Home page logo
/

bugtraq logo Bugtraq mailing list archives

$100 plus several of my books if you can crack my Windows password hashes.
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Mon, 17 Jul 2006 21:07:34 -0400

 
I've been participating in an online thread discussing password
complexity versus length. I say forget complexity and go for length.
Many others feel complexity is the way to go. So to put my money where
my mouth is, I'm sponsoring a contest:

CHALLENGES:
Let's do a test, with three challenges:

Challenge #1 (Complexity at 10 characters) for the first person to email
me the plaintext equivalent to the following NT hashes:

Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04

Clues Normal Password Cracker Would Not Have:
1. It's 10 characters long exactly
2. Contains no words contained in the English dictionary, but is based
upon two words that have been "license-plated" (i.e. hybrid attack is
needed) 3. Moderate complexity, but nothing beyond alpha letters and
numbers.

Prize for Challenge #1: 
1. Your name in my InfoWorld column
2. A free copy of my book, Honeypots for Windows (Apress, 2005)
---

Challenge #2 (15 characters long, no complexity) for the first person to
email me the plaintext equivalent to:

Harder Challenge: 7B1FC86A9CD8955963E3930C42F4226F

Clues Normal Password Cracker Would Not Have:
1. It's exactly fifteen characters long
2. Contains one or more words contained in the English dictionary 3.
Absolutely no complexity.

Prize for Challenge #2 for the first person to email me the plaintext
equivalent 
1. Your name in my InfoWorld column 
2. A free copy of my latest book, Professional Windows Desktop and
Server Hardening (WROX, 2006)
---

Challenge #3 (15 characters or longer, some complexity) for the first
person to email me the plaintext equivalent to:
Hardest Challenge: 4475BCB3B66320BF289D5475C7016A81

Clues Normal Password Cracker Would Not Have:
1. It's fifteen characters or longer
2. Contains one or more words contained in the English dictionary 
3. Some minor complexity.

Prize for Challenge #3 for the first person to email me the plaintext
equivalent 
1. Your name in my InfoWorld column 
2. $100 out of my pocket (my wife is going to love me) 3. A free copy of
my latest book, Professional Windows Desktop and Server Hardening (WROX,
2006) 
4. A free copy of my next sole author book, Windows Vista Security:
Preventing Malicious Attacks (Wiley, 2007), when it comes out.
(or you can substitute any of these books for my latest co-author book,
MCSE Core Electives in a Nutshell (O'Reilly, late 2006) when it comes
out.

------
Rules:
1. I solely determine winners and all rules 
2. You can only claim one challenge prize. Send me the passwords if you
break them, but if you win both challenges #1 and #2, I'll give you all
the prizes listed in #2, but I'll give prizes in #1 to the next closest
winner.

All password hashes can easily be cracked with the right tool and
dictionary. I expect the first challenge to be cracked first. I suspect
all three can be cracked. In the real world, the attacker would not be
given the clues I have given. But I want readers to understand how hard
this would be to do even if you had all the clues a real cracker would
need to begin the attack. 

This is proof of concept of password length over complexity. If someone
breaks Challenges #2 or #3 before #1, I'll know I'm wrong.

Have fun and enjoy.

Roger

*******************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*******************************************************************


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]