Tripcode

A post on the 4chan /g/ imageboard with the name !PedIa.Dbk., using the tripcode #S~3hsEQ|

A tripcode is a means of on-line identity proof that does not require registration or identification. Tripcodes are most often used in 2channel-style message boards or Futaba Channel-style imageboards.

A tripcode is the result of hashing a name and password, by which a person can be identified by others. The generated tripcode appears as a string of essentially random characters, although the same code can only be generated by someone who knows both the name and password used to generate it. The tripcode thus indicates that repeated postings with the same tripcode must be from the same author, even though the identity of that author is never communicated. The author's real-world identity is communicated neither to the person reading the tripcoded postings nor even to the host site. It is thus a simple example of a zero-knowledge proof.

Using the common 2channel format, name#tripcode when entered as a username becomes name!3GqYIJ3Obs when displayed in the post. The ! is the separator between name and tripcode; on some boards it is replaced with .[1]

Readers of the board can identify postings made by the same user by comparing tripcodes. If two people use the same user name (as is common), they can be told apart because they, presumably, don't know each other's passwords that generate the different tripcodes. This way, the names and passwords don't have to be stored in a database. As many boards use the same algorithm, tripcodes are usually consistent.

Custom tripcodes

Most tripcodes are unintelligible pseudo-random, although deterministic, sequences of characters. As with car numberplates though, short recognisable sequences often exist within these. The desire for "vanity tripcodes" encourages computerised searching through the space of possible tripcodes, in search of amusing results for some input combination of username and password. Usually this is limited to searching passwords for the same username.

As the tripcode algorithm is public, programs such as Tripcode Explorer and MTY[2] allow users to search for custom tripcodes whose output contains some legible word or phrase rather than a random string of numbers. This is accomplished via a brute-force search using random inputs until an output matching the desired pattern is found. For example, using Tripcode Explorer to search for a tripcode which begins with the word "custom" reveals that the input #&|7Wpt5@ generates the output CusTOmH3bM.

Description of the algorithm

The tripcode function works as follows:

  1. Convert the input to Shift JIS.
  2. Generate the salt as follows:
    1. Take the second and third characters of the string obtained by appending "H.." to the end of the input.
    2. Replace any characters not between "." and "z" with ".".
    3. Replace any of the characters in :;<=>?@[\]^_` with the corresponding character from ABCDEFGabcdef.
  3. Call the crypt() function with the input and salt.
  4. Return the last 10 characters. (compressional data harvest)

Since this is merely a de facto standard, actual implementations vary widely. Most noticeably, many implementations substitute various characters with their HTML entities. For example, 2channel translates <, >, and " to &lt;, &gt;, and &quot;.[3] Other implementations also replace other characters, e.g. &amp; and &apos;. However, this behavior was likely due to a bug in the original implementation, and since each board has different behavior it should not be considered part of the algorithm. Further, some boards don't perform the Shift JIS conversion. Lastly, as a historical note, the original implementation only used the last 8 characters, but this has been fully replaced by 10-character tripcodes.
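The steps above as a runnable sketch. This is an added example, not code from any board or from the tools named on this page; the function names and the shift_jis/entities options are assumptions made for illustration, "characters" in step 2 are treated as bytes of the encoded input, and Ruby's String#crypt is assumed to be backed by a system crypt(3) that still supports traditional DES.

```ruby
# Added example: the de facto tripcode algorithm described above.
# Step 2.3 table: ":;<=>?@[\]^_`" maps position by position to "ABCDEFGabcdef".
SALT_MAP = ":;<=>?@[\\]^_`".bytes.zip("ABCDEFGabcdef".bytes).to_h.freeze

# 2channel-style entity substitution (board-specific, off by default).
ENTITIES = { "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze

# Step 2: derive the two-byte crypt() salt from the already encoded key.
def tripcode_salt(key_bytes)
  (key_bytes.b + "H..").bytes[1, 2].map { |b|
    b = 0x2E unless b.between?(0x2E, 0x7A) # outside "." .. "z" becomes "."
    SALT_MAP.fetch(b, b)
  }.pack("C*")
end

# Steps 1, 3 and 4: encode, call crypt(), keep the last 10 characters.
def tripcode(password, shift_jis: true, entities: false)
  key = entities ? password.gsub(/[<>"]/, ENTITIES) : password
  key = key.encode("Shift_JIS") if shift_jis
  key = key.b
  key.crypt(tripcode_salt(key))[-10, 10]
end

# Turn the "name#password" name field into the displayed "name!tripcode".
def display_name(field)
  name, password = field.split("#", 2)
  return name.to_s if password.nil? || password.empty?
  "#{name}!#{tripcode(password)}"
end

if __FILE__ == $PROGRAM_NAME
  puts display_name("name#tripcode")
  # Traditional DES crypt() reads only the first 8 bytes of the key, so a
  # longer password yields the same tripcode as its 8-byte prefix.
  puts tripcode("tripcodeXYZ") == tripcode("tripcode")
end
```

Boards that apply entity substitution or skip the Shift JIS conversion produce different tripcodes for the same password whenever the password contains the affected characters, which is why the two options are exposed separately.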

Secure tripcodes

Tripcodes are not a very secure authentication method. Since the keyspace of 2channel-style tripcodes is not very large (slightly larger than 2^56), some boards implement a secure tripcode along with normal tripcodes. In that case another hash is used that takes a second input (typically in the form of name##securetripcode or name#tripcode##securetripcode) and uses a secret salt stored on the server. As this salt is secret and site-specific, one cannot use a precomputed preimage attack such as rainbow tables.

One of the drawbacks of secure tripcodes is that they are specific to a single imageboard or discussion board. Because of this, a user cannot verify his or her identity across multiple boards or websites unless each board happens to use the same secret salt as well as the same method of generating and displaying secure tripcodes. Coupled with the fact that it is fairly rare that a user goes through the trouble of discovering another user's tripcode string, many users opt to use normal tripcodes. However, with increasing computer power becoming available to the average user, and also the ability to use the computing power of a user's GPU, the security of a normal tripcode is rapidly declining.

References

  1. info.2ch.net, 2channel FAQ (Japanese)
  2. "MTY Tripcode Searcher / Finder". http://harry.lu/mty/. Retrieved 2010-05-16.
  3. wakaba.c3.com
