Password-cracking contest proves theory
- 03 June, 2007 22:00
The password hacking contest I started 10 months ago is two-thirds over. We have a winner for the second of three hash challenges... I just don’t know who that person is.
On July 17, 2006, I challenged Security Adviser blog readers to a password hash cracking contest. The prizes were nominal (US$100 and free copies of my books), but the main challenge was to prove my password theories wrong and to live on in infamy through internet blogs (yeah, right, Roger).
I proposed that shorter, so-called “complex” passwords were easier to break than less complex, longer passwords. I know this to be true because I frequently password crack for a living, and I know that most people’s “complex” passwords aren’t really that complex. When told to pick complex passwords, 80% of all end-users will use the same complexity tricks, such as:
• Most passwords will match the minimum password length (or one character longer), normally six to eight characters.
• Upper case letters will be at the beginning, and will usually be a consonant, followed by a lower case vowel.
• The vowels a, e, or o will be highly represented in the password population (greater than a 50% chance).
• If a number is used, it will be a 1 or a 2.
I maintain that length is a better computational protector of password confidentiality than complexity, because true complexity is not easily enforced. And if it is enforced, most users will revolt, frequently forget passwords, or write them down. So if we can’t guarantee complexity, length is a better protector.
I repeated the contest challenge in my Security Adviser column on July 21, 2006. My assertion was further backed up by my November 2006 MySpace password analysis (which was also analysed by Bruce Schneier). This is only one analysis, but I’ve been involved with nearly a hundred others and none have contradicted me.
The contest provided three Windows NT password hashes of varying length and complexity. The easy challenge represented a 10-character password with common “licence plating” complexity. The second challenge was a 15-character password with one or more English words and no complexity. The third challenge was a 15-character password with one or more English words and minor complexity.
I’ve had over 3,000 guesses since posting the challenge, but only two right answers. On November 10, 2006, I revealed that Anthony Adamo of Colorado had broken the first password by successfully computing that the password was S10wDr1v3r.
Guesses as to the second and third password puzzles continued to come in daily. There is at least one university using distributed computing to solve the second and third challenges. I’m still surprised by how many people submit guesses that, when hashed, don’t come close to the original hashes.
Lots of password cracker wannabes complain that I don’t use real Windows password hashes (I do, they’re just not LM hashes) or that I chose passwords that can’t be cracked by existing rainbow tables. Yes, and your point is?
A successful answer to the first challenge took nearly four months. Initially, I expected all three challenges to fall in several weeks. I had already provided clues that no password cracker would ever have in real life (that is, English words only, little to no complexity).
The answer to the second challenge came in an anonymous response. Days after I first announced the contest, someone emailed me to ask if I would take anonymous contributions. I thought about it and replied yes. The emailer said they worked with one of our government’s three-letter agencies and that they had met me before (I frequently teach to those agencies). To this day, I don’t know who this person is or what they used to crack the second password challenge, but the answer was right.
The second password challenge answer is: myengagingwives.
To the winner: to collect your prize, simply show up at any class or presentation I do this year and tell me the “secret quote” I sent you in my email reply. I’ll be speaking in DC many times this year (as always) and I’ll be in New York on June 26 at the InfoWorld Enterprise Data Protection Executive Forum.