Skip to content

Instantly share code, notes, and snippets.

Aaron Toponce atoponce

Block or report user

Report or block atoponce

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile

Verifiable brute force strength

Below are table of various projects that can completely exhaust n-bits of keyspace. In other words, counting completely and fully from 0 to 2^n-1.

This Gist implies no discussion about how this is relevant to quantum computing using Grover's algorithm, meet-in-the-middle or birthday attacks, or anything of the like. It's strictly a Gist about raw speed, measuring the result in bits.

If you know of other note-worthy and verifiable brute force searching projects,

atoponce /
Last active Sep 30, 2019
Magic Hashes

Magic Hashes


Calculating magic hashes for These strings should probably be put into a blacklist preventing users from using them as passwords to mitigate PHP evaluating hashes starting with "0e" as floats.


View gist:c0e988023ac8cdebbec7d900f456a792
A = [0, 0, 0, 0, 1, 0, 0, 2, 0, 2, 1, 1, 1, 2, 0, 0, 2, 0, 1, 0, 1, 2, 1, 1, 0, 1, 2, 0, 3, 0, 2, 3, 0, 1, 1, 0, 1, 0, 1, 2, 1, 1, 0, 1, 0, 1, 0, 1, 2, 3, 1, 1, 1, 1, 0, 1, 0, 2, 1, 0, 0, 0, 1, 1]
min-entropy: H = -log2(p_max)
Shannon: H = -sum(p_i * log2(p_i))
max-entropy: H = -log2(unique(p_i))
min-entropy ~= 4.196397212803504
Shannon ~= 5.158365849770286
max-entropy = 2
atoponce /
Created Jul 2, 2019
Encrypted Filesystems for Linux
Filesystem Type Default Cipher Block Mode Authentication Encryption Mode Password Hash RNG Audit
CryFS Stacked FS AES-256 ? GCM AEAD scrypt ? ?
Cryptomator Stacked FS AES-256 ? HMAC-SHA256 Encrypt-then-MAC scrypt Userspace ?
dm-crypt Block Device AES-256 ESSIV None N/A RIPEMD160 Kernelspace ?
eCryptfs Stacked FS ? ? ? ? ? ? ?
EncFS Stacked FS ? ? ? ? ? ? ?
ext4 Block Device ? ? ? ?
atoponce / log.txt
Created Jun 26, 2019
Testing negotiated MACs with OpenSSH 7.9
View log.txt
debug1: kex: server->client cipher: MAC: <implicit> compression: none
debug1: kex: client->server cipher: MAC: <implicit> compression: none
debug1: kex: server->client cipher: aes128-ctr MAC: compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: compression: none
debug1: kex: server->client cipher: aes192-ctr MAC: compression: none
debug1: kex: client->server cipher: aes192-ctr MAC: compression: none
debug1: kex: server->client cipher: aes256-ctr MAC: compression: none
View gist:983b287af496338954942da5d612176d
Show the differences betwen various base-32 encoding schemes. Alphanumeric order used to show what's missing in each.
RFC 2938: 0123456789ABCDEFGHIJKLMNOPQRSTUV : Preserves hex bitwise sort order
RFC 4648: 234567 ABCDEFGHIJKLMNOPQRSTUVWXYZ: 8/B, 9/g, 0/O, and 1/I ambiguity
Crockford: 0123456789ABCDEFGH JK MN PQRST VWXYZ: 0/O and 1/I/L ambiguity
Geohash: 0123456789 BCDEFGH JK MN PQRSTUVWYYZ: 0/O and 1/I/L ambiguity. No "A"
z-base-32: 1 3456789ABCDEFGHIJK MNOPQRSTU WXYZ: human ease-of-use
atoponce / index.html
Last active Apr 26, 2019
JavaScript entropy proof-of-concept
View index.html
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<title>JavaScript Entropy Proof-of-Concept</title>
<script language='javascript'>
atoponce /
Last active Apr 5, 2019
Best practices for examples in documentation

Reserved Examples

Below are examples for best practices that have been set aside specifically for writing documentation, fictional stories, source code, or anything else where an example needs to be given without the fear of resolving to an actual phone number, domain, website, etc.

Domain Names

In 1999, the "" domains have been set aside by the IETF in RFC 2606 specifically for documentation and source code. They include,, and The domain was added by ICANN in 2000. Later, the ".example" top-level domain name has since been added explicitly for documentation purposes.

While the pseudo-top-level domain ".local" carries no meaning, it is commonly deployed in multicast DNS, local DNS, and private networks. While it too could be used for documentation, it's better left alone, and to use the "" and ".example" domains.


If you wanted to document getting a specific resource via a REST API

atoponce /
Last active Jun 8, 2019
Proposed improvements to EFF's FANDOM wordlists

Proposed EFF Fandom Improvements


If there are any problems with the word lists, please reach out to me on Twitter [@AaronToponce][0].

Original Word List Problems

The [initial EFF word lists][1] have several problems:

  1. The word lists are not alphabetical for visual inspection.
atoponce /
Last active Dec 5, 2018
Password generation in the shell

Simple Shell Password Generation

Just using the shell, either with built-in tools, or 3rd party generators, for building passwords with at least 70-bits of entropy (1 in at least 1,180,591,620,717,411,303,424 possibilities).

Each provide their own advantages and disadvantages.

Built-in Tools

All graphical keyboard characters

All possible 94 graphical characters (not the <Space> or <Tab>) are

You can’t perform that action at this time.