetric PoW algorithms, such as Cuckoo Cycle [1] or the poorly named Equihash [2] (which is not a hash function) do not lend themselves to password hashing, since a given problem instance can have 0 or 1 or many solutions.
Then you can trade-off processing power within reason. Modern websites are so heavy, it's not unusual to need a gigabyte of memory to use some of the heavier webpages. Using some megabytes (150MB I'd consider an upper bound of where the advantage will have leveled off for the coming years) is not typically impossible, and even 4KB is a lot better than no memory hardness at all.
