I'm stuck at "iatetomatoesyesterday0265Z#521juneVpepsiVIIxngxcaboutAg[moon emojis]italy2020Bf7+" trying to solve the chess notation puzzle.
I especially laughed at the rule "must include today's Worldle" and I'm happy with my solution including every emoji for "must include the current phase of the moon as an emoji."
(HackerNews doesn't seem to display emoji. My solution is to paste every moon phase emoji.)
Excited to see what's next after figuring out the best move in this Chess puzzle.
This reminds me of trying to manually construct an Autogram like below. This one is a quote someone else made. I tried to do it myself and it is so hard because the counts keep changing as you write out other counts!
Only the fool would take trouble to verify that his sentence was composed of ten a's, three b's, four c's, four d's, forty-six e's, sixteen f's, four g's, thirteen h's, fifteen i's, two k's, nine l's, four m's, twenty-five n's, twenty-four o's, five p's, sixteen r's, forty-one s's, thirty-seven t's, ten u's, eight v's, eight w's, four x's, eleven y's, twenty-seven commas, twenty-three apostrophes, seven hyphens and, last but not least, a single !
I got the chess one pretty easily but I'm stuck on "The elements in your password must have atomic numbers that add up to 200". I haven't found a way to satisfy both this and "The roman numerals in your password should multiply to 35" simultaneously. Iodine (I) and Uranium (U) have high atomic numbers which blow out way higher than 200 and I haven't found a way to avoid them.
Edit: OK, just realised that it's case sensitive. So I can use a lower case "u" to avoid it being interpreted as an element.
Yeah, I got an Rf8+ and between that and the roman numerals, didn't know how to get down to 200. Then I tried to move the egg to a different spot and the chicken died.
Now it seems progress has become literally impossible because the chess move + the captcha includes digits that add up to more than 25. I guess having to restart is intended to be part of the game, or is this a bug?
This is indeed what ended up transpiring, but only after trying really hard to figure it out all the while thinking the meanings of gold and green were the opposite of each other.
I take puzzles way too seriously, and I suck at word puzzles.
"Only the fool would take trouble to verify that his sentence was composed of ten a's, three b's, four c's, four d's, forty-six e's, sixteen f's, four g's, thirteen h's, fifteen i's, two k's, nine l's, four m's, twenty-five n's, twenty-four o's, five p's, sixteen r's, forty-one s's, thirty-seven t's, ten u's, eight v's, eight w's, four x's, eleven y's, twenty-seven commas, twenty-three apostrophes, seven hyphens and, last but not least, a single !"
I couldn't get it to accept a move which involved the knight jumping over a hostile piece. It was definitely the best move (I fed it into stockfish and got the same response). I refreshed the page to get a new puzzle and got a new street view as well. (╯°□°)╯︵ ┻━┻
Edit: Oooohhh, I think I forgot to add a + for check!
Rae1 - rook a to e1. if two rooks on the first line can move to e1.
R4d4 - if two rooks on the 4th line can go to d4.
Ngxh2# - the knight from g captures on h2 with checkmate.
Nd2e4 - In a rare case that there are 3 knights that can go to a single square
Pawn captures are denoted as exd5 (pawn on the line e captures a pawn on d5) even if there is only one pawn that can make a capture.
Using the column they are on, or the row if they are both on the same column. For example Rac8 moves a rook from a8 to c8, R1d2 moves it from d1 to d2.
Haha, yeah I used Chess.com analysis and it gave me a clearly best sequence of moves (three to checkmate) but it didn't take the first move from white that it asked for. :( I saw many others struggle with this one too. Anyway, I gave up here and seeing some of the subsequent steps I doubt I'll reach the end anyway!
A warning to future players: I got to rule 16 and was given an egg named Paul that I had to keep safe. Then on rule 18 a fire (of emojis) broke out in my password, killing Paul and ending the game. Don't be like me, keep Paul safe.
I was immensely disappointed when I googled "13 minute 39 second video" and then the Youtube video titled "13 minute 39 second countdown" was in fact 13 minutes and 54 seconds long.
You can keep Paul safe by adding something like a lot of = before the egg and continuously delete the appearing fires and at some point the fire will be gone
I killed Paul when trying to get the atomic numbers to equal 200. My plan was to add "H" until the rule was satisfied. Then, I thought I accidentally went past it, so I started holding backspace. I went too far.
For anyone else who was struggling to make the leap year work with all the other math: 0 is a leap year.
For anyone else struggling with how to make the country name work with roman numerals or element names, you can lowercase the country name then it doesn't count as a roman numeral nor element.
If your chess move is illegal, make sure you're also notating the effect of the move (Nxe6 for N captures on e6, not just Ne6. Ne6+ if it's a check. Ne6# if it's mate.)
Spaces are also allowed so feel free to break up parts of the password to separate things and prevent them from interfering with each other.
Use XXXV as the roman numeral. Easiest to work with since only V (23) is an element.
Reroll your color if its hex has any numbers in it. You'll thank me later.
I made it to the final challenge (password must contain the current time) and it became extremely difficult because the current time, the length of the password itself, and a pesky 9 that was in my youtube URL were just too much to add up to 25 (even though I tried to overlap things, like 3:383 to cover 3:38 current time as well as 383 prime password length). I would've needed to somehow reupload a video that didn't have any digits in it (or at least one that had a lower digit like 1 or 2) or wait until it was 10:00 pm or something.
I cycled through _so_ many hex colors and youtube videos. I found that searching the length in the youtube search bar led to plenty of options. I even chose to exclude 'x' which was _so_ dumb as I had to switch my XXXV to a V and VII, making life much harder for myself.
Ultimately I finally got a password with length 211, including the current time, that fit all of the rules!
[spoiler] the final step has you re-type your password to "confirm" it, in an impossible amount of time [/spoiler]. What a frustrating ending!!!
Also ended up with exactly 211, maybe the easiest choice. Sad at the ending.
Other hints:
* The eyedropper is a good way to get the hex quickly.
* On Youtube search the time you need and then scroll until you load a metric ton of videos then Cmd+F for the time (e.g. 28:22) since the times are searchable text on screen.
> For anyone else struggling with how to make the country name work with roman numerals or element names, you can lowercase the country name then it doesn't count as a roman numeral nor element.
Unfortunately, "country name" and "all the vowels in your password must be bold" are fundamentally incompatible, since it doesn't recognize country names unless they have unbolded vowels.
EDIT: Gah. I tried every Unicode "bold" variant I found, before finding that the password field had in fact become a rich text field and allowed actual "bold".
I lost Paul to a fire (3 different water emojis didn't put it out :(). Then I didn't feel like typing in every single possible chess move until it was happy, so I gave up redoing it.
Copy (before answering the "is this your final password" question) and paste seemed to work fine on everything except the chicken emoji, so I just had to paste and then manually enter and italicize a chicken and two bugs within the time limit.
It reminds me of "Password Purgatory" that Troy Hunt (of "Have I Been Pwned" fame) built. It sends real scammers to a real-looking site that basically makes them play this game until they give up and go away.
I once had to deal with a site that would be fine with a ' in the password when setting it, but would throw a mysterious error every time you tried to log in.
For about 2 years I reset my password many times, always to the same one and that would also log me in. I just figured the site was broken for me but this worked and contacting support is rarely helpful for stuff like this so whatever, until it suddenly dawned on me the ' might be the "problem".
It doesn't necessarily mean that they don't know how to escape special characters, it just might mean that they're employing a defence in depth approach.
Managed to make it almost all the way to the end! Note that "is this your final password?" is not the last challenge, despite it being the last thing on the lists other people have posted. Afterward you're asked to retype your password which is almost impossible to do, given that it's in various sizes (with any zeroes at font size zero) and partially in Wingdings.
I recommend copy/pasting before you get there. It doesn't let you copy once that final resubmit form appears.
This is the last saved copy of mine (from ~5 steps before the end; also, yc doesn't capture the various fonts, text sizes, and emojis):
yeah, just lost at that point too, didn't have my password copy pasted anywhere :(
I guess I should have been wary of a confirm password phase. I even wrote a tiny auto hotkey script to keep feeding that stupid chicken for 40 minutes while I waited for time to tick from 8:20 (I didn't have the password ready yet) to 9:01...
How do you solve the time issue - does it lock in the time at the moment you complete that rule, or do you need to keep updating the password with the new time? Also, is the time UTC or time zoned?
You need to keep updating the password. It's time zoned. Basically you have to plan ahead as to what time you want your password to be submitted at and get every other rule satisfied before that time.
In my case it was 8:20 and I had a sum of 15 so I fixed my password in the next 20ish minutes and set the target time to 9:01 at the earliest and spun up an auto hotkey script to paste the food for Paul every 20ish seconds (in reality I think it eats faster than that)
I'm impressed you were able to not get tangled up by the youtube/captcha/color hex/roman numeral mess! The youtube one is what screwed me over and over out of all my attempts
Google that, including the quotes, replace the minutes and seconds with your given time, then look through the results and find a URL which fits the password criteria.
Every result should be a video with that duration. If it isn't, check your useragent. I noticed some weirdness with that.
Neal has outdone himself yet again. I had it until the roman numerals and adding up to 25 ones but lost my cool when it said it must include today's wordle answer.
I gave up when I needed to represent the best chess move in algebraic notation, but I couldn't because the text from the captcha I had to solve earlier contained an illegal move... rage
List of countries in geoguessr: AlbaniaAndorraArgentinaAustraliaAustriaBangladeshBelgiumBhutanBoliviaBotswanaBrazilBulgariaCambodiaCanadaChileColombiaCroatiaCzechiaDenmarkDominicanRepublicEcuadorEstoniaFinlandFranceGermanyGhanaGreeceGuatemalaHungaryIcelandIndonesiaIrelandIsraelItalyJapanJordanKenyaKyrgyzstanLatviaLithuaniaLuxembourgMalaysiaMexicoMongoliaMontenegroNetherlandsNewZealandNigeriaNorthMacedoniaNorwayPeruPhilippinesPolandPortugalRomaniaRussiaSenegalSerbiaSingaporeSlovakiaSouthAfricaSouthKoreaSpainSriLankaSwedenSwitzerlandTaiwanThailandTurkeyUnitedStatesUgandaUkraineUnitedArabEmiratesUnitedKingdomUruguayEgyptPakistanChinaDominicanRepublicIndiaVietnamBermudaPuertoRicoRunionFaroeIslandsGreenland
I don’t think this is the source. My answer was Liberia. I was able to spot a .LR domain on a street sign ad.
Then I accidentally lost all progress by clicking the chess notation link and when I got back to the geo guessing it was a small forested area with nowhere to walk to so I gave up :(
it's from fandom.com, so might be out of date. I think the general strategy would work if you had the right list of countries - although if you're determined to just cheat your way past this step, probably better to just look at the source and get coordinates as someone else has suggested.
I had to look at the source to find the possible options. In 906d40b.js starting at line 3471 (could change in the future) is an array of possible values. You can search for the embed url of the iframe to get the country name.
How do you satisfy the chemical elements constraint if you get a country starting with 'Au'? It's 79 plus VII (23+53+53) and V (23) (from roman numerals part), while the sum should be 200
I'm about to send an email asking the site manager to remove this before any PHB types take it seriously....yes those types exist and yes they would see this as inspirational...God help us all...
This turns into a mildly frustrating riddle as some of the challenges are random (captcha, Street View, chess challenge) and end up making it impossible to continue. Got my number added up from the captcha and the best chess move came to be Qh6 (I would need a chess master to disagree with me) so I'm already busted on the add to 25 and then it tells me the "Qh6" notation is illegal (Ok, I was never good with chess notation but I'm pretty sure that says Queen to H6...)
I also had to figure out how to enter chess notation. As it turns out you have to add "x" after the piece if you want to capture or "+" suffix for check.
Ah. That might be it... Anyhow after staring at that chess challenge I was sure to get a mate in two moves with the Qh6 but the captcha filled with numbers plus the add to 25 left me with only 3 to spare... So no way am I winning this game.
Yeah, I'm stuck on the chess part too. Figured out how to put black in check, figured out the notation, including the +, but it doesn't agree that's the best move. Put the positions into a chess engine... it agrees with me with what the best move is.
Fun game though, I laughed out loud at the Wordle requirement.
Yeah I think there's a bug with the chess notation, I also had it tell me Rh3 was illegal notation. Interestingly Rf3 is not illegal notation but an illegal move for me.
The "two digit periodic table symbol" is also arbitrary - it has to be initial caps! Then if you refresh the page, the random stuff resets, so I gave up at that point with !marchpepsidn26n2555VIIVabout where "dn26n" is random captcha.
Amazing. I've always wanted a similar game for card readers:
Remove your card before the clerk gets annoyed at you. The screen flashes various messages like "PLEASE REMOVE YOUR CARD after the TRANSACTION IS COMPLETE". Push the card too hard and the reader falls off the table. Pull at an angle or too slow and it drags the reader.
Very nice game! Little trick for the moon-phase, just paste all emojis.
Unfortunately got a dead-end yesterday when reaching the rule (18?) about the sum of the periodic elements equating to 200, with the chess move being Nh8 (containing Nh, no 113) and the wordle solution being (tract, containing Ra, no 81), making it impossible to go below 201.
I would have liked in that case a way to request another chess puzzle, just like it is possible to do for the captcha.
There is no bug, it only cares the correct answer is present. It's okay if other substrings are also valid chess notation, that won't prevent you from passing the rule if you include the correct one
Just make sure to add captures/check/etc (Examples from wavemode on this thread: Nxe6 for N captures on e6, not just Ne6. Ne6+ if it's a check. Ne6# if it's mate.)
Reminds me of Password Purgatory.
A site made by Troy Hunt (the haveibeenpwned guy) which looks like a signup page (actually seems to have an api) but the password requirements get more ridiculous each time. The link is then sent to spammers who bug him about his blog.
https://passwordpurgatory.com/get-hell?kvKey=510aa555-e482-4...
That's a shame, I reached an impossible situation. The best chess move is Re5+ which includes the letters Re which is the element Rhenium with atomic number 75. However since the roman numerals need to multiply to 35 then the only valid solution is having VII and V (XXXV for 35 is not recognized for some reason), and V is Vanadium with atomic number 23 and I is Iodine with 53. That already leaves me with 227, above the 200 threshold for one of the rules.
I thought I was being so clever by filling up the password field with food, so I could buy lots of time to search YouTube. I didn't realise Paul could be overfed :'(
I got to rule 35, I think I was one away from victory, best time to play this is probably around 10:00-2:00 so that you can keep low numbers and it doesn't mess up rule 5. I gave up and decided to slay Paul myself. Paul is the bane of my existence.
VIIJuneVShell65$bw6n6aboutHecroatia0000 so far. Croatia was extraordinarily hard to guess. Currently stuck on the chess game, if anyone has generic advice on how to not suck at chess.
Fun bonus: it can't seem to figure out what's going on with the knight. Using "K", "N", or "S" for knight all get me "invalid notation" warnings. I'm having a lot of fun.
New update: got the chess answer! It will accept "N" for my Knight iff I make stupid moves with it. Moving my knight to take a bishop is "invalid notation", but apparently putting it in the middle of nowhere to be captured by a rook is the best possible move.
Managed to find a youtube video of the exact length (rule 25 - in my case it was 18m05, which I found with https://www.youtube.com/watch?v=cLVClhMyJgY after a search for "17 minutes 50 seconds"), but that then screwed up my Roman numerals.
However it did seem to get past that rule to rule 26 (while still complaining about the roman numerals):
"A sacrifice must be made. Pick 2 letters that you will no longer be able to use."
I chose poorly, I thought it was for questions going forward, and I knocked out the "S", needed (amongst other things) for all the sponsors.
I don't think it's easy. Verification is much easier than generating correct solutions for this.
Looking at the JS, these rules use RNG such that you can have an inconsistent or impossible password. E.g. if the only youtube video URLs that work with your duration have roman numerals that multiply above 35 in it you are hard stuck. Your youtube URL can also hard stuck your atomic number summation to 200 if it happens to contain enough elements that add above 200. Your color hex can hard stuck your 25 sum, etc. The code does not try to generate working passwords given all the rules, it simply adds checks and randomly generates the requirement per rule.
You'd have to have the RNG rules to align well in order to win i.e. youtube video with no roman numerals or numbers or elements, captcha with no numbers or roman numerals or elements, to minimize conflict.
For a given video length, there will be some youtube video urls without roman numerals, and with low digit sum, and atomic number.
I first search this on Google
"0:00 / mm:ss" site:youtube.com
Where mm:ss is the desired length. Then I used some Javascript to scrape the results, finding only youtube urls without roman numbers, and print them out sorted by digit sum and atomic number
I've done it a few times, never had a situation where there was no suitable url
As for the color hex, if it's not suitable, you can regenerate it
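The independent per-rule checks and the URL filtering described in the comments above, as an added example that is not taken from the thread or from the game's source. The matching behaviour (roman numerals are runs of uppercase letters, two-letter element symbols are matched before one-letter ones) and the sample video IDs are assumptions constructed for illustration.

```javascript
// Added example: three of the rules discussed in the thread, checked
// independently, plus a ranking of candidate video IDs.
// The matching rules below are assumptions, not the game's own code.

// Element symbols in atomic-number order (index + 1 = atomic number).
const SYMBOLS = (
  "H He Li Be B C N O F Ne Na Mg Al Si P S Cl Ar K Ca Sc Ti V Cr Mn Fe Co Ni " +
  "Cu Zn Ga Ge As Se Br Kr Rb Sr Y Zr Nb Mo Tc Ru Rh Pd Ag Cd In Sn Sb Te I " +
  "Xe Cs Ba La Ce Pr Nd Pm Sm Eu Gd Tb Dy Ho Er Tm Yb Lu Hf Ta W Re Os Ir Pt " +
  "Au Hg Tl Pb Bi Po At Rn Fr Ra Ac Th Pa U Np Pu Am Cm Bk Cf Es Fm Md No Lr " +
  "Rf Db Sg Bh Hs Mt Ds Rg Cn Nh Fl Mc Lv Ts Og"
).split(" ");
const ATOMIC = new Map(SYMBOLS.map((s, i) => [s, i + 1]));
const ROMAN = { I: 1, V: 5, X: 10, L: 50, C: 100, D: 500, M: 1000 };

// Rule: all digits in the password must add up to 25.
function digitSum(pw) {
  return [...pw].reduce((n, ch) => (ch >= "0" && ch <= "9" ? n + Number(ch) : n), 0);
}

// Value of one run of roman letters, using subtractive notation (IV = 4).
function romanValue(run) {
  let total = 0;
  for (let i = 0; i < run.length; i++) {
    const v = ROMAN[run[i]];
    const next = ROMAN[run[i + 1]] || 0;
    total += v < next ? -v : v;
  }
  return total;
}

// Assumption: every maximal run of uppercase I, V, X, L, C, D, M is a numeral.
function romanNumerals(pw) {
  return (pw.match(/[IVXLCDM]+/g) || []).map(romanValue);
}

// Rule: the roman numerals must multiply to 35 (1 when there are none).
function romanProduct(pw) {
  return romanNumerals(pw).reduce((a, b) => a * b, 1);
}

// Rule: atomic numbers of the elements in the password must add up to 200.
// Assumption: case-sensitive scan, two-letter symbols win over one-letter ones.
function atomicSum(pw) {
  let sum = 0;
  for (let i = 0; i < pw.length; i++) {
    const two = pw.slice(i, i + 2);
    if (two.length === 2 && ATOMIC.has(two)) {
      sum += ATOMIC.get(two);
      i++; // consume the second letter of the symbol
    } else if (ATOMIC.has(pw[i])) {
      sum += ATOMIC.get(pw[i]);
    }
  }
  return sum;
}

// Each rule is verified on its own; nothing here searches for a solution.
function checkRules(pw) {
  const digits = digitSum(pw);
  const roman = romanProduct(pw);
  const atomic = atomicSum(pw);
  return {
    digits, roman, atomic,
    digitsOk: digits === 25,
    romanOk: roman === 35,
    atomicOk: atomic === 200,
  };
}

// Keep only video IDs without roman numerals, cheapest first
// (lowest digit sum, then lowest atomic sum).
function rankVideoIds(ids) {
  return ids
    .filter((id) => romanNumerals(id).length === 0)
    .map((id) => ({ id, digits: digitSum(id), atomic: atomicSum(id) }))
    .sort((a, b) => a.digits - b.digits || a.atomic - b.atomic);
}

// Constructed IDs, not real videos.
const SAMPLE_IDS = ["uUu9Og9wwzz", "xVIIabc1234", "aB3kfH1zqwe", "pCk2ab_tz-q", "qzwjkrtgbnp"];

// Password quoted earlier in the thread (captcha m3588, chess move Ne6+).
console.log(checkRules("mAy@VpepsiVIIm3588tractSibelgiumNe6+"));
// Constructed password with the VII, V and Re5+ pieces from another comment.
console.log(checkRules("VII-V-Re5+"));
console.log(rankVideoIds(SAMPLE_IDS));
```

Lowercasing a letter removes it from both the roman-numeral and the element scan in this model, which is why the lowercase workarounds reported in the thread resolve several of the conflicts.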
I wonder if something like quickcheck could be used to randomly generate characters which pass the criteria. I don't know how it would handle Paul though...
I uploaded a video quick just to pass that step since the length was hard to find. The generated video ID was a bunch of Roman numerals so I was totally fucked.
Reminds me of something I built a few years ago, to answer spammers who keep contacting me with their offers of "services": https://cingen.net/moostik/signup/
The most insistent one tried 31 times (the rules are conflicting and it's impossible to satisfy the answer). Special attention was given to the security questions, but somehow spammers keep picking the simplest one.
Died after the URL, it was too much to recalculate the atomic numbers and keep track of Paul.
Maybe this chicken was the most unfair part of this game, the random captcha and country make it impossible to retry easily (maybe the time frame for feeding could be slowed down); but loved everything else, really ingenious.
Same here, I retried at least ten times, sometimes stumbling over a copy paste error that got Paul killed, but keeping the chicken alive was the choke point for me. Perhaps it would be allowed to encode part of the url?
Also wouldn't url's with roman numbers in it fail the entire thing as 35 only can be obtained by multiplying 5 and 7? Ah right, or 35, true that but still same issue.
I have a similar problem -- the Google Maps country I got is China, and the C is already 100 -- how do I multiply it "down" to 35? Can I do parenthetical math similar to what a sibling comment suggested?
Update: I found the answer in another comment -- I can make the c lowercase! Thank you HN!
I gave up after having to include a leap year (Rule 15), I don't know if this is a spoiler but I ended up with January99Pepsi?XXXVggd7maboutZrJapan (there was an emoji in there for the current moon phase but HN stripped it out)
Looking at the code it should be possible to get a lot further, in theory. Wonder how Paul is doing!
My country was El Salvador. I would not have guessed it (I kept trying equatorial countries). I had to reverse engineer the URL encoding of the embedded map.
Spoiler: There is !1d and !2d, followed by coordinates.
Debatable - the concept of leap years was invented before 0 AD/CE but I'm not aware of any reason to believe that particular year (which certainly wasn't called 0 AD at the time, it was possibly the Roman year 753) was considered to be one.
Interesting that there seem to be a large number of scholars who would accept either 4 AD or 8 AD was the first AD leap year. But less clear what such a year would have been called by Romans at the time. I'm assuming it wasn't common to include full dates (including the year #) on written documents at the time, otherwise surely we'd know pretty much exactly.
I gather AD-based year numbering wasn't actually introduced until ~525 AD (but before that a number of systems had been in use).
0 is a year if we say it is, which astronomers have for hundreds of years (because its extremely mathematically convenient), and which ISO-8601 does.
Year 0 is what historians like to call 1 BC, but historians are also just making that up. Nobody numbered years from Anno Domini anywhere near year 0.
I'm sure it's clear to everybody here why year 0, -1, and -2 are significantly better arbitrary, ahistorical names for the three years preceding year 1.
For the country one, I got "www.google.com/maps/embed?pb=!4v1687119352692!6m8!1m7!1sINHBz4HdSwMAAAQrBnftjg!2m2!1d9.080961517214682!2d7.524398838108427!3f84.34!4f-4.950000000000003!5f0.4000000000000002"
The different font sizes for different characters ended up crashing the browser. I went out just after this:
> XXXV-75-may-Shell-dbfen-straw--china-Qf5+-0000-i am loved- https://youtube.com/watch?v=BprGlhu_Hfs- Po-@@@@@-@@@@@-@@@@@-@@@@@-@@@@@-@@@@@-@@@@@-@@@@@#cd1520-xngxc-$$$$$$-$$$$$$-$$$$$$$-$$$$$$-$$$$$$-$$$$$$-$$$$$$-$$$$$$-$$$$$$-$$$$$$-$$$$$$-$$$$$$-$$$$$$-
Edit- emojis don’t save..
Couple of tips.
- 0000 is a leap year and doesn’t add to your numbers tally
- “not strong enough” - paste the strong man emoji three times.
- hex color - screenshot and upload to a hex color picker (on iOS turn off the screen dimming). Choose a hex color with low numbers. Enter as lowercase to avoid creating more chemical elements such as “F” and “C”
- chess move - install Chessvision.ai and upload screenshot. Taking a piece add an “x” between the piece taking the move and the target square e.g. Qxe5. Taking a piece and putting the king in check Qxe5+. Checkmate Qxe5#
- captcha - avoid numbers. Leave all lowercase. Avoid captchas that could be confused for a chess move (e.g. contains “e5”)
- YouTube URL - google “mm:ss YouTube” replacing the minutes and seconds. Only use one without Roman numerals and very few numbers in the URL. The times are shown in the screenshot on google search
- on fire? Smash the delete button. Add loads of zeros to pad it out to give yourself a chance. You can delete them later.
- copy the password regularly in a notes file. After everything goes up in flames you can paste it back in
- country - enter it in lower case. Take a look around if you can and hunt for tips. Road signs, tree types (cold or warm climate), road name overlays, advertising, company names, etc. only once I couldn’t figure it out. Middle of a ruined castle??
- you're not allowed to overfeed Paul. I kept him up at 5 bugs and it allowed me to jump between apps and jump back. Maybe you can add more but I didn’t risk it.
- ChatGPT can help you with the periodic table and help you with the math.
Almost gave up on the Chess notation, but now "All the vowels in your password must be bolded." clashes with the requirement to include a captcha and reloading this unleashes all kinds of problems, so game over
I spent forever trying to find a YouTube video that was precisely 16m18s, and when I finally did, the video ID included periodic elements and Roman numerals that broke my earlier rules, and I gave up. Fun game though!
Google that, including the quotes, replace the minutes and seconds with your given time, then look through the results and find a URL which fits the password criteria.
Every result should be a video with that duration. If it isn't, check your useragent. I noticed some weirdness with that.
Can you give an example? "replace the minute and seconds" is vague. Do you mean replace the words "minute" and "second"? Or just the numbers? Do you remove the brackets too?
I tried literally this and I just get videos of random length with various matches in the comments and descriptions. It completely ignores the double quotes here. I've even tried setting my user agent to Chrome on Windows without any change.
But I wasn’t able to finish: I got a captcha with digits 5, 3, 7, and 8. When the chessboard appeared, the best move was Qe6. These conflicted with the rule to have all digits sum to 25 (5+3+7+8+6=29).
If you use duckduckgo to search for youtube videos that's the easiest way over that hurdle because DDG will show the length of the video as an overlay for the thumbnail. Just search for "17 minute timer" or whatever is the closest but less than the length you need. Make sure to sort by short/medium/long as well to limit it to the proper window.
Made it to "the length of your password must be included in your password" and decided to throw in the towel.
A funny game!
For anyone else struggling with the wordle, the answer is here[1].
For anyone else struggling with the country, you can fill in the names of all the countries, then run a bisection.
or you can look at the URL of the google maps embed in devtools then ask chatGPT either to give the location or just the latlong that you can subsequently google :)
Chatgpt got the location wrong just 1/4 times
So does this sometimes reach an unsolvable state? I have a captcha whose digits sum up to 24, a condition that all digits should sum up to 25, and the best chess move is Ne6+ (accepted), but there's no way to get all digits to sum to 25!
mAy@VpepsiVIIm3588tractSibelgiumNe6+
m3588 is the captcha and Ne6+ is the chess move in the above
I've also tried putting something like -5 in the hope that it recognizes negative numbers, but no luck!
When you break the captcha rule, you can re-select the captcha. You want to keep re-rolling till you find a low number combo. There are a few rules where you can re-roll to get a better random number. In general, it gets harder and harder to stay under the 25 limit as you progress.
Hello guys, for level 16 (Chess level) if you can't get past it use this website https://nextchessmove.com/
How to use?
Make the chess board on the website the same as the one on The Password Game then press the Calculate button. Have fun! Edit: press reset to get the full board!
I had a captcha value "ex0888" and the answer for the chess puzzle was Rd8+. Now I cannot satisfy the rule "digit sum adds up to number 25" because the total of all the digits in the password was exceeding 25. Can't go ahead of this!
But it was fun playing and keeping up all the rules!
There doesn't seem to be a way to search YT videos (except videos you yourself post) by exact length. I got 21 min 45 seconds. Looking up "3000 second timer" on YT got me close (only 4 seconds out), but not exact. Do you have a way to find exact-length videos that I'm missing?
Awesome game. Didn't think it was possible to LOSE at picking a password but there you have it. LOST at finding a 16m48s youtube video and a lovely passw0R.513mayIshellXXXV8pfxxtractAusingaporeRh8+ iamenough
When entering the chess game moves make sure to add `x` when taking a piece, `+` when checking, and `#` for checkmate.
I don't think passwords will be replaced. This is more of a demonstration of over complicated password rules, than against passwords itself.
Hardware and biometric keys can be stolen, cloned and lost. And trusting third-parties with keys to harddrive encryption is also not really trustworthy.
1. You can have multiple hardware keys or devices bound to an account as a backup or for ease of use.
2. Passkeys allow you to pick a backup solution of your choosing. Could be your own nextcloud server in the corner. This is no different than giving someone a choice of cloud-synced password manager
Both solutions avoid phishing, password re-use, keylogging, or people picking weak passwords.
There is no excuse for anyone even supporting passwords at this point. Sysadmins have not commonly used passwords for ssh in 20 years, favoring private keys on either hardware or encrypted disks. Keys are better than passwords-over-the-wire in every way.
> 1. You can have multiple hardware keys or devices bound to an account as a backup or for ease of use.
How does that help if someone steals your hardware key, logs in with it and then puts it back? You don't even know that it was stolen and your account was messed with. With a good password you know if you tell someone. Granted people could film you typing your password, but stealing your hardware key is much easier.
> 2. Passkeys allow you to pick a backup solution of your choosing. Could be your own nextcloud server in the corner. This is no different than giving someone a choice of cloud-synced password manager
This isn't about backup, but trust. Do I trust a third-party to manage the keys to my kingdom? No. And even if, the third-party is a much easier target for 3 letter agencies, governments or other rich/influential bad actors. Also I haven't seen a solution where passkey can be used to decrypt my LUKS partition.
> There is no excuse for anyone even supporting passwords at this point. Sysadmins have not commonly used passwords for ssh in 20 years, favoring private keys on either hardware or encrypted disks. Keys are better than passwords-over-the-wire in every way.
The encrypted disks are hopefully protected with a password, and not magically unencrypted, just by booting it with the right TPM configuration. The hardware hopefully requires a pin or password in order to unlock the SSH key, and the SSH key on disk is hopefully encrypted with a password as well.
1. If they have the access to steal your hardware key then they also probably have access to replace your usb charging cable with a malicious one, or install a keylogger on your system, or place a microphone or camera near you for acoustic or optical keylogging. All ways your password could be stolen without you knowing. If your yubikey is stolen at least you find out fast and could warn your IT manager to lock you out. Still, 99.999% of all threats are online, and for the rare few that have physical theft of keys in their threat model, then you have the option to set a pin on your yubikey with a 3 try lockout. Or you can use touchid, or another platform authenticator built into your laptop. If they can steal your unlocked laptop, then neither passwords nor passkeys are going to help so this is moot.
2. Fido2 lets you decide who to trust. A non technical user can use google or apple or a hosted nextcloud instance as a backup. A technical user is more likely to enroll the TEEs built into their phones and laptops, with a yubikey in a safety deposit box as a backup.
Passkeys and FIDO2 offer a massive reduction in attack surface and are superior to passwords in every way for every threat model I have ever heard of.
You have all the same options for managing a fido2/passkey/webauthn key as you do an ssh key.
Web passwords should go die in the same fire as SMS 2FA.
> 1. If they have the access to steal your hardware key then they also probably have access to replace your usb charging cable with a malicious one, or install a keylogger on your system, or place a microphone or camera near you for acoustic or optical keylogging. All ways your password could be stolen without you knowing. If your yubikey is stolen at least you find out fast and could warn your IT manager to lock you out. Still, 99.999% of all threats are online, and for the rare few that have physical theft of keys in their threat model, then you have the option to set a pin on your yubikey with a 3 try lockout. Or you can use touchid, or another platform authenticator built into your laptop. If they can steal your unlocked laptop, then neither passwords nor passkeys are going to help so this is moot.
You are jumping around various attack scenarios to make your point. If your child steals your hardware token to shop on amazon and then puts it back afterwards, that is a different and much more likely scenario than some targeted attack by some hacker that is prepared and breaks into your home...
Most online threats are about social engineering, where the person that is attacked actually cooperates with the attacker. AFAIK there is no safeguard against that, other than not trusting people with their own stuff.
I would worry more about someone stealing a locked laptop. If there is no password (or other kind of knowledge-based protection), then they have everything they need to unlock it.
> Web passwords should go die in the same fire as SMS 2FA.
So since you limited your argument now to just Web passwords, does that mean you agree with me that you don't think there is a good solution to replace passwords for encryption or local authentication that works offline and doesn't move the trust away from the user?
Web passwords are the primary issue. Secrets that are local on your system with hardware enforced rate limiting, such as a pin on a yubikey, are reasonable. Pins are short and memorable. Passwords generally must be 256 bits of entropy and thus not easily memorable.
You can do FDE with a smart card+pin or smart card+biometrics depending on your threat model.
I consider a pin provided to local hardware or for local decryption different from the concept of a password as is widely deployed on every web service under the sun.
Services should never see your secrets though, only public keys.
I assumed we were talking about web passwords given that is the only scope FIDO2/passkeys cover.
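An added illustration, not part of the thread and not real WebAuthn/CTAP code, of two points argued above: a service that stores only a public key, and a PIN checked on the device with a three-try lockout. It goes slightly further by also showing the single-use challenge and the origin check that keep a signed login from being reused; the class names, origin and PIN are constructed, and Node's built-in Ed25519 stands in for the authenticator's key.

```javascript
const crypto = require('node:crypto');

// Toy stand-in for a hardware key: PIN-gated, with a hardware-style retry counter.
class ToyAuthenticator {
  constructor(pin, maxRetries = 3) {
    this.pin = pin;
    this.maxRetries = maxRetries;
    this.retries = maxRetries;
    const pair = crypto.generateKeyPairSync('ed25519');
    this.publicKey = pair.publicKey;   // the only thing a service stores
    this.privateKey = pair.privateKey; // never leaves the device
  }
  getAssertion(pin, origin, challenge) {
    if (this.retries === 0) throw new Error('PIN blocked, reset required');
    if (pin !== this.pin) {
      this.retries -= 1;
      throw new Error('wrong PIN, ' + this.retries + ' tries left');
    }
    this.retries = this.maxRetries; // a correct PIN resets the counter
    const clientData = Buffer.from(JSON.stringify({ origin, challenge: challenge.toString('base64') }));
    return { clientData, signature: crypto.sign(null, clientData, this.privateKey) };
  }
}

// Toy service: holds a public key and one pending single-use challenge.
class ToyRelyingParty {
  constructor(origin, publicKey) {
    this.origin = origin;
    this.publicKey = publicKey;
    this.pending = null;
  }
  newChallenge() { return (this.pending = crypto.randomBytes(32)); }
  verify({ clientData, signature }) {
    const expected = this.pending;
    this.pending = null; // consume the challenge so a captured assertion cannot be replayed
    if (!expected) return false;
    if (!crypto.verify(null, clientData, this.publicKey, signature)) return false;
    const data = JSON.parse(clientData.toString());
    return data.origin === this.origin && data.challenge === expected.toString('base64');
  }
}

function demo() {
  const site = 'https://example.test';      // constructed origin
  const key = new ToyAuthenticator('4821'); // constructed PIN
  const rp = new ToyRelyingParty(site, key.publicKey);
  const assertion = key.getAssertion('4821', site, rp.newChallenge());
  const login = rp.verify(assertion);
  const replay = rp.verify(assertion); // same bytes again, no pending challenge
  const lookalike = rp.verify(key.getAssertion('4821', 'https://examp1e.test', rp.newChallenge()));
  let blocked = false; // someone holding the key guesses PINs; the 4th guess is the right one
  for (const guess of ['0000', '1111', '1234', '4821']) {
    try { key.getAssertion(guess, site, rp.newChallenge()); } catch (e) { blocked = /blocked/.test(e.message); }
  }
  return { login, replay, lookalike, blocked };
}
```

`demo()` returns `login: true` and `false` for the replayed and wrong-origin assertions; `blocked: true` shows that after three wrong guesses even the correct PIN is refused.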
> Web passwords are the primary issue. Secrets that are local on your system with hardware enforced rate limiting, such as a pin on a yubikey, are reasonable. Pins are short and memorable. Passwords generally must be 256 bits of entropy and thus not easily memorable.
I consider PINs, passwords and passphrases as the same thing, just different rules to create/input them. Numerical PINs might be easier to remember, but as with unlock patterns on a phone, it is also easier to casually observe someone entering and memorizing it.
Biometrics I am not a fan of, because they can be stolen without you noticing. With a password you have to enter it in an untrusted environment, which takes more effort to set up. Also biometrics cannot easily be changed if they leak. And they also change with time and events involuntarily, and some people even have identical biometric data.
> I assumed we were talking about web passwords given that is the only scope FIDO2/passkeys cover.
The discussion started with wanting to replace all passwords.
IMO, 2FA via hardware key etc. next to a password/PIN is great, but IMO some kind of proof of knowledge cannot be replaced by just a proof of possession.
If using it as a security key (with a password) you don't need to give the device anything but a tap usually.
However, if you use a Yubikey or Trezor for example as a Passkey (No Password), you have to enter a pin on either (Yubikey via OS and Trezor on device) before they will fulfil the request and log you in.
> However, if you use a Yubikey or Trezor for example as a Passkey (No Password), you have to enter a pin on either (Yubikey via OS and Trezor on device) before they will fulfil the request and log you in.
Personally I consider a PIN, password or passphrase the same thing, just different rules. It is security based on knowledge. So if I enter a PIN somewhere it is still a password. IMO this is fine.
I'm stuck on the chess thing as well, and this time I do think it's a bug. The board in FEN notation is 8/7p/5pk1/3n2pq/3N1nR1/1P3P2/P6P/4QK2 w - - 0 1
The best move is 'Qe8+' and that is exactly what I have put in. Including the '+' sign.
This is great! I built a very similar thing a while ago - https://www.funnypasswordchecker.com/
Definitely not in the same league but it was a lot of fun!
Got to the final answer but then I had to re-enter my password before a bomb blew up and it wouldn't let me copy my password. Anyone manage to do that last part? Is it even possible e.g. if you copy your password before that's disabled?
This game is great! Even though I will need to catch up with whatever was happening in my class for the last 2 hours, I thoroughly enjoyed my time and the fact that I have no idea what the professor is talking about is a sign of how engaged I was.
Funny game, but it seemed to break for me when trying to find a YouTube video of length 4:55. I entered multiple videos of lengths 4:54, 4:55, and 4:56, all while keeping Paul fed, but none of them satisfied the requirement somehow.
I am stuck with “ Agtractbnc2fshellXXXVjune995$” and can’t figure out the guess the country one. I have the one where you are in a cave with a lot of people with a hit with a no smoking and no shoes sign
Aww, I overfed Paul while trying to find a suitable YouTube URL.
It ended with:
SmSm#aro#Qg8+1196decemberpepsiXXXVxbcbxI am loved about[moon-emoji]kenya[paul][lifting][lifting][lifting][worm][too many worms]
I loved the Google maps street view bit. I couldn’t exit street view and the road signs were in Cyrillic. Had to walk a long way before I could search for some landmarks and guess Belarus.
I walked around a lot but couldn't figure out the country. I refreshed and the next one was on some cliff that I couldn't move so I pasted a list of all countries and then started deleting in a binary search fashion until I was left with the correct one.
Hah! I was wondering about that. Mine dropped me into what looks like a 3D modeled version of a real place, but sandboxed - there's no way to move around.
I made it up to Foo997!JanuaryVIIVStarbucksxbcbxTRAcTcambodia and it was a lot of fun, but I don't have the patience of somehow working a leap year into it
Well, my chess move is Nd3+, and Nd gives an atomic number of 60. That plus V and VII gives 212. Adding an “n” to VII reduces it to 208, but I am screwed, no password for me…
I only got to the captcha because I was on mobile and couldn't be arsed to make precise edits, but I am very impressed by how slick and funny they made a password modal
I started this just before midnight, and once I got to the wordle question it didn't work. Possibly because the wordle had changed since starting the password game
The first result of "todays wordle" is AI-generated blogspam that might have the answer buried in there somewhere. The first result of "today's wordle" is the wordle game itself.
I cannot get past rule 5, where it says your password must have digits that add up to 25. My password is currently TheU youtuebrmilliondollarsjulyXXXVpepsixgcxytractsweden0Rh8+
I've gotten up to rule 16 in total, but every time I go to progress it says that I have to complete rule 5 again.
finally did it after 10 attempts and several hours..
my password was "[paul]#################7Ge101#2ad2be1:00dpbydstrawmaypepsi[worm][moon][weight][weight][weight]iamlovednorwayQxh7+youtu.be/__uIuGojJU4XXXV"
on rule 18: "The elements in your password must have atomic numbers that add up to 200." My element is "Na" and it says my roman numerals are a problem. They are "VI" and "IV". Not too sure where to go from here.
The roman numerals are all good, man, it's the elements. The "N" in "Na" is adding 90 onto the numeral rule. For rule 18 you can use multiple two-letter elements, just try and find ones that don't contain roman numerals and you'll be fine.
Not sure if this is currently the case, but Wordle used to have the entire list of words for each day served in client-side code (I believe it was a static list with modular arithmetic, or something along those lines). So doing "view source" would not only tell you the current day's word, but also allow you to view the answers for any future day.
When the NYT bought the site, they shuffled the word list but (at least at first) kept this system. They may have obfuscated it by now though.
Either way, since Wordle is a free game, it's not difficult to automate a script that will attempt to solve it and grab the correct answer.
I thought the NY Times had reworked it so you couldn't see the answer in advance anymore, but maybe not. The current code is too obfuscated for me to figure it out easily.
Look at the periodic table and find elements that add up to what you need. In the game lowercase letters will not count as an element unless paired with an uppercase, so either one capital letter or one capital and one lowercase letter as the atomic symbols.
It means that whatever strings in your password that are elements in the periodic table, should have atomic numbers (in the periodic table) that add up to 200.
So go find a table on wikipedia, add up the elements it already recognized and choose strategically a couple of new ones to add !
Look up a periodic table and correlate the highlighted letters with numbers on said table.
Change, remove, modify letters until you reach 200 based on the sum of their atomic numbers.
For easy cheese, add H to increment by 1. Repeat capital H until you have reached the sum if you are under. Easy to later add and remove H until you satisfy the condition.
I lost at rule 35 (out of 36) because I overfed Paul.
Some tips I gathered:
9. Use XXXV, as the chemical symbols contained in (V,VII) add up to 152, which is already very close to 200 for rule 18;
10. Refresh the captcha so that it only includes lowercase letters, you'll need numbers later and they can't add up to more than 25 according to rule 5;
14. Pray for having a country with a short name, whose first letter isn't also a chemical element and that includes common letters (curse you Zimbabwe);
15. I think 4 is a leap year...
17. Put Paul at the start or the end of your password;
19. You can bold the whole string to meet the condition, but beware of rule 26. Also, before meeting the condition, copy-paste your password elsewhere;
20. Just select the fire and some more characters and delete them, then fill the gap from your copy-pasted password;
22. Use "i am loved" (all lowercase, cf. rule 18) as you'll need to sacrifice two letters for rule 25, but you will already use 'o' for youtu.be, 'v' for XXXV, 'e' for youtu.be, and probably 'l' and 'd' in your captcha, URL (cf. rule 24) or color (cf. rule 28). Also, it's the shorter word of the three, and for rules 32 and 33 it's simpler to add padding symbols than to remove mandatory characters to control the length of the password;
23. Try to have between 2 and 6 max worms at any time, it should give you enough time to think without overfeeding Paul. 9 worms will definitely kill Paul (maybe less, but 6 should be safe);
24. On Chrome, you can use the "YouTube Time Filter" extension to find videos of the correct time length. On YouTube, type a very generic request (like "game", "car", or even just "p"), open the filters and choose "Video" (to filter out shorts) as well as a length range (to reduce client-side filtering) then in the YouTube Time Filter insert a length range one second before and one second after the required range (the game has a one second leniency). Then scroll and scroll. Of course, once you find a suitable video, strip any superfluous parameter from its length, and make sure that the video id doesn't include any uppercase 'M', 'D', 'C', 'X' (because those roman numerals don't multiply to 35, cf. rule 9) and preferably no 'V' or 'I' (because of rules 9 and 18). It's hard, but with a bit of patience, it's doable. Also use the short URL (youtu.be, not youtube.com) and trim the "https://www.", you don't need them;
25. If you applied those tips correctly and you were lucky on the captcha and the country, you should be able to strip the letters 'w' and 'z' at the very least. Other letters if you were very lucky (maybe try to choose another month for rule 6 if it can make you unuse a letter, or maybe you should have used "i am enough" ?);
26. Just put the whole string in italics;
28. Refresh until you have a color without numbers (or 0 at most), for rule 5;
32. It's better to have 123 characters than 97 (cf. rule 5);
33. Sorry, I meant 113. Other probable candidates, depending on your current password length are: 101, 103, 113, 131, 151, 211, 223, 233, 311 and 313. Other numbers are fine too, but it's up to you to see if you can have them depending on your URL and chess move. Maybe include 8 padding symbols at the end of the password, in anticipation of rule 35. Know that the length will vary when you feed Paul, but the length should usually be correct;
34. Just skip this one, really;
35. Unfortunately, I didn't pass that one as I overfed Paul, but I think it would be easier to play around midnight, ideally at 00:00:00, because you know, rule 5. But make sure to write it at 23:59 and change the font size to 0px before midnight, so every rule can be met at midnight. Not sure if the seconds are needed or not, since I didn't pass it.
To add a couple of things to this:
9. I use XXXV (23), He (2), Fm (100), these make it easier to adjust the symbols later on.
15. 0 is a leap year
20. Ctrl+Backspace will delete the whole fire if you place your cursor at the end of it
24. If you type your exact time into youtube (e.g. 32:15) you will find many videos with that length, bad thing about this solution however is that if you're given a time that can also be a date (e.g 21:01) you'll just get a bunch of news broadcasts from that day.
Also I think the limit for Paul is 5 caterpillars, I keep it at 4 just to be safe though.
I'm stuck at level 28 where I have to convert the image to hexadecimal which I have done using multiple websites all getting the same answer however when I copy it over to the game it doesn't work. Please help I've spent too long doing this
This reminds me of trying to manually construct an Autogram like below. This one is a quote someone else made. I tried to do it myself and it is so hard because the counts keep changing as you write out other counts!
Only the fool would take trouble to verify that his sentence was composed of ten a's, three b's, four c's, four d's, forty-six e's, sixteen f's, four g's, thirteen h's, fifteen i's, two k's, nine l's, four m's, twenty-five n's, twenty-four o's, five p's, sixteen r's, forty-one s's, thirty-seven t's, ten u's, eight v's, eight w's, four x's, eleven y's, twenty-seven commas, twenty-three apostrophes, seven hyphens and, last but not least, a single !
https://en.wikipedia.org/wiki/Autogram