Message-ID: <20060718231408.GA9915@openwall.com>
Date: Wed, 19 Jul 2006 03:14:08 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Fwd: $100 plus several of my books if you can crack my Windows password hashes.

This could be fun.

----- Forwarded message from "Roger A. Grimes" <roger@...neretcs.com> -----

Subject: $100 plus several of my books if you can crack my Windows password hashes.
Date: Mon, 17 Jul 2006 21:07:34 -0400
From: "Roger A. Grimes" <roger@...neretcs.com>
To: <bugtraq@...urityfocus.com>

I've been participating in an online thread discussing password complexity versus length. I say forget complexity and go for length. Many others feel complexity is the way to go. So to put my money where my mouth is, I'm sponsoring a contest:

CHALLENGES:

Let's do a test, with three challenges:

Challenge #1 (Complexity at 10 characters) for the first person to email me the plaintext equivalent to the following NT hashes:

Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04

Clues Normal Password Cracker Would Not Have:
1. It's 10 characters long exactly
2. Contains no words contained in the English dictionary, but is based upon two words that have been "license-plated" (i.e. hybrid attack is needed)
3. Moderate complexity, but nothing beyond alpha letters and numbers.

Prize for Challenge #1:
1. Your name in my InfoWorld column
2. A free copy of my book, Honeypots for Windows (Apress, 2005)

---

Challenge #2 (15 characters long, no complexity) for the first person to email me the plaintext equivalent to:

Harder Challenge: 7B1FC86A9CD8955963E3930C42F4226F

Clues Normal Password Cracker Would Not Have:
1. It's exactly fifteen characters long
2. Contains one or more words contained in the English dictionary
3. Absolutely no complexity.

Prize for Challenge #2 for the first person to email me the plaintext equivalent
1. Your name in my InfoWorld column
2. A free copy of my latest book, Professional Windows Desktop and Server Hardening (WROX, 2006)

---

Challenge #3 (15 characters or longer, some complexity) for the first person to email me the plaintext equivalent to:

Hardest Challenge: 4475BCB3B66320BF289D5475C7016A81

Clues Normal Password Cracker Would Not Have:
1. It's fifteen characters or longer
2. Contains one or more words contained in the English dictionary
3. Some minor complexity.

Prize for Challenge #3 for the first person to email me the plaintext equivalent
1. Your name in my InfoWorld column
2. $100 out of my pocket (my wife is going to love me)
3. A free copy of my latest book, Professional Windows Desktop and Server Hardening (WROX, 2006)
4. A free copy of my next sole author book, Windows Vista Security: Preventing Malicious Attacks (Wiley, 2007), when it comes out. (or you can substitute any of these books for my latest co-author book, MCSE Core Electives in a Nutshell (O'Reilly, late 2006) when it comes out.

------

Rules:
1. I solely determine winners and all rules
2. You can only claim one challenge prize. Send me the passwords if you break them, but if you win both challenges #1 and #2, I'll give you all the prizes listed in #2, but I'll give prizes in #1 to the next closest winner.

All password hashes can easily be cracked with the right tool and dictionary. I expect the first challenge to be cracked first. I suspect all three can be cracked.

In the real world, the attacker would not be given the clues I have given. But I want readers to understand how hard this would be to do even if you had all the clues a real cracker would need to begin the attack.

This is proof of concept of password length over complexity. If someone breaks Challenges #2 or #3 before #1, I'll know I'm wrong.

Have fun and enjoy.

Roger

*******************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@...neretcs.com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*******************************************************************

----- End forwarded message -----

--
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.