…and if the end-user uses JavaScript in the Console to replace your onsubmit
handler with one of their own?
Then they still can’t progress beyond that door.
Since the last page of the game is encrypted, there’s no way to read it in the source unless you know/submit the passphrase.
Hash collisions are a thing, though. They may not find the “real” password, but they could (given enough time and/or hardware) find another one that works.
Granted, using cryptography does dramatically raise the effort vs. reward tradeoff. But as HiEv said, this isn’t really all that practical inside a Twine game. I don’t think you can encrypt the whole of the rest of the story; you could encrypt part of one passage, perhaps, but it could still be bypassed entirely with little effort.
And as Dan pointed out, this will be for naught the instant someone posts a hint guide or walk through, unless the OP makes it their life mission to scour the web and report all hint threads.
I know the puzzle is randomly generated, but a hint thread telling you that the answer is 2 + 4 is only one thought process removed from telling you it’s 6.
Basically I’m bringing this all the way back around to Zarf’s comment: