Javacrypt has been cracked. It is no longer secure. Do not use this scheme.

Want to password-protect a web page? The best way to do it is to use server-side HTAccess authentication. Unfortunately, this isn't always possible. You may be stuck with Microsoft IIS (which can be a nightmare to do authentication on), or you might even be serving the pages straight from a CD (in which case there is no server at all). The typical solution is to add some JavaScript that asks for a password, then redirects you based on whether the password is valid. It goes without saying that this is totally insecure, since anyone can view the source and figure out either the password or the secret URL.

Javacrypt was designed to provide a secure client-side method of password-protecting pages. Try this demonstration. You can view the source, edit the page locally, fold, bend or mutilate it, but you won't be able to get the content without the password (which is the phrase 'top secret'). Creating your own password-protected pages is easy: use the encrypting tool to specify a password and the text, then copy the resulting code onto your page. Storing the password in a cookie so that it doesn't have to be entered repeatedly is left as a trivial exercise for the programmer.

How secure is it? I thought it would take considerable effort to break it. The algorithm was inspired by a German Enigma machine on exhibit at Bletchley Park. However, instead of shuffling the cipher table deterministically after each letter, the Javacrypt code uses the previously encoded letter as the seed to shuffle the cipher table. That previous letter is part of the ciphertext, so the state of the table is never hidden from a reader of the encrypted text. In an effort to determine how secure Javacrypt is, I offered a small prize to the first person who could crack it. Two months later, Dr. Srivatsan in India found a simple way to convert the code into a cryptogram, which can then be decoded using frequency analysis. Game over.
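The structural flaw behind that cryptogram conversion, shown on a toy model of the scheme. This is an added example, not the Javacrypt code: the shuffle function, the seed letter used for the first position, and the letters-only alphabet are all assumptions; only the dependence of each table on the previous ciphertext letter is taken from the description above.

```python
import hashlib
import random
import string

ALPHABET = string.ascii_lowercase


def clean(text: str) -> str:
    """Letters only, lowercased; the toy model drops everything else."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def shuffled_table(password: str, seed_char: str) -> str:
    """Assumed stand-in for Javacrypt's shuffle: the password plus the previous
    ciphertext letter seed a PRNG that permutes the alphabet. The real shuffle
    is not on the page; only its dependence on seed_char matters below."""
    digest = hashlib.sha256((password + seed_char).encode()).digest()
    table = list(ALPHABET)
    random.Random(int.from_bytes(digest[:8], "big")).shuffle(table)
    return "".join(table)


def encrypt(password: str, plaintext: str, start: str = "a") -> str:
    """Each letter is substituted through the table chosen by the previous
    output letter; start is the assumed seed for the first letter."""
    prev, out = start, []
    for ch in clean(plaintext):
        prev = shuffled_table(password, prev)[ALPHABET.index(ch)]
        out.append(prev)
    return "".join(out)


def decrypt(password: str, ciphertext: str, start: str = "a") -> str:
    prev, out = start, []
    for c in ciphertext:
        out.append(ALPHABET[shuffled_table(password, prev).index(c)])
        prev = c
    return "".join(out)


def context_maps(plaintext: str, ciphertext: str, start: str = "a") -> dict:
    """The flaw from the defender's side: the table at position i depends only
    on the key and on ciphertext letter i-1, which anyone can read. Grouping
    by that visible letter splits the message into at most 26 fixed
    substitution alphabets (a cryptogram), each open to frequency analysis.
    Returns {prev_cipher: {plain: cipher}}, or None if a context ever mapped
    one plaintext letter two different ways (with this design it never does)."""
    maps, prev = {}, start
    for p, c in zip(clean(plaintext), ciphertext):
        if maps.setdefault(prev, {}).setdefault(p, c) != c:
            return None
        prev = c
    return maps
```

The point of context_maps is that a key-independent, attacker-visible quantity fully selects the substitution alphabet, which is why the password adds no secrecy beyond a classical cryptogram.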

Last modified: 17 June 2002