Date: Mon, 2 Aug 2010 16:40:52 -0400
From: Hank Leininger <hlein@...elogic.com>
To: john-users@...ts.openwall.com
Subject: Re: contest results & ...first set of stats/rules

On 2010-08-01, Solar Designer wrote:

> First of all, Minga (and others at KoreLogic) - thank you for the
> contest!

You're welcome! We had a blast. And we have a bunch of lessons learned
to make it better if/when we do it again.

Minga will probably make a real response to a few points raised in this
& other threads once he's done travelling, but my $0.02:

> I'd appreciate more info on what each team has been using/doing -
> hardware (and cost incurred, if any), software (free or previously
> acquired, I suppose?), password cracking techniques, team management
> (e.g., what separate roles?), how many team members (and how many of

Get out of our brains ;) In this paragraph you have asked almost
exactly the questions that we are asking of any team that's willing to
talk about it (it's a requirement for being awarded a prize). We want
to see that info published (on the contest website and/or teams' own
sites/blogs), indeed it was one of our biggest goals in putting on the
contest. Some have already started providing writeups. Minga and I
will discuss w/you more offlist.

> 1. Didn't you promise to release a ruleset for actual use when
> attacking real-world passwords? So far, you've only released these
> snippets that you used to generate the passwords. Only a subset of
> them are candidates for inclusion in an actual-use ruleset, and this
> needs more work (as you correctly propose).

Actually, it's the other way around. The majority of the rules we just
released predated any inkling of doing a contest. They've been
developed over some years precisely because they were effective
cracking passwords during corporate audits. We then turned around and
(after any needed sanitizing) were used to create the majority of the
plaintexts used for the challenge.

> 2. Your use of the preprocessor is minimal. The ruleset can be made a

Guilty! The rules, and more importantly our brain's way of thinking up
rules, lags behind the preprocessor's features/capabilities by a wide
margin. We definitely need to fold down / rewrite a bunch of rules to
make better use of it. Thank you for the examples ;)

--
Hank Leininger <hlein@...elogic.com>
BE5D FCCA 673B D18B 98A9 3175 896E 3D4A 1B4D C5AC