The Snake Oil Index

A simple method for rating potentially revolutionary contributions to cryptography and security engineering.
Shamelessly copied from (that is, inspired by) John Baez's Crackpot Index. Many thanks to John for reviewing it.

  1. A -5 point starting credit.
  2. 1 point for not disclosing the source code.
  3. 1 point for a license explicitly prohibiting reverse-engineering your product, or containing any other legal measure to stop people from trying to discover how it works.
  4. 2 points for claiming "military-grade" security.
  5. 2 points for each use of the words "cyber" or "hacking" in the description of your product.
  6. 5 points for each claim that your product "provides unbreakable encryption" or "is the world's strongest" or "is 100% secure".
  7. 5 points for organizing a cracking contest. 5 more for establishing unreasonable or unrealistic rules. 5 more for claiming that your product is secure because nobody bothered participating in the cracking contest.
  8. 5 points for claiming that your product has been reviewed by "security experts" without providing scholarly references.
  9. 5 points for storing users' secrets (e.g. private keys) on your servers without good reason.
  10. 5 points for seeding a PRNG with a predictable value.
  11. 5 points for disabling copy & paste in password input fields.
  12. 5 points for implementing Security Questions for password recovery.
  13. 5 points for implementing Security Questions in addition to a password, and declaring this as 2FA.
  14. 10 points for not divulging the cryptographic algorithms you use (because "hackers could break it").
  15. 10 points for any other implementation of security through obscurity.
  16. 10 points for using absurd key lengths (e.g. 1 million bits).
  17. 10 points for using one-time pads.
  18. 10 points for using known broken ciphers.
  19. 10 points for encrypting by XORing the key with the data.
  20. 10 points for storing passwords in plaintext, or in another trivially accessible way (e.g. encrypted with a symmetric key stored on the same server).
  21. 10 points for having a key recovery feature, or a key escrow mechanism.
  22. 10 points for jumping on the blockchain bandwagon by implementing a blockchain in your product without good reason, or for any other mention of pseudo-crypto balderdash (e.g. quantum AI encryption).
  23. 20 points for designing your own cryptographic algorithm. (Unless your last name happens to be Adleman, Feistel, Rivest, Shamir, etc.)
  24. 20 points for mailing your cryptographic algorithm to someone you don't know personally and asking them to review it and/or find any flaws.
  25. 20 points for each new term you invent and use without properly defining it.
  26. 20 points for every pseudo-mathematical statement that is either nonsensical, vacuous, or inconsistent.
  27. 20 points for confusing symmetric cryptography with public-key cryptography.
  28. 20 points for confusing pseudorandom with random.
  29. 20 points for any other evidence of extreme cluelessness about cryptography.
  30. 20 points for inadvertently introducing vulnerabilities in your system as a consequence of misidentifying the attack vector (e.g. having AV software installed on electronic voting machines).
  31. 30 points for designing your own cryptographic protocol based on a new paradigm (e.g. neural networks, chaos theory, quantum entanglement).
  32. 30 points for declaring your own cryptographic protocol secure just because you couldn't break it.
  33. 30 points for replying to those who argue against your product by pointing out your academic credentials, how long you've been in business, or how many clients you have. 30 more if you're caught sockpuppeting.
  34. 30 points for mistaking encoding for encryption (e.g. "we encrypt all credit card numbers in Base64").
  35. 30 points for mistaking obfuscation (e.g. ROT13) for encryption.
  36. 30 points for providing a feature that bypasses all security (e.g. a master password).
  37. 40 points for designing your own cryptographic protocol based on a new branch of mathematics you invented. 40 more for stating, without proofs, that you solved the Riemann hypothesis or Goldbach's conjecture thanks to it.
  38. 40 points for claiming extraordinary feats (e.g. breaking 2048-bit RSA encryption, or being a revolutionary breakthrough) without proofs.
  39. 40 points for putting a backdoor in your product.
  40. 50 points for ending up in Schneier's Doghouse.
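As an added illustration (not part of the original index), the following Python shows why item 19 earns its points, and why a reused pad (item 17) is no better: XORing a fixed key with the data leaks the key under a single known plaintext, and leaks one message from another whenever the key is reused. The key and messages are constructed sample values.

```python
from itertools import cycle

# Constructed sample values for the demonstration; not from any real product.
KEY = b"s3cr3t"
M1 = b"Transfer $100 to account 42"
M2 = b"Transfer $900 to account 42"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """The snake-oil 'cipher': XOR each data byte with the (repeating) key.
    Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def key_from_known_plaintext(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext weakness: C XOR P yields the key stream, and with a
    repeating key the first key_len bytes of that stream are the key itself."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_bytes(ciphertext[:key_len], known_prefix[:key_len])


def recover_second_message(c1: bytes, c2: bytes, m1: bytes) -> bytes:
    """Key reuse (the 'two-time pad'): C1 XOR C2 = M1 XOR M2 because the key
    cancels, so knowing M1 reveals M2 without ever learning the key."""
    return xor_bytes(xor_bytes(c1, c2), m1)


C1 = xor_with_key(M1, KEY)
C2 = xor_with_key(M2, KEY)

if __name__ == "__main__":
    # A predictable header such as "Transfer " is all the known plaintext needed.
    print("recovered key:", key_from_known_plaintext(C1, b"Transfer ", len(KEY)))
    print("recovered M2: ", recover_second_message(C1, C2, M1))
```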

by Daniele Raffo         page created on 13 December 2012         page updated on 18 July 2021