Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 11 Feb 2011 20:02:22 -0500
From: Brad Tilley <>
Subject: Re: Crack Me If You Can 2011 (was Wordlists..)

On 02/11/2011 04:20 PM, Matt Weir wrote:
> Hey Minga,
>     Thanks once again for deciding to run the contest another year!
> Considering this will be CMiYC Version 2.0, I'd like to make a couple
> of suggestions while the contest is still in the planning stages.
> I really appreciated the fact that KoreLogic decided to spice things
> up by simulating corporate passwords vs. what we've all see in
> web-based password disclosures. I think it spurred a lot of thought
> and discussion about the mangling rules that we all use. I'd actually
> like to see that taken to the next level with an emphasis on targeting
> common corporate password creation policies this year. More
> specifically I think it would be neat if the passwords were organized
> into groups based on different password creation policies. In
> addition, the passwords could be worth different values depending on
> which policy they belonged to. For example:
> No policy: 1 point
> 8+ chars, at least 1 non-lower alpha: 2 points
> 7+ chars, 1 of each char type: 4 points
> 14+ chars, 1 of each char type: 8 points
> 21+ chars: 16 points.

This is a great idea Matt. Many places I've worked with (that enforce
password complexity) require 3 of the 4 main sets and a minimum of 8 in
length... Where the 4 sets are:

1. Lower alpha (a-z)
2. Upper alpha (A-Z)
3. numbers
4. special chars

PCI DSS requires password length of 7, alpha and numeric chars, nothing
more. So "soccer1" would meet the PCI DSS requirements today... lame I
know. ;) Minga could make a set of PCI-DSS acceptable passwords (which
all would be cracked right away) and maybe people responsible for
setting these standards would see the results and raise the bar a bit.

The contest last year was loads of fun (even tho I did not score that
high with my homemade software). I'm looking forward to doing it again.
It would be cool if this became a DEFCON tradition!


> This would make it worthwhile to target those 21+ character passwords
> rather than just focusing on the low hanging fruit. What's more
> important though is that I think the results of the contest would be
> of interest to the rest of the security community vs just us involved
> in password cracking. At Shmoocon, Mudge referenced last year's
> contest and talked about how attacking 14 character passwords was
> feasible. Let's see how that works out in practice. While it might be
> possible that these stronger policies result in uncrackable passwords,
> (Hey anything is possible), I think a much more likely outcome is that
> the various groups will tear through them.
> My other suggestion is that I'd really like to see more information
> about the target hashes posted well in advance of the contest. While
> there is a lot of excitement in not knowing what you'll find, (much
> like a real pen-test), from a tool development perspective it's much
> easier to write scripts to target a particular password creation
> policy when you haven't been out all night partying in Vegas ;). Keep
> the actual hashes secret until the contest starts, but if you released
> info such as:
> 5k NTLM hashes - No policy
> 5k Sha1 hashes - 8+ chars
> 5k MD5 hashes - 7+ chars, 1 of each char type
> 500 Blowfish hashes - created with pwgen
> 500 NTLM hashes - 21+ chars
> ...
> it would let teams plan their strategies and tune their tools
> beforehand. A great example of this, some of the other users on this
> list discovered serious weaknesses with pwgen, but not until long
> after the contest was competed. If we had a heads up, that would
> really spur some last minute tool development and research.
> Thanks once again,
> Matt Weir

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.