4chan tripcode
To focus on anonymous posting, 4chan and other imageboards do not have user accounts at all. However there are some cases where it can be beneficial to identify some particular “VIP” posters, such as a creator speaking about their own work, or someone organizing an event — anything where impersonation of the VIP could really hurt the discussion. For these cases imageboards have a special functionality called “tripcode”, trip for short.
You can write your desired name when posting on 4chan to replace the “Anonymous” default, but clearly this method is completely vulnerable to impersonation. However, there is the another field where you can write any “passphrase”, kind of like a password. The server computes from that passphrase the tripcode, a sequence of characters, using a “hash function”, and displays it on the post for all users to see.
Two important properties of such a hash are:
- It’s fast to compute, but nearly impossible to backwards figure out the passphrase that was used for a given hash.
- it’s very difficult to control the “appearance” of the hash: It looks like a completely random sequence of letters and numbers. If you change your passphrase just a little, the trip completely changes. There is no way to predict what the hash will be or even what character it will start with.
These properties mean that would-be-impersonators who can see the trip on the legit posts cannot figure out what passphrase the VIP used and therefore cannot replicate the trip, not even so that their attempt kind of looks the same with many matching characters. That the bad actors can’t do that means the other users can trust, that in general, all posts with the same trip have been written by the same person.
For true VIP situations, this still leaves open the question whether a person using a trip actually is who they claim to be. One way is that the VIP posts a link on some trusted social media account or website of theirs saying that this particular 4chan post/tripcode is theirs, and therefore also all the other posts with the same trip.
Now, you can, but it’s very frowned upon, use tripcodes for any other purpose. Some users will use the same tripcode for all their posts to try to make themselves recognizable. Others call them tripfags, and routinely ignore them. In the page image at top, two tripfags can be seen.
A similarly despised phenomenon is called avatarfagging, where a poster makes themselves recognizable by repeatedly posting images of the same anime character, celebrity, or something else in all of their posts. A lesser and more acceptable form of repeated posting is where you just set the name field, which easily allows impersonation, assuming no one would actually bother because you don’t have anything that important to say.
Finally, getting back to the supposed properties of tripcode above, the example tripcode in the opening image may have arisen your suspicions: How can the poster have tripcode “xxxXxxXT1M” if the hash function is random and unpredictable? The answer is that there are tons of different hash function implementations out there and the one 4chan happens to use has the properties that it’s very fast to compute and also available for anyone to run on their own PCs. So brute force attacks are possible.
What some users do is set up a string like “xxxxxxxxxxx” and then start trying out billions of passphrases in order “a”, “b”, …, “aa”, “ab”,…, checking for each one if the computed hash has many leading “x” characters and making note of those passphrases that do.
The opening image user with the repeating “xxx” tripcode probably had his PC crunch for a week to generate that tripcode that is all “x”, except for the last three characters. He definitely had to make the concession that the letters can either be a lowercase “x” or uppercase “X”, in order to reduce the search space. He also could not wait until the last three characters would be solved. As a back-of-the-envelope calculation, the size of the tripcode character set is 27 + 10 for incase-sensitive letters plus digits. So to figure out a passphrase with x or X characters also for the last three positions of the tripcode, he would have needed to have his computers run about 37 * 37 * 37 = 50653 times longer than they had already done — clearly not feasible.
