Messages

What you're making there is a cryptogram which is a puzzle used alongside newspaper crosswords.

For either of those nonsense strings, a simple online cryptogram solver (http://rumkin.com/tools/cipher/cryptogram-solver.php) will generate the two words you chose along with the hundreds of other words that fit. With a larger sample, it would start to find words there which didn't allow for other words in the string to be created, rule those keys out and continue until it had the only viable key. Unless you have a way to preserve your intended word choice, your method would mask the intended message from your recipient, defeating the purpose.

It's not impossible to attack, but it's less likely and their FAQ does a good job of enumerating the risks and offering solutions.
I can remember random strings pretty well, so know most of my hashpasswords, so for me it's more a matter of using a totally unique password on every service.

The sophistication of the attack that would be needed to find a hash collision, where two strings turn into the same hash, are so excessive IMO as to render flying to my house and stealing my computer while I'm on it a more likely approach for anyone who wants to force me to like their page.

That's a less sophisticated attack than the one that would betray my master password, which is less likely.

The more paranoid of us can read hashapass's source every time, or host it and check it's hash regularly for tampering, because it *is* possible that someone hack hashapass and change the source temporarily. Which may be what you meant, LMNO?

Doesn't that make hashapass.com a single point of failure?  The security there must be airtight.

They're not storing anything, just hosting javascript which securely hashes your password, using the parameter like "facebook" as a salt to influence the result. You can take their code and read it, host it yourself, make a command line tool which will always give the same results, if you like.

EDIT: This is the code for the bookmarklet http://pastebin.com/gwWstQka
Most of that is formatting a little UI for usability. I just have an offline version saved on my phone and because I'm becoming decreasingly paranoid, I have the master password weakly encrypted so I don't have to type my 50 char password every time. Just open the app, type "facebook", login. Makes my phone a point of failure for all of my logins, if people figure out what that button does, but if I lose the phone I disable it remotely anyway.

It's not for everyone, but I use hashapass.com which will take a word like "facebook" and master password I use everywhere like "horsebatterystaple" and give me a password with a combination of numbers, symbols and different cases. If I forget that password, I go to hashapass and enter "facebook", "horsebatterystaple" and it uses the same math to crunch those together and give me "dL;t8sDG" again.

If the service I'm using sucks at security, and HAXORS get my password, it only works for facebook and there is no way for them to turn it back into "horsebatterystaple" and figure out my password anywhere else.

Source: http://www.lostateminor.com/2014/02/03/artist-creates-sculptures-made-hundreds-discarded-toy-parts/

Most importantly. How many words are in this string? More than one? How are spaces handled?

But I remain confident that on a 256 key scale the brute force method would be ineffective.

What does this mean to you and how does it apply to what you've made here?

It sounds as though you've got a substitution cipher and I can't tell where the complex math comes in. Did you use a complex process to decide which letter turned into which symbol, because that complexity isn't going to translate forward into the complexity of cracking, it's still a matter of rotating the meaning of each character until readable text is produced.

Are you willing to discuss the process of encipherment so it can be examined in more depth? If that explanation breaks the encryption, I'm afraid you'll have trouble profiting from the scheme.

Missed opportunity in changing the rhyme on "Theirs not to reason why, theirs but to occupy".

"The charge of the light brigade" is just begging for a modern re-write really.

Half a block, half a block
half a block onward,
All in the valley of cops,
Rode the 200
Forward the hipsters!
Charge for the cuffs he said
Into the valley of cops
Rode the 200

'Forward, the hipsters!'
With audience unmoved.
For each among them knew
  That all was spectacle:
Theirs not to battle lethal,
Theirs not to wake the sheeple,
Their purpose was more deceitful:
Into the valley of cops
  Rode the Forgettable

Cannon to right of them,
Cannon to left of them,
Cannon in front of them
  Police line impregnable;
Backed by only Tweeps and bloggers,
Rode ignorant cannon fodder,
Into the jaws of Death,
Against the fatcat robbers,
  Rode the Forgettable

Rais'd their fists into the sky
Rais'd all their slogans high,
Flailing at the coppers there,
Charging an army with
  All the world skeptical:
Plunged in the teary-smoke
Thro' the line they finally broke;
Hipster and Stoner
Reel'd from the baton-stroke
Captur'd and regrettable.
The occupation intact, but not
Not the Forgettable

Surely "rode the 99 percent"?

Here's some stuff on what I was saying earlier, about security by obscurity and secret encryption processes not being reliable or desirable.

http://www.networkcomputing.com/data-protection/just-say-no-to-proprietary-cryptographic/229502394
https://www.schneier.com/essay-028.html
https://www.owasp.org/index.php/Guide_to_Cryptography#How_to_determine_if_you_are_vulnerable

Mathematically sound cryptography remains secure even if the process is known, so long as the key is not.

Is it going to say "this is the plaintext" or similar? Because I can make assumptions about which characters are chaff and make it say "to be carried" or "you will not" or similar.

Paes, remember that this was originally meant for a password, not a message.

In which case, it's irrelevant if a hacker can guess the original password, they just need to find out the sequence of characters.

If they're brute forcing it by trying every possible character, but if you could reverse engineer any of the rules you could make minor modifications to existing dictionary attacks to speed up the process.

It seems to me, JBookup, like you may be underestimating how quickly a computer can try all permutations of the string which keep the order intact and systematically remove groups of characters, then see if any words fit into the pattern presented.

Do you know if, while attempting to decipher this, the answer will be obvious?

So the random chaff you've thrown in doesn't have legitimate uses in the legend? If ^ is a random symbol, it never corresponds to a letter?