Security Basics mailing list archives
RE: ADS Password Storage Protection-$100 reward to crack my password hashes
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Mon, 17 Jul 2006 20:51:18 -0400
$100 Contest Challenge Below (so keep reading): -------------------------- I password crack for a living. If you can find a fast 15-character password hash cracker, please let me know the tool and technique. I know the theoretical technique...dictionary attack tool that uses words as characters and do character substitution using words instead of letters when doing a dictionary attack. At 15-characters, 99.999% of users won't use a complete dictionary word, so direct dictionary attacking is out. Most users will use one or more dictionary words. Most words will be small (e.g. I, the, me, free, etc.), so entropy will be small. (Dr. J of Microsoft has done an excellent paper on this idea-although his conclusion is that moderately long passphrases are no better than short complex passwords-something I disagree with.) But there aren't any publicly available tools (John the Ripper can be configured to do it though) for word-for-character substitution at the moment. Plus at 15 characters, users may will throw in non-words or complexity in their passphrase. As long as the attacker does know that you use full words only and zero complexity, they would have to guess all characters, and at 15 characters it becomes non-trivial to crack. CHALLENGES: Tell you what, let's do a test, with three challenges: Challenge #1 (Complexity at 10 characters) for the first person to email me the plaintext equivalent to the following NT hashes: Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04 Clues Normal Password Cracker Would Not Have: 1. It's 10 characters long exactly 2. Contains no words contained in the English dictionary, but is based upon two words that have been "license-plated" (i.e. hybrid attack is needed) 3. Moderate complexity, but nothing beyond alpha letters and numbers. Prize for Challenge #1: 1. Your name in my InfoWorld column 2. A free copy of my book, Honeypots for Windows (Apress, 2005) --- Challenge #2 (15 characters long, no complexity) for the first person to email me the plaintext equivalent to: Harder Challenge: 7B1FC86A9CD8955963E3930C42F4226F Clues Normal Password Cracker Would Not Have: 1. It's exactly fifteen characters long 2. Contains one or more words contained in the English dictionary 3. Absolutely no complexity. Prize for Challenge #2 for the first person to email me the plaintext equivalent 1. Your name in my InfoWorld column 2. A free copy of my latest book, Professional Windows Desktop and Server Hardening (WROX, 2006) --- Challenge #3 (15 characters or longer, some complexity) for the first person to email me the plaintext equivalent to: Hardest Challenge: 4475BCB3B66320BF289D5475C7016A81 Clues Normal Password Cracker Would Not Have: 1. It's fifteen characters or longer 2. Contains one or more words contained in the English dictionary 3. Some minor complexity. Prize for Challenge #3 for the first person to email me the plaintext equivalent 1. Your name in my InfoWorld column 2. $100 out of my pocket (my wife is going to love me) 3. A free copy of my latest book, Professional Windows Desktop and Server Hardening (WROX, 2006) 4. A free copy of my next sole author book, Windows Vista Security: Preventing Malicious Attacks (Wiley, 2007), when it comes out. (or you can substitute any of these books for my latest co-author book, MCSE Core Electives in a Nutshell (O'Reilly, late 2006) when it comes out. ------ Rules: 1. I solely determine winners and all rules 2. You can only claim one challenge prize. Send me the passwords if you break them, but if you win both challenges #1 and #2, I'll give you all the prizes listed in #2, but I'll give prizes in #1 to the next closest winner. All password hashes can easily be cracked with the right tool and dictionary. I expect the first challenge to be cracked first. I suspect all three can be cracked. In the real world, the attacker would not be given the clues I have given. But I want readers to understand how hard this would be to do even if you had all the clues a real cracker would need to begin the attack. This is proof of concept of password length over complexity. If someone breaks Challenges #2 or #3 before #1, I'll know I'm wrong. Have fun and enjoy. -----Original Message----- From: Gregory Rubin [mailto:grrubin () gmail com] Sent: Monday, July 17, 2006 5:43 PM To: Roger A. Grimes Cc: eric.baechle () dhs gov; security-basics () securityfocus com Subject: Re: ADS Password Storage Protection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 While I agree that length is far superior to complexity, I must disagree that 15 char is sufficient. (Pure theory to follow) Each additional letter in English provides approximately 1.1 bits of entropy. Even grossly overestimating this at 2 bits, the total entropy of a 15 char passphrase is only 30 bits or the equivelent of a complex password of length 3 to 4. Thus, the passphrase remains vulnerable to dictionary attacks. For secure systems, the user should type a sentance. That will easily provide around 20 or more characters. At that length, the entropy at the word level (as opposed to just the letter) starts to really come into play and the pass phrase becomes secure. For administrators, it doesn't even need to be much longer, but they could throw in a little complexity as they are likely to be more competant. For low security systems, the users are going to pick weak stuff no matter what, so is it worth the added inconvience? Greg P.S. Signed with a 40+ char pass-phrase. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) - WinPT 0.11.9 iD8DBQFEvAR15KDU23nQpRcRAo8NAKC6zl2Y0IhsInZmaH0wec6nGZuzQwCg5jWq UzR9jOPNsVbLXPjA2Lncaz4= =81Gb -----END PGP SIGNATURE----- --------------------------------------------------------------------------- This list is sponsored by: SensePost Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we're about, visit us at: http://www.sensepost.com/training.html ---------------------------------------------------------------------------
Current thread:
- RE: ADS Password Storage Protection, (continued)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 24)
- RE: ADS Password Storage Protection Pranav Lal (Jul 24)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 24)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 17)
- RE: ADS Password Storage Protection Baechle, Eric (Jul 17)
- Re: ADS Password Storage Protection Gregory Rubin (Jul 18)
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes Roger A. Grimes (Jul 18)
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes Donald N Kenepp (Jul 19)
- RE: ADS Password Storage Protection-4 Books for 4 Characters dave kleiman (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 18)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)