Passwordle (opens in new tab)

(rsk0315.github.io)

956 pointssnthueoa4y ago249 comments

249 comments

127 comments · 50 top-level

moritonal4y ago· 18 in thread

There is like... four people I know I could send this to who'd laugh, it's so niche. Yet I also laughed out loud when I got how conventionally impossible it is.

VikingCoder4y ago

Winners never quit. And quitters never win.

But those who never win AND never quit are idiots.

jonnycomputer4y ago

That's because winners know when not to play.

2 more replies

SMAAART4y ago

this is deep.

mlyle4y ago

Is it?

6 guesses and I have 14 hex digits (56 bits) of the hash, along with knowing the population counts for all the numbers. This is enough to run a password cracker and determine the plaintext if it's a readily guessed password.

Sure, it breaks conventional use of rainbow tables, etc, but...

edit: Eh, 14 characters. OK, that's pretty resistant to anything other than debugging.

residualmind4y ago

How does that help you when any of your inputs' digest is not related to any other's, not even knowing the target length of the original message? what am i missing?

3 more replies

acchow4y ago

This isn’t how Sha works

2 more replies

eganist4y ago

I ended up crossposting it to the few security rooms I'm in for quick laughs

But for what it's worth, this also serves as a great initial CTF-type introduction to how debuggers work in web browsers.

jerf4y ago

If the debugger is open, Passwordle automatically breaks the execution right where the answer is determined.

Now that's service.

1 more reply

cco4y ago

As someone that works at an authentication API company, there are _dozens_ of us who found this hilarious.

> Yet I also laughed out loud when I got how conventionally impossible it is. Maybe give it a whirl with https://sha256algorithm.com/? haha

scbrg4y ago

It's not impossible. I hear Bruce Schneier got the correct hash on the first try.

https://www.schneierfacts.com/

(Sorry for the very HN:ish post, but I feel it's somewhat in the spirit of this story)

ben_w4y ago

Hah!

I don’t get this one, though: https://www.schneierfacts.com/facts/694

Searching for the number gets me Mill’s Constant, but I don’t get the connection to sugar or why it would be repeated.

1 more reply

masswerk4y ago

Well, it made me laugh. Thanks, that's what the Internet is for! (Namely, amusing content about the technicalities of the Internet.)

antirez4y ago

You can easily guess the right sha256 just using random strings and overlapping correct characters and then you can run a dictionary attack on it, or a brute force one if it's not too long.

MattPalmer10864y ago

You get a SHA256 hash of each guess. The hints you get on each guess are useless to help you with the next guess.

1 more reply

nmz4y ago

Well, go ahead, we're waiting.

LeoNatan254y ago

I laughed. It’s excellent, and great fit for the crowd here.

jacobkg4y ago

I laughed so hard

JAlexoid4y ago

Oh wow! You have a lot of friends!... (unironic self deprecating voice)

moltenguardian4y ago· 8 in thread

Someone more capable than I should make the final form of this: No green or yellow feedback is provided, but only the timing information used to calculate it. If cryptographers are serious about side-channel attacks, why not show off the danger using no-information Wordle?

(edit: Absurdle was taken)

brainfish4y ago

An Absurdle exists[1], but instead of giving no hints it is adversarial, e.g. changing the secret word to dodge your guesses.

[1] https://qntm.org/files/absurdle/absurdle.html

pvity4y ago

If you like this, you might like Quantum Childminding too: https://www.puzzlescript.net/play.html?p=f7712f978d624c66f1f...

It's about looking after Schrodinger's daughter; similar to the above, she appears only if you prove she cannot be anywhere else.

I like this game a lot, especially how it's easy to understand & fun to play with.

1 more reply

bradrn4y ago

Thanks for highlighting this — I’ve been waiting for something else by QNTM! I’ll note he has done this sort of thing before, in the form of HATETRIS [https://qntm.org/hatetris].

SamPatt4y ago

That's actually quite fun!

dane-pgp4y ago

Given that speed/timing is important, and the rules are designed to impede your progress, how about calling it Hurdle?

p4bl04y ago

Absurdle already exists: https://qntm.org/files/absurdle/absurdle.html ;)

Narishma4y ago

They should name it something else as absurdle is already taken.

https://qntm.org/files/absurdle/absurdle.html

mleonhard4y ago

Timing of SHA-256 reveals only the length of the input.

raesene94y ago· 8 in thread

nice, though I'm very disappointed the answer wasn't hunter2

MichaelVangard4y ago

I don’t get it? Why would the answer be *******?

TonyTrapp4y ago

Because that would be hunter2 hilarious. I'd laugh my hunter2 ass off!

2 more replies

wayne-li24y ago

Wait, you can’t see it either?

torgard4y ago

Yeah same. From the source code, the answer is a random 14-character string, generated on load:

    function randomPassword() {
        let letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        let digits = '0123456789';
        let punctuation = '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~';
        let s = letters.repeat(7) + digits.repeat(4) + punctuation.repeat(3);
        let length = 14;
        let res = Array.from({length}, (() => s[randomInt(s.length)])).join('');
        debugger; // どうぞ
        return res;
    }

DonHopkins4y ago

I wish it accepted a given password from a url query parameter, so this url would work:

https://rsk0315.github.io/playground/passwordle.html?passwor...

Or the way bikeshed.com lets you configure the color with the domain name, like:

https://bisque.bikeshed.com/

Then they could monetize it by selling gullible suckers NFTs of urls pointing to Passwordle games of their passwords.

1 more reply

boothby4y ago

I treated this the same way I started when solving absurdle, wordle, and hurdle: find the database, get crackin' on a decision tree. But, after estimating 1.2e17 possible passwords in the "database," it only feels fair to accept the invitation to use the debugger.

zwayhowder4y ago

Literally my first guess.

abdusco4y ago

I tried in these classics in vain:

- hunter2

- password

- correcthorsebatterystaple

politelemon4y ago· 7 in thread

Password is randomized on each load. Author has conveniently left a debugger statement in the code.

core-utility4y ago

Part of me wishes the author just took common passwords from rockyou.txt so that they're at least guessable. Though random really does add to the absurdity.

jpeter4y ago

Or use a new password every day like worle. So you have a community effort to guess it

2 more replies

NoboruWataya4y ago

My first try was "hunter2", then I gave up.

ugjka4y ago

It's OK, the goal is to find a collision

TYMorningCoffee4y ago

I did not know about the debugger statement until I read your comment: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe... . Thank you.

aerovistae4y ago

Massively useful! I also recently learned you can right click a line of code in the chrome debugger to add a logpoint - i.e. "log the value of this expression when you reach this point in the code" - so I don't have to manually add console.log statements. Basically the reverse of discovering the debugger statement!

4 more replies

xeromal4y ago

It's pretty powerful. I oftentimes struggle to get VS code to pick up a breakpoint when debugging serverless node functions, but the debugger statement usually gets it working.

travisgriggs4y ago· 7 in thread

They cynical side of me notes what a great phish this could be. People are inclined to enter passwords they regularly use just to see the visualization of their favorite passwords. With a little logging -> send home, you'd be harvesting passwords left and right.

grp0004y ago

Would the type of people amused by this have that weakness though?

hbn4y ago

It's hosted on Github Pages which is just static file serving. And thanks to CORS restrictions I don't think you could phone home.

Unless there's a workaround I'm not thinking of.

jamespwilliams4y ago

GitHub pages are served with Access-Control-Allow-Origin: *, so the SOP doesn’t apply.

They also don’t set a CSP header, which opens up the opportunity to exfiltrate data by other means, e.g having the browser load an image on your.site/$password.jpg.

1 more reply

Sohcahtoa824y ago

The CORS policy is set by the server receiving the request, not the page/server sending it.

heartbeats4y ago

Can't you embed off-site images?

thebruce87m4y ago

Well damn, I’ll have to change Hunter2 everywhere now.

peanut_worm4y ago

is a password very useful without any other identifier though?

1 more reply

burke4y ago· 6 in thread

This would be kind of fun to write a solver for. You'd burn the first few guesses to get some positional constraints, then filter a rainbow table down to viable guesses. I'm not sure you'd be able to get a very good success rate in just 10 possible guesses though.

FabHK4y ago

It could work theoretically (the password contains around 90 bits, and from each row you can glean, dunno, some 64 bits of info (64 characters that can be yellow, gray or green, so 101 bits, but there are constraints on that - very unlikely that all characters are gray, for example)).

In practice, I don't think it's computationally feasible. You can't keep all 2^90 = 10^27 possible solutions around in memory. Bitcoin does 200 EH/s, so 2e20 hashes/s. So the entire bitcoin mining network would have to work for 2 months (5e6 seconds) or so - don't see how you can meaningfully reduce the work (it would indicate a flaw in SHA256, no?).

runnerup4y ago

To me it seems like the password is 14 bytes, because they're 14 characters (112 bits). How do you get 90 bits?

It also uses 96 possible characters for each digit. Just storing the 96^14 different passwords without even adding their corresponding SHA hashes would require 5646 yottabytes. Which is more than 4 orders of magnitude larger than all the world's digital storage capacity combined together.

1 more reply

tetha4y ago

If you can casually write an algorithm to break a modern cryptographic hash in 10 guesses... I would like to know. Because then I have to decide if I want to be a very good friend of you, once you get rich, or if I want to stay as far away from you as possible once the state intelligence agencies come after you.

phire4y ago

It's not a cryptographic break.

It's simply a regular password cracking algorithm, but with instead of knowing the full hash, you only know a partial hash.

It should be viable, even without rainbow tables. That's why plain, unsalted sha256 is very unsafe for password storage.

1 more reply

onionisafruit4y ago

If passwordle had a list of all possible solutions like wordle does, this would be doable.

jfk134y ago

If it had a list of all possible solutions, it'd take quite a bit more bandwidth to load...

boothby4y ago· 4 in thread

Got it in one "guess." Apparently どうぞ means "here you are." Makes me think the brick was deliberately left in the door for folks who look for such things.

koolba4y ago

My first guess was "friend", a la the Doors of Durin.

http://tolkiengateway.net/wiki/Doors_of_Durin

yreg4y ago

It should be mellon.

Bad_CRC4y ago

“The Four Most-Used Passwords Are Love, Sex, Secret, and God”

1 more reply

Auracle4y ago

I tried hunter2

1 more reply

teatoli4y ago· 4 in thread

What exactly is this showing ?

barbazoo4y ago

It's a clone of the popular wordle game where you have to guess a word, except here, you have to guess a password but instead of telling you which characters of the password are correct it tells you which characters of the corresponding SHA-256 hash are, which makes this pretty much impossible to solve as the whole point of a hash are that small changes in the input (such as a different character in the password) results in big changes in the hash.

samwillis4y ago

> pretty much impossible to solve

Literal understatement of all time…

1 more reply

__s4y ago

You can make a rainbow table of the possible passwords & converge pretty quickly

Don't hash passwords. Use pbkdf2 or some better alternative (I suggest pbkdf2 because it's widely implemented)

1 more reply

dskloet4y ago

It's Wordle but it hashes your guess before applying hints.

dorianmariefr4y ago· 3 in thread

passWORDLE 1/1064 0 ⬜0 https://rsk0315.github.io/playground/passwordle.html

on Chrome, open Dev Tools and type `res` to get the password :)

Thorentis4y ago

Gee, I'm so glad somebody posted this so that I can cheat on a game that is not competitive and that I'm playing voluntarily and that has no bragging rights because of how niche it is.

IncRnd4y ago

Yes, but the point is to show that each password produces a sha256 not correlated to the sha256 of other passwords. That people actually tried to guess this way shows that not everyone is aware of the sha256's purpose.

KerryJones4y ago

Not defined for me

TremendousJudge4y ago· 3 in thread

literally made me laugh out loud, well done

delaaxe4y ago

Me too but this can never be sold right

core-utility4y ago

What, Wired Magazine won't buy this for $3 Million?

1 more reply

ziml774y ago

Same here! I love the absurdity of this one given the nature of cryptographic hash functions.

samwillis4y ago· 3 in thread

My wife was looking at me when I opened this.

“What are you grinning at?”

I just locked my phone and put it face down on the table…

jdthedisciple4y ago

Why would you do that xD - I'd have explained it to her instead, doing what you did I'm not sure I'd be happy about as wifey ...

qzw4y ago

You see, if he does that when it’s perfectly innocent, then his wife would be conditioned to ignore the behavior in the future. So when he’s truly up to no good at some point, he won’t be doing anything different than “normal”. The man is probably some kind of criminal mastermind.

samwillis4y ago

Ha! Quite true, maybe poor attempt at humour stopping the story there.

I actually did explain after that ellipsis, her response:

“That’s niche!”

She is also well aware of what hashing is.

marginalia_nu4y ago· 2 in thread

I've tried 123456, password, and secret, and I'm all out of ideas.

takeda4y ago

hint: it needs to be 14 characters

remram4y ago

So password123456 then?

CGamesPlay4y ago· 1 in thread

Wordle has a "hard mode" where guesses aren't accepted unless they reuse hints previously given. This is clearly missing from this adaptation.

stevewodil4y ago

0/10 literally unplayable.

drtz4y ago· 1 in thread

No bcrypt?

drdaeman4y ago

Should've been Argon2id

daneel_w4y ago· 1 in thread

There's something interesting to note in the visualized gradient distribution after guessing some common English words: https://i.imgur.com/hDSBaYw.png

eganist4y ago

That's a consequence of certain characters not reappearing in the hash as compared to the hash of the actual password.

This would become more apparent if this traded in sha512s instead.

dezmou4y ago· 1 in thread

do I gain a bitcoin if I win ?

Anunayj4y ago

well if you manage to break sha256, sure you do ;)

ledoge4y ago

Also see dwordle, where you have to guess a function pointer: https://twitter.com/zhuowei/status/1482175505185095682

c0nsumer4y ago

Thinking about this a bit deeper, it's a pretty good system for explaining a bunch of technologies to others (those mentoring, etc). There's the reason why it's not possible to win via the front door, how basic client side JS apps are put together, basics of using debugging tools...

Drew_4y ago

This is begging for a hard mode option

moscovium4y ago

I laughed. I can't wait for this to be used as a problem on some CS final.

judofyr4y ago

Plain SAH256? Come on, use a salt please!

core-utility4y ago

Hard mode: Password + Salt

rabuse4y ago

Solved mine in Firefox, using the JS debugger, and viewing the scope of the randomPassword function. "nSQXy3Qwl3E<qV". All your wordle are belong to me!

hbn4y ago

I won*!

*grabbed the expected hash from judgeEvent(), then made hash() return it

edit: I see from other comments he actually pre-loaded randomPassword() with a debugger statement. Oh well!

circa4y ago

I feel like Kramer with the moviefone number. "why don't you just tell me..."

quantumite4y ago

This is hilarious, I love it! I've already shared it half a dozen times...LOL!

umvi4y ago

You could do a version of this with a two-way function like base64 and it would still be possible but very difficult without programmatic guessing.

d--b4y ago

Just checked the source, I am so sad that the answer is actually random. Couldn't read the comments in Japanese though

1 more reply

MailNerd4y ago

Please do not use SHA256 for storing passwords, use Argon2

;)

Kluny4y ago

It's not hunter2, correcthorsebatterystaple, password123, swordfish, or my gmail password. Anyone got it?

davidfactorial4y ago

Oh my goodness this is the out loudest I have laughed at a tech thing in a long time. Cheers to you :)

gfody4y ago

this would be a good variant for Grant Sanderson to point his information theoretical solver at as a way to educate us on how/why sha256 leaks information that might be leveraged to crack a password, why to salt our hashes, etc.

srinathkrishna4y ago

At least let people change the hash function to MD5 to give them a chance! :D

agys4y ago

More or less how PoW works…

srinathkrishna4y ago

I was expecting the hash to be MD5 to at least give people a chance! :D

o4b4y ago

I have not laughed like this for weeks. Well done OP.

wbecher4y ago

passWORDLE X/10 5 46 ⬜13 5 46 ⬜13 1 44 ⬜19 4 46 ⬜14 5 42 ⬜17 3 42 ⬜19 6 44 ⬜14 0 45 ⬜19 5 41 ⬜18 3 43 ⬜18

IMAYousaf4y ago

I will successfully solve this one day.

dschulz4y ago

the wordle craze is getting out of hand

pjerem4y ago

Well, that’s not "dolphins".

skilled4y ago

What the hell.

syngrog664y ago

brilliant. now someone do this for Bitcoin/Ethereum address private keys

(asking for a friend. cough)

girafffe_i4y ago

Incredible. Lol'd pretty hard.

twopsix4y ago

Seems kinda impossible to do, lel

nathias4y ago

maybe wordle is just a frontend for a human powered distributed dictionary attack

susrev4y ago

This is great fun. Thank you.

aspyct4y ago

Aaah this hurts my brain

testelastic4y ago

this is insanely funny

testelastic4y ago

This is insanely funny

manceraio4y ago

This is a masterpiece.

j / k navigate · click thread line to collapse

249 comments

127 comments · 50 top-level

moritonal4y ago· 18 in thread

There is like... four people I know I could send this to who'd laugh, it's so niche. Yet I also laughed out loud when I got how conventionally impossible it is.

VikingCoder4y ago

Winners never quit. And quitters never win.

But those who never win AND never quit are idiots.

jonnycomputer4y ago

That's because winners know when not to play.

2 more replies

SMAAART4y ago

this is deep.

mlyle4y ago

Is it?

Sure, it breaks conventional use of rainbow tables, etc, but...

edit: Eh, 14 characters. OK, that's pretty resistant to anything other than debugging.

residualmind4y ago

How does that help you when any of your inputs' digest is not related to any other's, not even knowing the target length of the original message? what am i missing?

3 more replies

acchow4y ago

This isn’t how Sha works

2 more replies

eganist4y ago

I ended up crossposting it to the few security rooms I'm in for quick laughs

But for what it's worth, this also serves as a great initial CTF-type introduction to how debuggers work in web browsers.

jerf4y ago

If the debugger is open, Passwordle automatically breaks the execution right where the answer is determined.

Now that's service.

1 more reply

cco4y ago

As someone that works at an authentication API company, there are _dozens_ of us who found this hilarious.

> Yet I also laughed out loud when I got how conventionally impossible it is. Maybe give it a whirl with https://sha256algorithm.com/? haha

scbrg4y ago

It's not impossible. I hear Bruce Schneier got the correct hash on the first try.

https://www.schneierfacts.com/

(Sorry for the very HN:ish post, but I feel it's somewhat in the spirit of this story)

ben_w4y ago

Hah!

I don’t get this one, though: https://www.schneierfacts.com/facts/694

Searching for the number gets me Mill’s Constant, but I don’t get the connection to sugar or why it would be repeated.

1 more reply

masswerk4y ago

Well, it made me laugh. Thanks, that's what the Internet is for! (Namely, amusing content about the technicalities of the Internet.)

antirez4y ago

You can easily guess the right sha256 just using random strings and overlapping correct characters and then you can run a dictionary attack on it, or a brute force one if it's not too long.

MattPalmer10864y ago

You get a SHA256 hash of each guess. The hints you get on each guess are useless to help you with the next guess.

1 more reply

nmz4y ago

Well, go ahead, we're waiting.

LeoNatan254y ago

I laughed. It’s excellent, and great fit for the crowd here.

jacobkg4y ago

I laughed so hard

JAlexoid4y ago

Oh wow! You have a lot of friends!... (unironic self deprecating voice)

moltenguardian4y ago· 8 in thread

(edit: Absurdle was taken)

brainfish4y ago

An Absurdle exists[1], but instead of giving no hints it is adversarial, e.g. changing the secret word to dodge your guesses.

[1] https://qntm.org/files/absurdle/absurdle.html

pvity4y ago

If you like this, you might like Quantum Childminding too: https://www.puzzlescript.net/play.html?p=f7712f978d624c66f1f...

It's about looking after Schrodinger's daughter; similar to the above, she appears only if you prove she cannot be anywhere else.

I like this game a lot, especially how it's easy to understand & fun to play with.

1 more reply

bradrn4y ago

Thanks for highlighting this — I’ve been waiting for something else by QNTM! I’ll note he has done this sort of thing before, in the form of HATETRIS [https://qntm.org/hatetris].

SamPatt4y ago

That's actually quite fun!

dane-pgp4y ago

Given that speed/timing is important, and the rules are designed to impede your progress, how about calling it Hurdle?

p4bl04y ago

Absurdle already exists: https://qntm.org/files/absurdle/absurdle.html ;)

Narishma4y ago

They should name it something else as absurdle is already taken.

https://qntm.org/files/absurdle/absurdle.html

mleonhard4y ago

Timing of SHA-256 reveals only the length of the input.

raesene94y ago· 8 in thread

nice, though I'm very disappointed the answer wasn't hunter2

MichaelVangard4y ago

I don’t get it? Why would the answer be *******?

TonyTrapp4y ago

Because that would be hunter2 hilarious. I'd laugh my hunter2 ass off!

2 more replies

wayne-li24y ago

Wait, you can’t see it either?

torgard4y ago

Yeah same. From the source code, the answer is a random 14-character string, generated on load:

    function randomPassword() {
        let letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        let digits = '0123456789';
        let punctuation = '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~';
        let s = letters.repeat(7) + digits.repeat(4) + punctuation.repeat(3);
        let length = 14;
        let res = Array.from({length}, (() => s[randomInt(s.length)])).join('');
        debugger; // どうぞ
        return res;
    }

DonHopkins4y ago

I wish it accepted a given password from a url query parameter, so this url would work:

https://rsk0315.github.io/playground/passwordle.html?passwor...

Or the way bikeshed.com lets you configure the color with the domain name, like:

https://bisque.bikeshed.com/

Then they could monetize it by selling gullible suckers NFTs of urls pointing to Passwordle games of their passwords.

1 more reply

boothby4y ago

zwayhowder4y ago

Literally my first guess.

abdusco4y ago

I tried in these classics in vain:

- hunter2

- password

- correcthorsebatterystaple

politelemon4y ago· 7 in thread

Password is randomized on each load. Author has conveniently left a debugger statement in the code.

core-utility4y ago

Part of me wishes the author just took common passwords from rockyou.txt so that they're at least guessable. Though random really does add to the absurdity.

jpeter4y ago

Or use a new password every day like worle. So you have a community effort to guess it

2 more replies

NoboruWataya4y ago

My first try was "hunter2", then I gave up.

ugjka4y ago

It's OK, the goal is to find a collision

TYMorningCoffee4y ago

I did not know about the debugger statement until I read your comment: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe... . Thank you.

aerovistae4y ago

4 more replies

xeromal4y ago

It's pretty powerful. I oftentimes struggle to get VS code to pick up a breakpoint when debugging serverless node functions, but the debugger statement usually gets it working.

travisgriggs4y ago· 7 in thread

grp0004y ago

Would the type of people amused by this have that weakness though?

hbn4y ago

It's hosted on Github Pages which is just static file serving. And thanks to CORS restrictions I don't think you could phone home.

Unless there's a workaround I'm not thinking of.

jamespwilliams4y ago

GitHub pages are served with Access-Control-Allow-Origin: *, so the SOP doesn’t apply.

They also don’t set a CSP header, which opens up the opportunity to exfiltrate data by other means, e.g having the browser load an image on your.site/$password.jpg.

1 more reply

Sohcahtoa824y ago

The CORS policy is set by the server receiving the request, not the page/server sending it.

heartbeats4y ago

Can't you embed off-site images?

thebruce87m4y ago

Well damn, I’ll have to change Hunter2 everywhere now.

peanut_worm4y ago

is a password very useful without any other identifier though?

1 more reply

burke4y ago· 6 in thread

FabHK4y ago

runnerup4y ago

To me it seems like the password is 14 bytes, because they're 14 characters (112 bits). How do you get 90 bits?

1 more reply

tetha4y ago

phire4y ago

It's not a cryptographic break.

It's simply a regular password cracking algorithm, but with instead of knowing the full hash, you only know a partial hash.

It should be viable, even without rainbow tables. That's why plain, unsalted sha256 is very unsafe for password storage.

1 more reply

onionisafruit4y ago

If passwordle had a list of all possible solutions like wordle does, this would be doable.

jfk134y ago

If it had a list of all possible solutions, it'd take quite a bit more bandwidth to load...

boothby4y ago· 4 in thread

Got it in one "guess." Apparently どうぞ means "here you are." Makes me think the brick was deliberately left in the door for folks who look for such things.

koolba4y ago

My first guess was "friend", a la the Doors of Durin.

http://tolkiengateway.net/wiki/Doors_of_Durin

yreg4y ago

It should be mellon.

Bad_CRC4y ago

“The Four Most-Used Passwords Are Love, Sex, Secret, and God”

1 more reply

Auracle4y ago

I tried hunter2

1 more reply

teatoli4y ago· 4 in thread

What exactly is this showing ?

barbazoo4y ago

samwillis4y ago

> pretty much impossible to solve

Literal understatement of all time…

1 more reply

__s4y ago

You can make a rainbow table of the possible passwords & converge pretty quickly

Don't hash passwords. Use pbkdf2 or some better alternative (I suggest pbkdf2 because it's widely implemented)

1 more reply

dskloet4y ago

It's Wordle but it hashes your guess before applying hints.

dorianmariefr4y ago· 3 in thread

passWORDLE 1/1064 0 ⬜0 https://rsk0315.github.io/playground/passwordle.html

on Chrome, open Dev Tools and type `res` to get the password :)

Thorentis4y ago

Gee, I'm so glad somebody posted this so that I can cheat on a game that is not competitive and that I'm playing voluntarily and that has no bragging rights because of how niche it is.

IncRnd4y ago

KerryJones4y ago

Not defined for me

TremendousJudge4y ago· 3 in thread

literally made me laugh out loud, well done

delaaxe4y ago

Me too but this can never be sold right

core-utility4y ago

What, Wired Magazine won't buy this for $3 Million?

1 more reply

ziml774y ago

Same here! I love the absurdity of this one given the nature of cryptographic hash functions.

samwillis4y ago· 3 in thread

My wife was looking at me when I opened this.

“What are you grinning at?”

I just locked my phone and put it face down on the table…

jdthedisciple4y ago

Why would you do that xD - I'd have explained it to her instead, doing what you did I'm not sure I'd be happy about as wifey ...

qzw4y ago

samwillis4y ago

Ha! Quite true, maybe poor attempt at humour stopping the story there.

I actually did explain after that ellipsis, her response:

“That’s niche!”

She is also well aware of what hashing is.

marginalia_nu4y ago· 2 in thread

I've tried 123456, password, and secret, and I'm all out of ideas.

takeda4y ago

hint: it needs to be 14 characters

remram4y ago

So password123456 then?

CGamesPlay4y ago· 1 in thread

Wordle has a "hard mode" where guesses aren't accepted unless they reuse hints previously given. This is clearly missing from this adaptation.

stevewodil4y ago

0/10 literally unplayable.

drtz4y ago· 1 in thread

No bcrypt?

drdaeman4y ago

Should've been Argon2id

daneel_w4y ago· 1 in thread

There's something interesting to note in the visualized gradient distribution after guessing some common English words: https://i.imgur.com/hDSBaYw.png

eganist4y ago

That's a consequence of certain characters not reappearing in the hash as compared to the hash of the actual password.

This would become more apparent if this traded in sha512s instead.

dezmou4y ago· 1 in thread

do I gain a bitcoin if I win ?

Anunayj4y ago

well if you manage to break sha256, sure you do ;)

ledoge4y ago

Also see dwordle, where you have to guess a function pointer: https://twitter.com/zhuowei/status/1482175505185095682

c0nsumer4y ago

Drew_4y ago

This is begging for a hard mode option

moscovium4y ago

I laughed. I can't wait for this to be used as a problem on some CS final.

judofyr4y ago

Plain SAH256? Come on, use a salt please!

core-utility4y ago

Hard mode: Password + Salt

rabuse4y ago

Solved mine in Firefox, using the JS debugger, and viewing the scope of the randomPassword function. "nSQXy3Qwl3E<qV". All your wordle are belong to me!

hbn4y ago

I won*!

*grabbed the expected hash from judgeEvent(), then made hash() return it

edit: I see from other comments he actually pre-loaded randomPassword() with a debugger statement. Oh well!

circa4y ago

I feel like Kramer with the moviefone number. "why don't you just tell me..."

quantumite4y ago

This is hilarious, I love it! I've already shared it half a dozen times...LOL!

umvi4y ago

You could do a version of this with a two-way function like base64 and it would still be possible but very difficult without programmatic guessing.

d--b4y ago

Just checked the source, I am so sad that the answer is actually random. Couldn't read the comments in Japanese though