• 0 Posts
  • 6 Comments
Joined 17 days ago
Cake day: June 12th, 2025


  • Cryptography is the practice of hiding and protecting information.

    Modern cryptography is about computer algorithms.

    These computer algorithms are notoriously hard to invent, and even just to implement.

    Cryptography is a constant cat and mouse game. Some people will attempt to build new algorithms, and some people will be trying to break these algorithms. In some situations people are doing this benevolently, where researchers will look for weaknesses so they can be fixed. In other situations people are malicious and are looking for weaknesses to exploit them.

    Inventing a new algorithm usually takes years, and then it’s researched for even more years to make sure there are no obvious weaknesses.

    Then people implement these algorithms and these implementations are then again researched for long times to look for weaknesses.

    Inventing a new algorithm is insanely hard, and only a rather small amount of people around the world has had decent success.

    But even if you have a good algorithm that is theoretically secure, then when you try to implement it in actual code, it’s again incredibly easy to make mistakes that completely undermine the security.

    What the OP did was to try to invent a new algorithm. OP's algorithm is very flawed and easily broken. Then OP wrapped it in a Web page that purported to allow you to securely encrypt something, and used words like “crazy strong encryption” which could lead others to think the service is safe and secure, and rely on it for something critical, only for their security to be utterly compromised.

    The mantra in the security community is “Don’t roll your own crypto”, and OP rolled their own crypto, and failed, without giving a proper disclaimer.


  • So this basically runs key derivation by taking the password, SHA-256 hashing it, and feeding the result to a SecureRandom. Then it XORs the output of SecureRandom with the plaintext in CBC mode with a block size of 1 byte… CBC means this isn’t protected against tampering, since the encryption mode isn’t authenticated. And the block size of 1 byte means you can attack each character of the ciphertext one at a time.

    This is a woefully inadequate key derivation, and the actual encryption seems fairly flawed. I only have a basic Cryptography 101 course under my belt, and while I don’t have the skill to obviously break it, it absolutely makes the hair on my neck stand up…

    Discounting any weaknesses in the actual crypto, the heaviest part of this algorithm is the actual SHA-256 hash, and with some tweaking, I’m sure someone determined could modify hashcat to attack this encryption directly. I just had a look at a Hashcat benchmark on an AWS p5en.48xlarge instance, which has 8x Nvidia H100 GPUs. These together can churn out 126.9 Giga-hashes per second on SHA-256. Which means it can try ALL alpha-numeric passwords with 12 characters in just around 0.59 nanoseconds. This instance isn’t cheap, as it costs around $64 per hour to run, but at that speed you don’t have to run it for very long anyway.

    So even at the worst-case, of having to brute-force your XOR encryption algorithm, breaking it will be trivial.

    Please don’t roll your own crypto… Or if you do, please make it very clear to anyone that it’s your own hobby project, and that it shouldn’t be relied upon for actual security.

    EDIT: apparently I can’t operate a calculator
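The two defects the comment above points at, an unsalted single SHA-256 as the "key derivation" and an unauthenticated XOR keystream, are easy to see side by side in code. The following is an added example, not the OP's Web page code and not the commenter's; it models the weak scheme as "SHA-256(password) seeds a deterministic keystream that is XORed with the plaintext" and, since Java's SecureRandom is not available here, stands in an HMAC-SHA256 counter generator for it (an assumption, not the page's construction). The hardened counterpart uses only the Python standard library: a salted, memory-hard scrypt derivation and encrypt-then-MAC so that any tampered ciphertext is rejected before decryption. The names `weak_encrypt`, `hardened_encrypt` and friends are this example's own.

```python
"""Weak password-based XOR scheme vs. a stdlib-only hardened version.

Added example, not code from the original page. The keystream generator is
an HMAC-SHA256 counter (assumption standing in for Java's SecureRandom).
In production use AES-GCM or ChaCha20-Poly1305 from a vetted library instead
of hand-built stream + MAC; this file only illustrates the two design points.
"""
import hashlib
import hmac
import os

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def _hmac_counter_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(key, nonce || counter) blocks concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


# ---------- the weak construction described in the comment ----------

def weak_encrypt(password: str, plaintext: bytes) -> bytes:
    # One unsalted SHA-256 call: fast to brute force, identical for equal passwords.
    seed = hashlib.sha256(password.encode()).digest()
    # No nonce: the same password always yields the same keystream.
    return _xor(plaintext, _hmac_counter_stream(seed, b"", len(plaintext)))


weak_decrypt = weak_encrypt  # XOR with the same keystream undoes itself


def weak_accepts_tampering(password: str, plaintext: bytes) -> bool:
    """True if a modified ciphertext decrypts without any error (no integrity check)."""
    tampered = bytearray(weak_encrypt(password, plaintext))
    tampered[0] ^= 0x01  # flip one bit; nothing in the format can notice
    recovered = weak_decrypt(password, bytes(tampered))
    return recovered != plaintext and len(recovered) == len(plaintext)


# ---------- hardened: salted slow KDF + encrypt-then-MAC ----------

def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    # scrypt with n=2**14, r=8, p=1 uses ~16 MiB per guess, unlike a single SHA-256.
    key = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return key[:32], key[32:]  # independent encryption and MAC keys


def hardened_encrypt(password: str, plaintext: bytes) -> bytes:
    salt = os.urandom(SALT_LEN)     # per-message salt defeats precomputed tables
    nonce = os.urandom(NONCE_LEN)   # per-message nonce: same password, fresh keystream
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = _xor(plaintext, _hmac_counter_stream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def hardened_decrypt(password: str, blob: bytes) -> bytes:
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Verify the tag in constant time BEFORE touching the ciphertext.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext was modified or wrong password")
    return _xor(ciphertext, _hmac_counter_stream(enc_key, nonce, len(ciphertext)))


def hardened_rejects_tampering(password: str, plaintext: bytes) -> bool:
    """True if flipping one ciphertext bit makes decryption fail loudly."""
    tampered = bytearray(hardened_encrypt(password, plaintext))
    tampered[SALT_LEN + NONCE_LEN] ^= 0x01  # first ciphertext byte
    try:
        hardened_decrypt(password, bytes(tampered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"meet at the usual place"      # constructed sample input
    print("weak scheme accepts tampering:", weak_accepts_tampering("hunter2", msg))
    print("hardened scheme rejects tampering:", hardened_rejects_tampering("hunter2", msg))
```

Two things are worth noticing when running it. `weak_encrypt` is fully deterministic, so two users with the same password produce identical keystreams and an attacker with one known plaintext learns the keystream for every other message, which is the "attack each character one at a time" point from the comment. In the hardened version the random salt makes each scrypt derivation unique and expensive, and the MAC check turns silent corruption into an explicit error.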