Date: Fri, 11 Feb 2011 16:20:29 -0500 From: Matt Weir <cweir@...edu> To: john-users@...ts.openwall.com Cc: mingakore@...il.com Subject: Crack Me If You Can 2011 (was Wordlists..) Hey Minga, Thanks once again for deciding to run the contest another year! Considering this will be CMiYC Version 2.0, I'd like to make a couple of suggestions while the contest is still in the planning stages. I really appreciated the fact that KoreLogic decided to spice things up by simulating corporate passwords vs. what we've all see in web-based password disclosures. I think it spurred a lot of thought and discussion about the mangling rules that we all use. I'd actually like to see that taken to the next level with an emphasis on targeting common corporate password creation policies this year. More specifically I think it would be neat if the passwords were organized into groups based on different password creation policies. In addition, the passwords could be worth different values depending on which policy they belonged to. For example: No policy: 1 point 8+ chars, at least 1 non-lower alpha: 2 points 7+ chars, 1 of each char type: 4 points 14+ chars, 1 of each char type: 8 points 21+ chars: 16 points. This would make it worthwhile to target those 21+ character passwords rather than just focusing on the low hanging fruit. What's more important though is that I think the results of the contest would be of interest to the rest of the security community vs just us involved in password cracking. At Shmoocon, Mudge referenced last year's contest and talked about how attacking 14 character passwords was feasible. Let's see how that works out in practice. While it might be possible that these stronger policies result in uncrackable passwords, (Hey anything is possible), I think a much more likely outcome is that the various groups will tear through them. My other suggestion is that I'd really like to see more information about the target hashes posted well in advance of the contest. While there is a lot of excitement in not knowing what you'll find, (much like a real pen-test), from a tool development perspective it's much easier to write scripts to target a particular password creation policy when you haven't been out all night partying in Vegas ;). Keep the actual hashes secret until the contest starts, but if you released info such as: 5k NTLM hashes - No policy 5k Sha1 hashes - 8+ chars 5k MD5 hashes - 7+ chars, 1 of each char type 500 Blowfish hashes - created with pwgen 500 NTLM hashes - 21+ chars ... it would let teams plan their strategies and tune their tools beforehand. A great example of this, some of the other users on this list discovered serious weaknesses with pwgen, but not until long after the contest was competed. If we had a heads up, that would really spur some last minute tool development and research. Thanks once again, Matt Weir
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.