Hacks, Kludges & Other Such Tomfoolery

Started by Shibboleet The Annihilator, April 26, 2010, 02:12:45 PM


Quote from: Pæs on February 13, 2014, 07:42:58 PM
It's not for everyone, but I use which will take a word like "facebook" and master password I use everywhere like "horsebatterystaple" and give me a password with a combination of numbers, symbols and different cases. If I forget that password, I go to hashapass and enter "facebook", "horsebatterystaple" and it uses the same math to crunch those together and give me "dL;t8sDG" again.

If the service I'm using sucks at security, and HAXORS get my password, it only works for facebook and there is no way for them to turn it back into "horsebatterystaple" and figure out my password anywhere else.

Nice find. Been meaning to update my passwords for forever. This will do nicely. Probably write my own, right enough, imagine if it was an NSA shill :tinfoilhat:



Doesn't that make a single point of failure?  The security there must be airtight.


Quote from: LMNO, PhD (life continues) on February 13, 2014, 07:56:06 PM
Doesn't that make a single point of failure?  The security there must be airtight.

They're not storing anything, just hosting JavaScript which securely hashes your password, using the parameter like "facebook" as a salt to influence the result. You can take their code and read it, host it yourself, make a command line tool which will always give the same results, if you like.

EDIT: This is the code for the bookmarklet
Most of that is formatting a little UI for usability. I just have an offline version saved on my phone and because I'm becoming decreasingly paranoid, I have the master password weakly encrypted so I don't have to type my 50 char password every time. Just open the app, type "facebook", login. Makes my phone a point of failure for all of my logins, if people figure out what that button does, but if I lose the phone I disable it remotely anyway.


The sophistication of the attack that would be needed to find a hash collision, where two strings turn into the same hash, is so excessive IMO as to render flying to my house and stealing my computer while I'm on it a more likely approach for anyone who wants to force me to like their page.

That's a less sophisticated attack than the one that would betray my master password, which is less likely.

The more paranoid of us can read hashapass's source every time, or host it and check its hash regularly for tampering, because it *is* possible that someone hacks hashapass and changes the source temporarily. Which may be what you meant, LMNO?


Let's chalk it up to me not fully understanding the process.  I think I have it now.


It's not impossible to attack, but it's less likely and their FAQ does a good job of enumerating the risks and offering solutions.
I can remember random strings pretty well, so I know most of my hashpasswords, so for me it's more a matter of using a totally unique password on every service.


How effective would something like this be?

Bhijadrbo = adverbial = rbxtiavrf = encrypted


What you're making there is a cryptogram which is a puzzle used alongside newspaper crosswords.

For either of those nonsense strings, a simple online cryptogram solver ( will generate the two words you chose along with the hundreds of other words that fit. With a larger sample, it would start to find words there which didn't allow for other words in the string to be created, rule those keys out and continue until it had the only viable key. Unless you have a way to preserve your intended word choice, your method would mask the intended message from your recipient, defeating the purpose.


They would have the legend and know exactly what it translates to without using a program.


If there's a legend, what is the purpose of the intermediate steps?


To make it harder to decipher. You decipher once and get an incoherent message that is readable but makes no sense.


Okay, but it doesn't do that. You seem to be talking about a form of

But when you're making a simple cipher, rather than an encryption scheme based on factoring large primes or similarly mathematically complex systems, "bhijadrbo" and "rbxtiavrf" are identical. They look like "123456718", the individual letters don't matter, there are eight unique symbols and one is reused, that's the pattern you're cracking. So your decipherment scheme adds complexity for the intended recipient but doesn't add any for a cracker.


Super easy no legend needed...



Quote from: JBookup on March 08, 2014, 07:04:28 PM
Super easy no legend needed...


Some kind of axial symmetry around the central character on the string,

831331247748569838838296247655247 Original
742556742692838838965847742133138 String reversed

111221505156331000133651505522111 differences between the two

Annnnd I'm out of time to look at that any further.
Sleepless nights at the chateau


I like how I say it's super easy and you go and do something complicated. But I'm actually loving the idea of that and will probably make something that works like that. But as of right now it is really simple.