Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 2 Aug 2010 16:40:52 -0400
From: Hank Leininger <hlein@...elogic.com>
To: john-users@...ts.openwall.com
Subject: Re: contest results & ...first set of stats/rules

On 2010-08-01, Solar Designer wrote:
> First of all, Minga (and others at KoreLogic) - thank you for the
> contest!

You're welcome!  We had a blast.  And we have a bunch of lessons learned
to make it better if/when we do it again.

Minga will probably make a real response to a few points raised in this
& other threads once he's done travelling, but my $0.02:

> I'd appreciate more info on what each team has been using/doing -
> hardware (and cost incurred, if any), software (free or previously
> acquired, I suppose?), password cracking techniques, team management
> (e.g., what separate roles?), how many team members (and how many of

Get out of our brains ;)  In this paragraph you have asked almost
exactly the questions that we are asking of any team that's willing to
talk about it (it's a requirement for being awarded a prize).  We want
to see that info published (on the contest website and/or teams' own
sites/blogs), indeed it was one of our biggest goals in putting on the
contest.  Some have already started providing writeups.  Minga and
I will discuss w/you more offlist.

> 1. Didn't you promise to release a ruleset for actual use when
> attacking real-world passwords?  So far, you've only released these
> snippets that you used to generate the passwords.  Only a subset of
> them are candidates for inclusion in an actual-use ruleset, and this
> needs more work (as you correctly propose).

Actually, it's the other way around.  The majority of the rules we just
released predated any inkling of doing a contest.  They've been
developed over some years precisely because they were effective cracking
passwords during corporate audits.  We then turned around and (after any
needed sanitizing) were used to create the majority of the plaintexts
used for the challenge.

> 2. Your use of the preprocessor is minimal.  The ruleset can be made a

Guilty!  The rules, and more importantly our brain's way of thinking up
rules, lags behind the preprocessor's features/capabilities by a wide
margin.  We definitely need to fold down / rewrite a bunch of rules to
make better use of it.  Thank you for the examples ;)

-- 

Hank Leininger <hlein@...elogic.com>
BE5D FCCA 673B D18B 98A9  3175 896E 3D4A 1B4D C5AC

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.