PassWord 4.x applet

How the Password 4 applet internally works.

The applet uses a simple symmetric encryption decryption method.
It's based on a variant of rot13, which I call rotx.
The x is calculated out of the user name.
The (alphabet) isn't used in a sorted order.
Also other non-alphabetic characters are added to the alphabet.
If a character isn't in my alphabet then it isn't changed.

It's a fast but weak encryption algorithm.
But it will take a human some time to crack it.
Even so you can't crack it if you don't know the password.
And the user should keep it password a secret.
Cracking without password is equal to just guessing.

The decrypted password is a file name!
So reverse engineering of the applet would not reveal any details.

There are two ways to set up the password applet.

  1. The applet redirects automatically to this file name.
  2. The file name is a password file.
    The applet reads this password file until it finds the user name.
    If it finds the username it will only use the next two lines.
    If it doesn't find the username it will use the last two lines.
    The first line is used as URL (thats the hidden link).
    The next line will be the html frame target.
    Its a good practice to add the username into the password file
    and make the last two lines point to the denial page.
  3. (See also page "The hacker at work" section brute force attack)
But how does the applet determine if the user name and password is valid?
It simply tries to ask the provider's computer if the file exists.

The causes of an access denied:
  1. The password applet asks the provider's computer for an http responds code.
    If the respond code is greater or equal to 400 then the user hasn't access.
    You probably all once encountered the famous 404 file not found message.

  2. It's also possible that the decrypted password isn't a syntactical valid file name.
    For example its syntax doesn't comply with the http standard.
    So the user entered an invalid entry.
    In such case the user is also redirected to the denial html page.

  3. Please note that the applet can only query the http software of your provider.
    Because of Java applet security the applet only connect back to your providers computer.
    So you can't use this applet to hide external links.
    Well there is a workaround.
    Create a local page with a <META HTTP-EQUIV="REFRESH" CONTENT="0" URL="">

  4. Testing this applet on your local computer at home can cause some troubles.
    There is no http software to query on your local PC.
    Instead of that the applet queries the local file system.
    But browser software also restricts the access to your local file system.
    To workaround this problem:
    A: place all files in the same directory.
    B: only use file names (no http:// only filename.extension)
    This should solve the problem for most browsers.

    Please note that you windows file system isn't case sensitive.
    UNIX and the http protocol are case sensitive.