Tripcode
Encyclopedia
A tripcode is a means of telecommunication
authentication
that does not require registration. Tripcodes are most often used in 2channel
-style message boards or Futaba Channel
-style imageboard
s. A tripcode is a hashed password
by which a person can be identified by others.
A tripcode is the result of input to a cryptographic hash function
on the message board server, usually entered in the same field as the name. Using the common 2channel format,
Readers of the board can identify postings made by the same user by comparing tripcodes. If two people use the same user name, they can be told apart because they, presumably, don't know each other's passwords that generate the different tripcodes. This way, the names and passwords don't have to be stored in a database
. As many boards use the same algorithm, tripcodes are usually consistent.
Since this is merely a de facto standard
, actual implementations vary widely. Most noticeably, many implementations substitute various characters with their HTML entities. For example, 2channel translates <, >, and " to <, >, and ". Other implementations also replace other characters, e.g. & and '. However, this behavior was likely due to a bug in the original implementation, and since each board has different behavior it should not be considered part of the algorithm. Further, some boards don't perform the Shift JIS conversion. Lastly, as a historical note, the original implementation only used the last 8 characters, but this has been fully replaced by 10-character tripcodes.
stored on the server. As this salt is secret and site specific one cannot use a pre-computed preimage attack
such as rainbow table
s.
One of the drawbacks of secure tripcodes is that they are specific to a single imageboard or discussion board. Because of this, a user cannot verify his or her identity across multiple boards or websites unless each board happens to use the same secret salt as well as the same method of generating and displaying secure tripcodes. Coupled with the fact that it is fairly rare that a user goes through the trouble of discovering another user's tripcode string, many users opt to use normal tripcodes. However, with increasing computer power becoming available to the average user, and also the ability to use the computing power of a user's GPU, the security of a normal tripcode is rapidly declining.
Telecommunication
Telecommunication is the transmission of information over significant distances to communicate. In earlier times, telecommunications involved the use of visual signals, such as beacons, smoke signals, semaphore telegraphs, signal flags, and optical heliographs, or audio messages via coded...
authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
that does not require registration. Tripcodes are most often used in 2channel
2channel
is a Japanese textboard. In 2007 there were 2.5 million posts made every day. Launched in 1999, it has gained significant influence in Japanese society, comparable to that of traditional mass media such as television, radio, and magazines. As of 2008, the site generates revenue upwards of ¥100...
-style message boards or Futaba Channel
Futaba Channel
, or Futaba for short, is an internet forum in Japan. It is a popular Japanese imageboard dealing in otaku and underground culture.-Origin:Futaba Channel was set up on August 30, 2001, as a refuge for 2channel users when 2channel was in danger of shutting down...
-style imageboard
Imageboard
An imageboard or image board is a type of Internet forum that revolves around the posting of images. The first imageboards were created in Japan, and many English-language imageboards today are centered around Japanese culture...
s. A tripcode is a hashed password
Password
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource . The password should be kept secret from those not allowed access....
by which a person can be identified by others.
A tripcode is the result of input to a cryptographic hash function
Cryptographic hash function
A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the hash value, such that an accidental or intentional change to the data will change the hash value...
on the message board server, usually entered in the same field as the name. Using the common 2channel format,
name#tripcode
when entered as a username becomes name!3GqYIJ3Obs
when displayed in the post. The !
is the separator between name and tripcode; on some boards it is replaced with ◆
.Readers of the board can identify postings made by the same user by comparing tripcodes. If two people use the same user name, they can be told apart because they, presumably, don't know each other's passwords that generate the different tripcodes. This way, the names and passwords don't have to be stored in a database
Database
A database is an organized collection of data for one or more purposes, usually in digital form. The data are typically organized to model relevant aspects of reality , in a way that supports processes requiring this information...
. As many boards use the same algorithm, tripcodes are usually consistent.
Description of the algorithm
The tripcode function works as follows:- Convert the input to Shift JIS.
- Generate the saltSalt (cryptography)In cryptography, a salt consists of random bits, creating one of the inputs to a one-way function. The other input is usually a password or passphrase. The output of the one-way function can be stored rather than the password, and still be used for authenticating users. The one-way function...
as follows:- Take the second and third characters of the string obtained by appending H.. to the end of the input.
- Replace any characters not between . and z with ..
- Replace any of the characters in :;<=>?@[\]^_` with the corresponding character from ABCDEFGabcdef.
- Call the crypt function with the input and salt.
- Return the last 10 characters. (compressional data harvest)
Since this is merely a de facto standard
De facto standard
A de facto standard is a custom, convention, product, or system that has achieved a dominant position by public acceptance or market forces...
, actual implementations vary widely. Most noticeably, many implementations substitute various characters with their HTML entities. For example, 2channel translates <, >, and " to <, >, and ". Other implementations also replace other characters, e.g. & and '. However, this behavior was likely due to a bug in the original implementation, and since each board has different behavior it should not be considered part of the algorithm. Further, some boards don't perform the Shift JIS conversion. Lastly, as a historical note, the original implementation only used the last 8 characters, but this has been fully replaced by 10-character tripcodes.
Secure tripcodes
Tripcodes are not a very secure authentication method. Since the keyspace of 2channel-style tripcodes is not very large (slightly larger than 256) some boards implement a secure tripcode along with normal tripcodes. In their case another hash is used that takes a second input (typically in the form ofname##securetripcode
or name#tripcode##securetripcode
) and uses a secret saltSalt (cryptography)
In cryptography, a salt consists of random bits, creating one of the inputs to a one-way function. The other input is usually a password or passphrase. The output of the one-way function can be stored rather than the password, and still be used for authenticating users. The one-way function...
stored on the server. As this salt is secret and site specific one cannot use a pre-computed preimage attack
Preimage attack
In cryptography, the preimage attack is a classification of attacks on hash functions for finding a message that has a specific hash value.There are two types of preimage attacks:...
such as rainbow table
Rainbow table
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters. It is a form of time-memory tradeoff, using less...
s.
One of the drawbacks of secure tripcodes is that they are specific to a single imageboard or discussion board. Because of this, a user cannot verify his or her identity across multiple boards or websites unless each board happens to use the same secret salt as well as the same method of generating and displaying secure tripcodes. Coupled with the fact that it is fairly rare that a user goes through the trouble of discovering another user's tripcode string, many users opt to use normal tripcodes. However, with increasing computer power becoming available to the average user, and also the ability to use the computing power of a user's GPU, the security of a normal tripcode is rapidly declining.