HotCRP is a widely used conference management software package in the academic community (e.g. USENIX Security uses it for paper submissions). The software is maintained by Eddie Kohler and is freely available at the HotCRP web page.
HotCRP account passwords are currently stored as clear text in the database (the ContactInfo table). If the user requests it, their password will be sent in clear text to the associated email address.
The challenge is to extend and improve the HotCRP software in two ways:
Introduce an $Opt option that causes HotCRP to store passwords in encrypted form, rather than plain text. A password should be recoverable from the encrypted database versions using a key set in $Opt (i.e. not in the database).
Alternatively, or in addition, introduce an $Opt option that causes HotCRP to store cryptographic hashes of passwords. In this mode, HotCRP will not be able to recover passwords from the database. This will require changes to mail templates and the account user interface.
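The two storage modes described above, sketched side by side as an added example (not HotCRP code and not a challenge submission). The option names "passwordMode" and "passwordKey", the "e:"/"h:" prefixes and the function names are assumptions made for illustration.

```php
<?php
// Added illustration, not HotCRP code. The option names "passwordMode" and
// "passwordKey" are hypothetical; HotCRP's real $Opt keys may differ.
$Opt = [
    "passwordMode" => "hash",            // "encrypt" or "hash"
    "passwordKey"  => random_bytes(32),  // constructed key; a real one is set in the options file, never in the database
];

// Returns the string to store in the ContactInfo password column.
function store_password(string $plain, array $Opt): string {
    if ($Opt["passwordMode"] === "hash") {
        // One-way: salted, deliberately slow hash. The password cannot be recovered.
        return "h:" . password_hash($plain, PASSWORD_DEFAULT);
    }
    // Reversible: AES-256-GCM under a key that lives only in $Opt.
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, "aes-256-gcm", $Opt["passwordKey"],
                          OPENSSL_RAW_DATA, $iv, $tag);
    return "e:" . base64_encode($iv . $tag . $ct);
}

// Checks a login attempt against the stored value in either mode.
function check_password(string $attempt, string $stored, array $Opt): bool {
    if (strncmp($stored, "h:", 2) === 0) {
        return password_verify($attempt, substr($stored, 2));
    }
    $plain = recover_password($stored, $Opt);
    return $plain !== null && hash_equals($plain, $attempt);
}

// Returns the plaintext in encrypted mode; null for hashed or tampered values.
function recover_password(string $stored, array $Opt): ?string {
    $raw = strncmp($stored, "e:", 2) === 0 ? base64_decode(substr($stored, 2), true) : false;
    if ($raw === false || strlen($raw) < 28) {   // 12-byte IV + 16-byte tag
        return null;
    }
    $plain = openssl_decrypt(substr($raw, 28), "aes-256-gcm", $Opt["passwordKey"],
                             OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $plain === false ? null : $plain;
}

foreach (["encrypt", "hash"] as $mode) {   // constructed demo input
    $Opt["passwordMode"] = $mode;
    $stored = store_password("correct horse", $Opt);
    var_dump(check_password("correct horse", $stored, $Opt));  // true in both modes
    var_dump(recover_password($stored, $Opt) !== null);        // true only in "encrypt" mode
}
```

In hash mode recover_password() has nothing to return, so any code path that mails a user their existing password has no value to send.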
The challenge is open to all.
The solution must be composed of two parts:
The solution must be compatible with the HotCRP software license and be provided with terms that allow it to be covered by the HotCRP license in order to be included in future versions of the HotCRP package. Solutions will be shared with the HotCRP maintainer, Eddie Kohler, for evaluation and consideration for merging into a future release of the HotCRP package. All solutions must be sent to firstname.lastname@example.org with a Subject: line including the "[hotcrp]" tag. All submissions must arrive at the DRG via email by September 30, 2012 2359 UTC.
The winner, selected by the Dragon Research Group and Eddie Kohler, will be awarded two free entrances for the hack.lu 2012 conference, a DRG t-shirt and recognition by the sponsors for a job well done.