I was surprised that Q didn't go with the !!! Trips as they are better than the !! ones; I.e. !!! are more consistent with current day password security. So !! Is is better than !, but not as much as you'd hope.
I have to assume Q knows this, but I'm not sure what to make of it. Unless Q's using it to guage is opponents.
I think it's more about deciding to crack than ability. You should be able to crack a regular trip for around $10,000 or less of AWS time. Or there are DES cracking machines that can be bought/rented to do it. So while it costs money, it's not nation state or GS level money by any stretch.
Salt is the least of the problem. ! And !! use DES as the underlying hash algo. !!! uses sha256. Yes you need the salt, but that's not even half the problem - and in reality you crack both at the same time anyway.
IIRC !! Has a board specific salt, which exposes CM and possibly BO in the same way - the mitigating factor being that the algo is weaker.
OTOH, it may just be a way of making the enemy spend more money. With cracks of this type it is usually more expensive to crack the first ones, the later ones get cheaper. So up the ante and 1)slow them down a bit as they adjust and 2) make them spend more money.
So it literally may be a money counterattack.
Even sha256, when used for password hashing has its weaknesses, which is why NIST recommends things like PBKDF2, scrypt, and bcrypt (I think there's one more but it eluded me for the moment).
And if Q is using a simplistic password that shows up in one of the myriad of comped passwords (which have 100's of millions of them these days), or a short one with simple alphanum chars, a cracked sha256 trip is still not necessarily indicative of scary tech.
I doubt the C_A would be interested in cracking the trip. What does cracking the trip allow you to do? Allows you to claim to be, or have been Q.
So who would get value from cracking the trip? Losers like Posobiec, or other pretender posers.
>Does cracking the trips give any insight into cracking boards that Q controls?
I would presume that the authorization tokens Q uses to authenticate his own boards are considerably more secure, though I haven't looked at that code in the 8ch source to know what weaknesses there might be. But I'd think it safe to say he's not using passwords like Matlock. In short, I'd be stunned it the passwords Q uses for trip codes would give any insight into his board ownership creds.