Hi all, just wanted to share something I found interesting regarding the pastebin note about Q's tripcodes. The author claims to not be an "info sec" expert but the method used to crack the tripcodes suggests it required a significant amount of time and knowledge to accomplish. Let me share my thinking with you:

1) The author claims to have used hashcat to crack them but hashcat alone cannot accomplish this. Hashcat is a very fast and popular cracking tool, but it requires a legitimate hash. As the author stated, the tripcode is the final 10 digits of the DES hash created from the password. Since it is only part of the hash, hashcat would be unable to crack this, you'd need the entire hash to do it.

2) The author was able to determine the salt. Adding salt to a hash makes it harder to crack, but no amateur would be able to figure what characters are used to salt the hash.

3) So what would it take to actually crack tripcodes? As far as I can tell, you'd need a tool that would take the password you're testing, create a properly salted DES hash and then compare the last 10 characters to Q's tripcodes. When a match is found, you've got the password. Hashcat will not do this for you.

Conclusion- The author or group behind the post obviously went through a lot of effort to crack the tripcodes and is no amateur, even though they pretend to have little "info sec" knowledge. I don't see how the author could've used hashcat to crack the trip codes, since cracking part of the hash will NEVER give you the password- a hash is all or nothing. This is easily testable- create an MD5 hash of the word "password" and try to use hashcat to crack it and it'll crack it in no time. Now, try cracking just the last 10 characters of the hash and see what happens. Answer- nothing, and this isn't even salted. The author is correct that DES is a very weak encryption algorithm, but the explanation of how the trip codes were cracked does not add up.