Challenge idea: sqlite file with username/password dumps

[bendehaan]

Context

• What should the challenge scenario be like? A sqlite file with ~2000 username/password dumps, where the password is either (wrongly) hashed, encrypted, or both, from which a user is dynamically selected at runtime. The participant should find out the password belonging to the user.
• What should the participant learn from completing the challenge? Wrong hashing/encryption for username/password tables.
• For what category would the challenge be? Code/Docker

Did you encounter this in real life? Could you tell us more about the scenario?

Yes, a pseudonym generator that was easily traced to the unique entries.

If the challenge request is approved, would you be willing to submit a PR?

Yes

[yashgoyal0110]

Hey @bendehaan
can i work on this one?

[Sanskriti10247]

Hi @bendehaan and maintainers 👋

This looks like a great security-focused challenge idea.
I went through the context and understand that the scenario is designed to teach contributors about:

• Incorrect handling of password storage using weak or misapplied hashing, encryption, or both

• Realizing the risks of improper crypto hygiene in username/password tables

• Learning how flawed implementations can still leak sensitive data through unique patterns (like the traced pseudonym case mentioned)

• The idea of using a SQLite DB with ~2000 credential dumps and selecting a user dynamically at runtime is a realistic and effective setup for a hands-on DevSec learning experience, especially for the Code/Docker category.

I’m very interested in contributing to security challenges like this and can help with:

1. Structuring the crypto lesson clearly in documentation
2. Setting up reproducible Docker environments
3. Fixing or expanding testable challenge templates if needed
4. Validating CI-ready PR hygiene for security contributions

Since this challenge concept is already being discussed by other contributors, I won’t interrupt the current flow, but I’d love to pick this up once it’s officially open for implementation or review.

Thanks
Sanskriti

[commjoen]

Hi @yashgoyal0110 ,
sorry for missing this one, do you still want to work at the issue? Or are you ok if we give this to @Sanskriti10247 ?
With kind regards,
Jeroen