[<prev] [next>] [day] [month] [year] [list]
Message-ID: <096A04F511B7FD4995AE55F13824B833197A79@banneretcs1.local.banneretcs.com>
Date: Mon, 17 Jul 2006 21:07:34 -0400
From: "Roger A. Grimes" <roger@...neretcs.com>
To: <bugtraq@...urityfocus.com>
Subject: $100 plus several of my books if you can crack my Windows password hashes.
I've been participating in an online thread discussing password
complexity versus length. I say forget complexity and go for length.
Many others feel complexity is the way to go. So to put my money where
my mouth is, I'm sponsoring a contest:
CHALLENGES:
Let's do a test, with three challenges:
Challenge #1 (Complexity at 10 characters) for the first person to email
me the plaintext equivalent to the following NT hashes:
Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04
Clues Normal Password Cracker Would Not Have:
1. It's 10 characters long exactly
2. Contains no words contained in the English dictionary, but is based
upon two words that have been "license-plated" (i.e. hybrid attack is
needed) 3. Moderate complexity, but nothing beyond alpha letters and
numbers.
Prize for Challenge #1:
1. Your name in my InfoWorld column
2. A free copy of my book, Honeypots for Windows (Apress, 2005)
---
Challenge #2 (15 characters long, no complexity) for the first person to
email me the plaintext equivalent to:
Harder Challenge: 7B1FC86A9CD8955963E3930C42F4226F
Clues Normal Password Cracker Would Not Have:
1. It's exactly fifteen characters long
2. Contains one or more words contained in the English dictionary 3.
Absolutely no complexity.
Prize for Challenge #2 for the first person to email me the plaintext
equivalent
1. Your name in my InfoWorld column
2. A free copy of my latest book, Professional Windows Desktop and
Server Hardening (WROX, 2006)
---
Challenge #3 (15 characters or longer, some complexity) for the first
person to email me the plaintext equivalent to:
Hardest Challenge: 4475BCB3B66320BF289D5475C7016A81
Clues Normal Password Cracker Would Not Have:
1. It's fifteen characters or longer
2. Contains one or more words contained in the English dictionary
3. Some minor complexity.
Prize for Challenge #3 for the first person to email me the plaintext
equivalent
1. Your name in my InfoWorld column
2. $100 out of my pocket (my wife is going to love me) 3. A free copy of
my latest book, Professional Windows Desktop and Server Hardening (WROX,
2006)
4. A free copy of my next sole author book, Windows Vista Security:
Preventing Malicious Attacks (Wiley, 2007), when it comes out.
(or you can substitute any of these books for my latest co-author book,
MCSE Core Electives in a Nutshell (O'Reilly, late 2006) when it comes
out.
------
Rules:
1. I solely determine winners and all rules
2. You can only claim one challenge prize. Send me the passwords if you
break them, but if you win both challenges #1 and #2, I'll give you all
the prizes listed in #2, but I'll give prizes in #1 to the next closest
winner.
All password hashes can easily be cracked with the right tool and
dictionary. I expect the first challenge to be cracked first. I suspect
all three can be cracked. In the real world, the attacker would not be
given the clues I have given. But I want readers to understand how hard
this would be to do even if you had all the clues a real cracker would
need to begin the attack.
This is proof of concept of password length over complexity. If someone
breaks Challenges #2 or #3 before #1, I'll know I'm wrong.
Have fun and enjoy.
Roger
*******************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@...neretcs.com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*******************************************************************
Powered by blists - more mailing lists