Generating and storing passwords

Houdini stores passwords in the database using a hashing algorithm known as bcrypt. At the time of writing this, bcrypt is well regarded as a good standard for storing passwords inside of a database, this means that even in the tragic event your database gets leaked to the world, the passwords inside will be pretty much useless thanks to multiple rounds of hashing and the use of a salt.

If you would like to learn more about bcrypt and how it works, you may visit this Wikipedia Article.

This page is here to explain how passwords should be generated appropriately for use with Houdini, as the process is slightly different since it works around the old design of the Club Penguin client, which traditionally always used MD5, which is now deprecated.

This diagram explains how passwords are generated for Houdini. You may use this as a tool to develop your own registration page, or something…


Here is a PHP script which can be used to generate a password.

$password = "hello";

$hashedPassword = strtoupper(md5($password));
$staticKey = 'houdini';

$flashClientHash = getLoginHash($hashedPassword, $staticKey);
$datbasePassword = password_hash($flashClientHash, PASSWORD_DEFAULT, [ 'cost' => 12 ]);

echo "\n\r\n\r -> " . $datbasePassword . " <- \n\r\n\r";

function encryptPassword($password, $md5 = true) {
    if($md5 !== false) {
        $password = md5($password);
    $hash = substr($password, 16, 16) . substr($password, 0, 16);
    return $hash;
function getLoginHash($password, $staticKey) {        
    $hash = encryptPassword($password, false);
    $hash .= $staticKey;
    $hash .= 'Y(02.>\'H}t":E1';
    $hash = encryptPassword($hash);
    return $hash;

Password generator

You may use this generator to create secure passwords for use with Houdini. It implements all the processes explained above. (Passwords are not sent to a remote server, they are generated by your browser, so don’t worry about the use of this tool being logged)