
HotCRP is a widely used conference management software package in the academic community (e.g. USENIX Security uses it for paper submissions). The software is maintained by Eddie Kohler and is freely available at the HotCRP web page.
HotCRP account passwords are currently stored as clear text in the database (the ContactInfo table). If the user requests it, their password will be sent in clear text to the associated email address.
The challenge is to extend and improve the HotCRP software in two ways:
- Introduce an $Opt option that causes HotCRP to store passwords in encrypted form, rather than plain text. A password should be recoverable from the encrypted database versions using a key set in $Opt (i.e. not in the database).
- Alternatively, or in addition, introduce an $Opt option that causes HotCRP to store cryptographic hashes of passwords. In this mode, HotCRP will not be able to recover passwords from the database. This will require changes to mail templates and the account user interface.

The challenge is open to all.
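The two storage modes described above, sketched in PHP as an added example (not HotCRP code and not a challenge submission). The $Opt keys "passwordMode" and "passwordKey", the "h:"/"e:" prefixes and the function names are hypothetical; it assumes PHP 7.1 or later with the OpenSSL extension and that no legacy clear-text rows remain.

```php
<?php
// Added illustration: "passwordMode" and "passwordKey" are hypothetical $Opt keys.
$Opt = [
    "passwordMode" => "hash",           // "encrypt" or "hash"
    "passwordKey"  => random_bytes(32), // constructed; a real key is fixed in the options file
];

// Value to store in the ContactInfo password column; the prefix records the mode.
function store_password(string $plain, array $opt): string {
    if ($opt["passwordMode"] === "hash") {
        return "h:" . password_hash($plain, PASSWORD_DEFAULT);
    }
    $iv = random_bytes(12); // fresh nonce for every stored password
    $ct = openssl_encrypt($plain, "aes-256-gcm", $opt["passwordKey"],
                          OPENSSL_RAW_DATA, $iv, $tag);
    return "e:" . base64_encode($iv . $tag . $ct);
}

// Recover the plain text. Only encrypted rows can be recovered, and only with the key.
function recover_password(string $stored, array $opt): ?string {
    if (strncmp($stored, "e:", 2) !== 0) {
        return null; // hashed row: a mail template has to offer a reset instead
    }
    $raw = base64_decode(substr($stored, 2), true);
    if ($raw === false || strlen($raw) <= 28) { // 12-byte nonce + 16-byte tag + data
        return null;
    }
    $pt = openssl_decrypt(substr($raw, 28), "aes-256-gcm", $opt["passwordKey"],
                          OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt; // false means wrong key or tampered row
}

// Login check that works for rows written in either mode.
function check_password(string $input, string $stored, array $opt): bool {
    if (strncmp($stored, "h:", 2) === 0) {
        return password_verify($input, substr($stored, 2));
    }
    $plain = recover_password($stored, $opt);
    return $plain !== null && hash_equals($plain, $input);
}

$stored = store_password("correct horse", $Opt);            // constructed sample password
var_dump(check_password("correct horse", $stored, $Opt));
var_dump(recover_password($stored, $Opt));
```

Switching "passwordMode" to "encrypt" makes recover_password() return the plain text again, which is the property the first option asks for and the reason the key must stay out of the database.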
The solution must be composed of two parts:
The solution must be compatible with the HotCRP software license and be provided with terms that allow it to be covered by the HotCRP license in order to be included in future versions of the HotCRP package. Solutions will be shared with the HotCRP maintainer, Eddie Kohler, for evaluation and consideration for merging into a future release of the HotCRP package. All solutions must be sent to dragon@dragonresearchgroup.org with a Subject: line including the "[hotcrp]" tag. All submissions must arrive at the DRG via email by September 30, 2012, 2359 UTC.
The winner, selected by the Dragon Research Group and Eddie Kohler, will be awarded two free entrances for the hack.lu 2012 conference, a DRG t-shirt and recognition by the sponsors for a job well done.