Many people think that if they implement a "super secret hash function", their password hashes will be more secure. This is a research attempt to try to disprove that.
How This Works
I have created "secret" algorithms. Ranging from trivial to quite difficult. You have all the data you need, except the algorithm itself (there is no secret key or anything).
For each algorithm, I have provided you with 4 password/salt combinations, and the resulting hashes.
Your Mission, Should You Choose To Accept It
Your mission is to try to deduce the algorithm used to produce the hash.
To prove that you have the correct algorithm, produce a new hash using the following credentials:
Password
Salt
foo
barbarbarbarbarbarbarbarbarbarba
Enter that hash into the "Hash guess" input field. If it is correct, the box will go green, and the result will be logged.
Results
The challenge is over. You can continue to try to guess the algorithms (the JS portion will work), but the results section will be shut down, as the research is concluded. The results below were frozen as soon as someone found all 15 hashes.
Number Of Correct Algorithms
Number Of People With At Least That Many Correct
1
245
2
103
3
66
4
36
5
28
6
22
7
14
8
11
9
10
10
9
11
7
12
6
13
4
14
4
15
1
Winners
There are 2 classes of "winners" in this result set. Due to a server-misconfiguration, all 15 algorithms were exposed, leading to the winner of all 15 being the first person to find that misconfiguration. And that person is:
Matthias Glaub - First found "misconfiguration" which allowed all 15 hashes to be verified.
The other class of "winners" are those who found 14 algorithms without "tricks". In no particular order:
As it turns out, Kerckhoff's Principle holds true. Every single one of the "secret" hash algorithms, some of which were quite odd, fell. Many hashes fell on the first day. Some took a week. But all fell in one way or another.
So next time someone tells you that you should "make it more secure by tweaking the algorithm so they don't know what to expect", show them this site.
Stats
You:
{{guesses.correct}} / {{guesses.total}}
Best:
{{guesses.best}} / {{guesses.total}}
Average:
{{guesses.average}} / {{guesses.total}}
Number Of Users:
{{guesses.users}}
FAQ
How Are You Confirming?
We are doing a double confirm on the hash. First, we generate the hash (server side, sorry), then we hash it with a public key using sha256 (which is available to JS in the source). Then, we generate a hash with a private key that doesn't leave the server. When you enter a guess, the browser hashes the guess with the public key (seriously, just read the source), and if it matches, considers you to have found the hash. Then, the server re-verifies with the secret key. If both match, it's considered a valid guess and the result is saved.
What are you storing with the results?
Nothing. I generate a unique token which is stored as a cookie for each user. This does nothing but allows me to de-duplicate your submissions. All that's actually saved is a flag indicating which hashes you've successfully found. Nothing else.
Why bother?
Why not?
I Finished!!!
Awesome!!! Send me an email (me - at - ircmaxell - dot - com) with your id (sid in the cookie), and I'll immortalize you on the page forever (or until I decide to take it down).
Where are the answers?!?!?1
They are not here. Perhaps I will post them one day. Perhaps I may blog about them. But not today :-)
