Cracking Passwords: A Real-Life Brainteaser

  • Thread starter: Pi
  • Tags: Crack
AI Thread Summary
The discussion revolves around a user who has encrypted a collection of passwords using a simple, self-created code and is curious about how quickly they can be cracked by others. The passwords are stored in a text file on their PC, and while they are encrypted, the user believes that the encryption method is straightforward enough that it could be deciphered with some effort, particularly by looking for patterns and using psychological insights. Participants express concerns about the legality of attempting to crack the passwords and question the authenticity of the passwords being shared. The user clarifies that the passwords do not involve sensitive accounts and that they are not using modern cryptographic techniques. They emphasize that the passwords retain much of their original structure, making them potentially easier to decode. The conversation also touches on the practicality of storing recognizable words as passwords and the challenges of cracking the code without a computer, though the user suggests that a keyboard is necessary for the decoding process. Overall, the discussion highlights the balance between security and usability in password management.
Pi
Here's a real-life brainteaser for you!

I have a large number of passwords nowadays, many of which I very rarely use so I can't remember them myself. I don't like to use a software password manager, so I keep them all written in a text file on my PC - all encrypted of course. The code I use is fairly simple though, just something I thought up in 10 seconds, and I was slightly disturbed to see how quickly a mate of mine guessed the principle it was based on, although he didn't crack it completely.

I'm interested to know how quickly it can be cracked with a moderate amount of effort from an intelligent non-expert. So here's a sample of my password file - go to it! The first person to crack them wins respect and a pat on the back.

NB: Obviously, I'm not telling you what these passwords are for, or what the usernames to go with them are. They don't include passwords for accounts where you will be able to get credit card details, access my email etc, and they don't include my physicsforums.com password - they're just the boring accounts which I'd be willing to risk losing.

ttg]jy]h
t;i]u#frkdi]i
10132634042
48518963
6899774619
[;iz/yfv/s
,q][.'ty]#0
46195739
.u9p2cqz.p Note slightly extended code due to non-standard characters
']uv[w;;ksyq
qtfc]a['l
ggyhyw]c#yng
iy.eggyhyw]c
khf'g\fw
m]uhfv[r/
4943749598633936
[[k#twgttu/d (clue: hthy) capitals at beginnings of lines
q'mv+'fie!
v0uy3c6
/;hxfgyq title capitalisation
nrqth'ir.w
/;buf#he
 
Are these simply hashes or individual, unencrypted passwords?

Edit: I guess if they are encrypted then, we are simply looking at some hashes for an unknown cypher.

I don't understand what exactly you are wanting. Are you wanting us to decrypt the hashes and give you the cyphertext for each of the hashes? If so, it's computationally infeasible for anyone here. We don't know the cypher method first of all, which increases the work factor significantly. Sounds like you're wanting us to do something illegal. :smile:
 
They're encrypted passwords, all encrypted in the same way. One thing I should probably have mentioned is that you'll know when you get them right, because at least some of them will contain English words.
 
How do we know these passwords are actually yours and not a shadowed-passwd file you ripped off someone's system? If I were to engage in this, I could be an accessory to breaking a law.
 
graphic7 said:
How do we know these passwords are actually yours and not a shadowed-passwd file you ripped off someone's system? If I were to engage in this, I could be an accessory to breaking a law.

Because if it's a shadow file, then we'll never crack the code. I'm guessing it's some sort of keyboard cypher.
 
If it is, that still doesn't answer the legality issue of this. But like you said, if it were a shadow file, we couldn't crack it. For the most part that's true, but it could have been "shadowed" with DES or MD4 for example which in certain cases can be exploited (most likely not by us).
 
Yes, I'm asking for the cyphertext. I know that would be an ill-posed problem if I was just asking you to guess some arbitrary function, but here's some additional info: I encrypted the passwords in a very lazy way without using a computer or any modern cryptography techniques, and once you know the code it's easy to read them without a computer. The encrypted passwords retain a lot of the structure of the originals. The unencrypted text is notes to myself about the passwords - I've given it to you as if you found the file on my computer.

This isn't a question about factorising enormous numbers or getting a supercomputer to ruminate on the problem for hours. The way to do it is to use a bit of psychology, look for whatever patterns you can see, and try a few things out. Maybe it's still not possible, in which case I'll be reassured, but I reckon it's only about 1 order of magnitude harder than decoding puzzles you see in children's puzzle books.

As to it being illegal.. you don't believe they're really my passwords? :) Fair enough. I've set up a physicsforums account called "Pie" with the password
nh]rheh;o
Once you log into that, it will prove I know the code myself.
 
Well, I guess you've validated yourself. Cryptography laws are rather harsh in the United States, and I wouldn't want to be subject to that jurisdiction ;) . I'm going to fiddle around with it.
 
graphic7 said:
Well, I guess you've validated yourself. Cryptography laws are rather harsh in the United States, and I wouldn't want to be subject to that jurisdiction ;) .

Understandable! I should've anticipated that but it honestly didn't occur to me.
 
  • #10
It's obviously not a shadow password file. Also, I should mention some terminology: Pi has given us the ciphertext, and is asking us to find the corresponding plaintext.

- Warren
 
  • #11
Wow ! You use 16 letter passwords ?!
 
  • #12
Gokul43201 said:
Wow ! You use 16 letter passwords ?!

I have the feeling that the passwords themselves are only half the length of the encoded form.

One thing that I find puzzling is that Pi seems to be using passwords which contain recognizable words and then using his code to create encoded versions to store. Wouldn't it make more sense to store the recognizable words and use the code to generate the passwords themselves?
 
  • #13
When you say you DON'T need a computer to solve it, do you mean I could sit down with a pencil and paper and solve it? Or do character numbers count? (in which case I don't remember what "]" number is)
 
  • #14
chronon said:
One thing that I find puzzling is that Pi seems to be using passwords which contain recognizable words and then using his code to create encoded versions to store. Wouldn't it make more sense to store the recognizable words and use the code to generate the passwords themselves?

Hey, not a bad idea! Maybe I'll start doing that, except I'd then end up typing my passwords slowly all the time.

Healey01 said:
When you say you DON'T need a computer to solve it, do you mean I could sit down with a pencil and paper and solve it?

Once you know the code, there's no need for a computer at all. While you're still trying to find it, it might help to just get a computer to try a large number of possible codes, if you've been lucky enough to include the right code amongst your set, or you might waste more time writing the program than you'd spend trying things manually, I'm not sure.

Anyway, it looks like it's harder to crack than I feared, nice to know! :biggrin:
My friend who I thought came worryingly close had an unfair advantage, so I'll give you the clue he had: whenever I'm decoding these things I have to stare at my keyboard a lot, then look back to the screen, and then back to the keyboard... so I guess it's not *quite* true that you can decode it entirely without a computer, you need the keyboard at least!
 
  • #15
Yeah, I knew it was going to be a keyboard layout code. Which of the passwords have real words in them?
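
An added illustration, not part of the thread and not Pi's actual code (which the thread never reveals): a hypothetical keyboard-shift code on an assumed 4x10 key grid, showing why a scheme that "retains a lot of the structure of the originals" gives a stored password file little protection. The letter-repeat pattern survives encoding, and the whole key space is only 40 shifts. The grid, the shift rule, the wordlist and the sample are all constructed for the example.

```python
# Added illustration. The layout and the shift rule are assumptions made for
# this example; the thread never reveals the code Pi actually used.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]

def shift_table(dx, dy):
    """Map every key to the key dx columns right and dy rows down, wrapping."""
    return {ch: ROWS[(r + dy) % 4][(c + dx) % 10]
            for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

def encode(text, dx, dy):
    """Substitute key by key; characters outside the grid pass through."""
    table = shift_table(dx, dy)
    return "".join(table.get(ch, ch) for ch in text.lower())

def letter_pattern(text):
    """Repeat pattern, e.g. 'letter' -> (0, 1, 2, 2, 1, 3)."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen)) for ch in text)

def pattern_matches(ciphertext, wordlist):
    """Words with the ciphertext's repeat pattern; no key needed."""
    target = letter_pattern(ciphertext)
    return sorted(w for w in wordlist if letter_pattern(w) == target)

def candidate_keys(ciphertext, wordlist):
    """Try all 40 shifts and keep those that decode to a listed word."""
    hits = []
    for dy in range(4):
        for dx in range(10):
            plain = encode(ciphertext, -dx, -dy)
            if plain in wordlist:
                hits.append((dx, dy, plain))
    return hits

WORDS = {"letter", "coffee", "pepper", "kettle"}  # constructed wordlist
SAMPLE = encode("letter", 1, 1)                   # constructed ciphertext

if __name__ == "__main__":
    print(SAMPLE, letter_pattern(SAMPLE))
    print(pattern_matches(SAMPLE, WORDS))
    print(candidate_keys(SAMPLE, WORDS))
```

A password manager or any keyed cipher with a large key space removes both weaknesses, since neither the repeat pattern nor a 40-way search then tells a reader anything.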
 