Message-ID: <4D55DC1E.4010108@16systems.com>
Date: Fri, 11 Feb 2011 20:02:22 -0500
From: Brad Tilley <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: Crack Me If You Can 2011 (was Wordlists..)

On 02/11/2011 04:20 PM, Matt Weir wrote:
> Hey Minga,
> Thanks once again for deciding to run the contest another year!
> Considering this will be CMiYC Version 2.0, I'd like to make a couple
> of suggestions while the contest is still in the planning stages.
>
> I really appreciated the fact that KoreLogic decided to spice things
> up by simulating corporate passwords vs. what we've all seen in
> web-based password disclosures. I think it spurred a lot of thought
> and discussion about the mangling rules that we all use. I'd actually
> like to see that taken to the next level with an emphasis on targeting
> common corporate password creation policies this year. More
> specifically I think it would be neat if the passwords were organized
> into groups based on different password creation policies. In
> addition, the passwords could be worth different values depending on
> which policy they belonged to. For example:
>
> No policy: 1 point
> 8+ chars, at least 1 non-lower alpha: 2 points
> 7+ chars, 1 of each char type: 4 points
> 14+ chars, 1 of each char type: 8 points
> 21+ chars: 16 points.

This is a great idea Matt. Many places I've worked with (that enforce
password complexity) require 3 of the 4 main sets and a minimum of 8 in
length... Where the 4 sets are:

1. Lower alpha (a-z)
2. Upper alpha (A-Z)
3. numbers
4. special chars

PCI DSS requires password length of 7, alpha and numeric chars, nothing
more. So "soccer1" would meet the PCI DSS requirements today... lame I
know. ;) Minga could make a set of PCI-DSS acceptable passwords (which
all would be cracked right away) and maybe people responsible for
setting these standards would see the results and raise the bar a bit.

The contest last year was loads of fun (even though I did not score that
high with my homemade software). I'm looking forward to doing it again.
It would be cool if this became a DEFCON tradition!

Brad

> This would make it worthwhile to target those 21+ character passwords
> rather than just focusing on the low hanging fruit. What's more
> important though is that I think the results of the contest would be
> of interest to the rest of the security community vs just us involved
> in password cracking. At Shmoocon, Mudge referenced last year's
> contest and talked about how attacking 14 character passwords was
> feasible. Let's see how that works out in practice. While it might be
> possible that these stronger policies result in uncrackable passwords,
> (Hey anything is possible), I think a much more likely outcome is that
> the various groups will tear through them.
>
> My other suggestion is that I'd really like to see more information
> about the target hashes posted well in advance of the contest. While
> there is a lot of excitement in not knowing what you'll find, (much
> like a real pen-test), from a tool development perspective it's much
> easier to write scripts to target a particular password creation
> policy when you haven't been out all night partying in Vegas ;). Keep
> the actual hashes secret until the contest starts, but if you released
> info such as:
>
> 5k NTLM hashes - No policy
> 5k Sha1 hashes - 8+ chars
> 5k MD5 hashes - 7+ chars, 1 of each char type
> 500 Blowfish hashes - created with pwgen
> 500 NTLM hashes - 21+ chars
> ...
>
> it would let teams plan their strategies and tune their tools
> beforehand. A great example of this, some of the other users on this
> list discovered serious weaknesses with pwgen, but not until long
> after the contest was completed. If we had a heads up, that would
> really spur some last minute tool development and research.
>
> Thanks once again,
>
> Matt Weir
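Added example (not code from the thread, the contest, or either poster): a small Python script that buckets plaintexts by the policy tiers Matt proposes and checks them against the PCI DSS and "3 of 4 sets, 8+ chars" rules as Brad describes them. It reads john.pot-style `hash:plaintext` lines and tallies points per tier, which is the sort of scoring helper a team would want before a contest with per-policy values. Assumptions, all mine: the tiers overlap, so a password is scored at the highest tier it satisfies; "at least 1 non-lower alpha" is read as "at least one character that is not a lowercase letter"; the pot lines and hash fields are constructed placeholders, not real digests.

```python
"""Bucket cracked passwords by the creation-policy tiers proposed in the thread.

Added example, not code from the contest or from either poster. The tier list
and point values are the ones in Matt's message; the PCI DSS and 3-of-4 checks
follow Brad's description of those rules. The pot lines below are constructed
placeholders in john.pot layout (hash:plaintext); the hash fields are not real.
"""
import string
from collections import Counter

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGIT = set(string.digits)


def char_classes(pw):
    """Which of the four classes (lower, upper, digit, special) appear in pw."""
    classes = set()
    for c in pw:
        if c in LOWER:
            classes.add("lower")
        elif c in UPPER:
            classes.add("upper")
        elif c in DIGIT:
            classes.add("digit")
        else:
            classes.add("special")  # anything else, including space and non-ASCII
    return classes


def meets_pci_dss(pw):
    """PCI DSS as described in the post: 7+ chars, at least one alpha and one numeric."""
    cls = char_classes(pw)
    return len(pw) >= 7 and bool(cls & {"lower", "upper"}) and "digit" in cls


def meets_three_of_four(pw, min_len=8):
    """The corporate rule Brad mentions: min_len+ chars drawn from 3 of the 4 sets."""
    return len(pw) >= min_len and len(char_classes(pw)) >= 3


def policy_points(pw):
    """Points for pw under Matt's proposed tiers.

    The tiers overlap (anything meeting "14+, all types" also meets "7+, all
    types"), so the highest satisfied tier wins. "At least 1 non-lower alpha"
    is read here as "at least one character that is not a lowercase letter";
    both readings are assumptions of this example, not the thread's.
    """
    n, cls = len(pw), char_classes(pw)
    all_four = len(cls) == 4
    if n >= 21:
        return 16
    if n >= 14 and all_four:
        return 8
    if n >= 7 and all_four:
        return 4
    if n >= 8 and cls != {"lower"}:
        return 2
    return 1


def score_pot(pot_text):
    """Tally points per tier over john.pot-style text (one hash:plaintext per line).

    Splits on the first ':' only, so plaintexts that themselves contain ':'
    survive intact. Returns (Counter of tier -> count, total points).
    """
    per_tier = Counter()
    total = 0
    for line in pot_text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        _hash, plain = line.split(":", 1)
        pts = policy_points(plain)
        per_tier[pts] += 1
        total += pts
    return per_tier, total


# Constructed sample in john.pot layout; the hash fields are placeholders.
SAMPLE_POT = """\
$NT$placeholder01:password
$NT$placeholder02:soccer1
$NT$placeholder03:Soccer1!
$NT$placeholder04:Pa55w0rd!
$NT$placeholder05:pass:word1!
$NT$placeholder06:Tr0ub4dor&3Tr0ub4dor
$NT$placeholder07:correct-horse-battery-9
"""

if __name__ == "__main__":
    for line in SAMPLE_POT.splitlines():
        plain = line.split(":", 1)[1]
        print(f"{plain:24} PCI={meets_pci_dss(plain)!s:5} "
              f"3of4={meets_three_of_four(plain)!s:5} points={policy_points(plain)}")
    print(score_pot(SAMPLE_POT))
```

Running it on the constructed sample makes Brad's point concrete: "soccer1" passes the PCI DSS check but fails 3-of-4 and scores only 1 point, while a 23-character all-lowercase-plus-hyphen passphrase scores 16 under the "21+ chars" tier without containing an uppercase letter at all. Swap `SAMPLE_POT` for the contents of a real john.pot to score your own cracks.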