Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Feb 2011 16:20:29 -0500
From: Matt Weir <>
Subject: Crack Me If You Can 2011 (was Wordlists..)

Hey Minga,
    Thanks once again for deciding to run the contest another year!
Considering this will be CMiYC Version 2.0, I'd like to make a couple
of suggestions while the contest is still in the planning stages.

I really appreciated the fact that KoreLogic decided to spice things
up by simulating corporate passwords vs. what we've all see in
web-based password disclosures. I think it spurred a lot of thought
and discussion about the mangling rules that we all use. I'd actually
like to see that taken to the next level with an emphasis on targeting
common corporate password creation policies this year. More
specifically I think it would be neat if the passwords were organized
into groups based on different password creation policies. In
addition, the passwords could be worth different values depending on
which policy they belonged to. For example:

No policy: 1 point
8+ chars, at least 1 non-lower alpha: 2 points
7+ chars, 1 of each char type: 4 points
14+ chars, 1 of each char type: 8 points
21+ chars: 16 points.

This would make it worthwhile to target those 21+ character passwords
rather than just focusing on the low hanging fruit. What's more
important though is that I think the results of the contest would be
of interest to the rest of the security community vs just us involved
in password cracking. At Shmoocon, Mudge referenced last year's
contest and talked about how attacking 14 character passwords was
feasible. Let's see how that works out in practice. While it might be
possible that these stronger policies result in uncrackable passwords,
(Hey anything is possible), I think a much more likely outcome is that
the various groups will tear through them.

My other suggestion is that I'd really like to see more information
about the target hashes posted well in advance of the contest. While
there is a lot of excitement in not knowing what you'll find, (much
like a real pen-test), from a tool development perspective it's much
easier to write scripts to target a particular password creation
policy when you haven't been out all night partying in Vegas ;). Keep
the actual hashes secret until the contest starts, but if you released
info such as:

5k NTLM hashes - No policy
5k Sha1 hashes - 8+ chars
5k MD5 hashes - 7+ chars, 1 of each char type
500 Blowfish hashes - created with pwgen
500 NTLM hashes - 21+ chars

it would let teams plan their strategies and tune their tools
beforehand. A great example of this, some of the other users on this
list discovered serious weaknesses with pwgen, but not until long
after the contest was competed. If we had a heads up, that would
really spur some last minute tool development and research.

Thanks once again,

Matt Weir

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.