Thursday, April 7, 2016

Julie and I got engaged!

Days after celebrating our three year anniversary I proposed to my girlfriend Julie.  To answer some basic questions:

The ring was a simple custom solitaire with a filigree engraved into a palladium band.  Palladium isn't as popular as platinum because it lacks the name recognition, but it's a fantastic metal.

I proposed to Julie at a restaurant near us called Post and Beam.  It's a great place.  To add some personal flair I revealed the location and time in the form of a puzzle.  I didn't want to make it as simple as a pen-and-paper word substitution cipher so instead I thought I'd add a twist by making it something that couldn't be solved without the aid of a computer.  To do this I set up several fake email addresses and built a story around it.  Two of the addresses discussed plans that revealed the time and location of our dinner.  The other two contacted Julie to request her help breaking into one of the two email addresses.  I supplied her with a username and a hashed password and asked for her help in gaining access.

A hashed password is a password that has been transformed by what's called a hashing algorithm.  The point is that going from a password to a hashed password is very easy, but going the other way is very, very hard.  This is an important part of online security.  When you log into your online banking account, the bank runs whatever you type into the password field through its hashing algorithm.  Then it checks whether the result matches what it generated when it hashed whatever you typed when you chose your password.  If it matches, you typed the right password.  If hackers break into the bank's computers, though, they can't get your password because the bank has never actually saved a copy of it.  It simply doesn't have a copy of your password on file.

Technically, you CAN figure out a password if you have a hashed password.  You just need to guess passwords until you get a match.  This is called breaking a password using "brute force".  Obviously, you can't do it by hand.  You have to have a computer program that can guess passwords, hash them, and see if they match.  My plan for Julie solving this puzzle counted on her working it out with one of the email accounts I'd set up for the storytelling aspect.  I was going to send her a link to a program called HashSuite that could crack the passwords and instructions on how to run it.  The funny thing is that I didn't really know how to do all this, I just found a program with a tutorial and used one of the 3000 passwords in the tutorial for the email account she needed to unlock.
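The login check and the guess-hash-compare loop described above, as an added example that is not from the original post or from HashSuite.  The algorithms (SHA-256, PBKDF2) and the word list are assumptions made for illustration; the post doesn't say which algorithm the tutorial hashes used.

```python
import hashlib
import hmac
import os

# Constructed sample word list, not the 3000 tutorial passwords from the post.
WORDLIST = ["password", "letmein", "postandbeam", "palladium"]

def fast_hash(password):
    """Unsalted, single-pass SHA-256 (assumed algorithm; the post names none)."""
    return hashlib.sha256(password.encode()).hexdigest()

def enroll(password, iterations=200_000):
    """What a site keeps at sign-up: salt, work factor and digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(record, attempt):
    """Login check: re-hash the attempt with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])

def found_in_wordlist(target_hex, candidates=WORDLIST):
    """Audit an unsalted hash: hash each candidate and compare.

    Returns the matching word, or None if the password is not on the list.
    Each guess costs one cheap hash, which is why listed passwords fall quickly.
    """
    for word in candidates:
        if hmac.compare_digest(fast_hash(word), target_hex):
            return word
    return None

if __name__ == "__main__":
    # A password that appears on a word list is recovered from its bare hash.
    print(found_in_wordlist(fast_hash("palladium")))
    # One that is not on the list is not recovered by this audit.
    print(found_in_wordlist(fast_hash("Xq7!long-random-phrase")))
    # Salting: the same password enrolled twice yields different stored digests,
    # so one precomputed list of hashes no longer matches every account.
    a, b = enroll("palladium"), enroll("palladium")
    print(a["digest"] != b["digest"], verify(a, "palladium"), verify(a, "letmein"))
```

The unsalted hash falls only because the password was on the list; a per-user salt and a slow hash like PBKDF2 make every guess cost far more, and a password that is on no list never matches.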

So you can understand that I was concerned when Julie emailed me to say that she was hard at work without making any request for help.  I realized that she might not realize that the puzzle was never really meant to be figured out like this.  I didn't know how to solve it myself.  I just knew that if you downloaded a specific program and typed in a specific set of commands it would give you an answer.  I worried that if Julie wasn't aware that I had given her a puzzle I myself didn't design or know how to solve, she might embark on an impossible task.  Still, I decided to give her a day to see if she figured that out for herself.

To my surprise, she never came looking for help.  Instead, she just emailed me to let me know when she'd successfully unlocked the secret email account.  She googled hash functions and password cracking and found a program that did the same thing as the one I was going to suggest and figured out how to run it without any instruction from me.  She told me afterwards she wasn't sure at first if the hashes were real or just gibberish I'd made up as part of the storytelling.  Then she worried where I'd gotten a list of 3000 hashed passwords after a coworker saw her work computer running hacking software and asked, "Are you cracking passwords?"
"Uh... yeah?"
"Whose passwords are those??"
"Um... I don't actually know..."

I'm really proud of her.  I'm excited to spend my life getting continually surprised.
