Date: Fri, 11 Feb 2011 20:02:22 -0500
From: Brad Tilley <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: Crack Me If You Can 2011 (was Wordlists..)

On 02/11/2011 04:20 PM, Matt Weir wrote:
> Hey Minga,
>     Thanks once again for deciding to run the contest another year!
> Considering this will be CMiYC Version 2.0, I'd like to make a couple
> of suggestions while the contest is still in the planning stages.
> 
> I really appreciated the fact that KoreLogic decided to spice things
> up by simulating corporate passwords vs. what we've all seen in
> web-based password disclosures. I think it spurred a lot of thought
> and discussion about the mangling rules that we all use. I'd actually
> like to see that taken to the next level with an emphasis on targeting
> common corporate password creation policies this year. More
> specifically I think it would be neat if the passwords were organized
> into groups based on different password creation policies. In
> addition, the passwords could be worth different values depending on
> which policy they belonged to. For example:
> 
> No policy: 1 point
> 8+ chars, at least 1 non-lower alpha: 2 points
> 7+ chars, 1 of each char type: 4 points
> 14+ chars, 1 of each char type: 8 points
> 21+ chars: 16 points.

This is a great idea Matt. Many places I've worked with (that enforce
password complexity) require 3 of the 4 main sets and a minimum of 8 in
length... Where the 4 sets are:

1. Lower alpha (a-z)
2. Upper alpha (A-Z)
3. numbers
4. special chars

PCI DSS requires password length of 7, alpha and numeric chars, nothing
more. So "soccer1" would meet the PCI DSS requirements today... lame I
know. ;) Minga could make a set of PCI-DSS acceptable passwords (which
all would be cracked right away) and maybe people responsible for
setting these standards would see the results and raise the bar a bit.

The contest last year was loads of fun (even though I did not score that
high with my homemade software). I'm looking forward to doing it again.
It would be cool if this became a DEFCON tradition!

Brad

> This would make it worthwhile to target those 21+ character passwords
> rather than just focusing on the low hanging fruit. What's more
> important though is that I think the results of the contest would be
> of interest to the rest of the security community vs just us involved
> in password cracking. At Shmoocon, Mudge referenced last year's
> contest and talked about how attacking 14 character passwords was
> feasible. Let's see how that works out in practice. While it might be
> possible that these stronger policies result in uncrackable passwords,
> (Hey anything is possible), I think a much more likely outcome is that
> the various groups will tear through them.
> 
> My other suggestion is that I'd really like to see more information
> about the target hashes posted well in advance of the contest. While
> there is a lot of excitement in not knowing what you'll find, (much
> like a real pen-test), from a tool development perspective it's much
> easier to write scripts to target a particular password creation
> policy when you haven't been out all night partying in Vegas ;). Keep
> the actual hashes secret until the contest starts, but if you released
> info such as:
> 
> 5k NTLM hashes - No policy
> 5k Sha1 hashes - 8+ chars
> 5k MD5 hashes - 7+ chars, 1 of each char type
> 500 Blowfish hashes - created with pwgen
> 500 NTLM hashes - 21+ chars
> ...
> 
> it would let teams plan their strategies and tune their tools
> beforehand. A great example of this, some of the other users on this
> list discovered serious weaknesses with pwgen, but not until long
> after the contest was completed. If we had a heads up, that would
> really spur some last minute tool development and research.
> 
> Thanks once again,
> 
> Matt Weir
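As an added illustration (not code from this thread or from KoreLogic), the three policies discussed above, Matt's tiered scoring, Brad's "3 of 4 sets, 8+ length" corporate baseline, and the PCI DSS "7+ chars, alpha and numeric" floor, written as a small policy classifier. It assumes "1 non-lower alpha" means any character outside a-z, and uses constructed sample passwords.

```python
import string

# The "4 main sets" from Brad's message; anything else (spaces, non-ASCII) counts toward none.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_present(pw):
    """Return the names of the character classes that occur at least once in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def meets_pci_dss(pw):
    """PCI DSS as summarised in the thread: 7+ characters, at least one letter and one digit."""
    present = classes_present(pw)
    return len(pw) >= 7 and "digit" in present and bool(present & {"lower", "upper"})


def meets_corporate(pw):
    """Brad's typical corporate policy: 8+ characters drawn from at least 3 of the 4 sets."""
    return len(pw) >= 8 and len(classes_present(pw)) >= 3


def cmiyc_points(pw):
    """Matt's proposed tiers, checked strongest first so a password earns its highest tier.

    Assumption: "1 non-lower alpha" is read as any character outside a-z."""
    n = len(pw)
    present = classes_present(pw)
    all_four = len(present) == 4
    if n >= 21:
        return 16
    if n >= 14 and all_four:
        return 8
    if n >= 7 and all_four:
        return 4
    if n >= 8 and present - {"lower"}:
        return 2
    return 1


def evaluate(pw):
    """Bundle the three checks so a candidate set can be bucketed in one pass."""
    return {"pci_dss": meets_pci_dss(pw), "corporate": meets_corporate(pw), "points": cmiyc_points(pw)}


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any contest.
    for pw in ["soccer1", "password", "Password", "Soccer1!", "Tr0ub4dor&3xam", "correct horse battery staple"]:
        print(f"{pw!r:32} {evaluate(pw)}")
```

Running it shows why Brad calls the PCI DSS floor lame: "soccer1" passes PCI DSS while failing the corporate baseline and landing in the lowest-value tier.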
