Security Adviser | Roger A. Grimes » Win money and books for cracking my Windows password hashes!

July 17, 2006 | Comments: (0)

Win money and books for cracking my Windows password hashes!

TAGS: None

$100 plus several of my books if you can crack my Windows password hashes.

I've been participating in an online thread discussing password complexity versus length. I say forget complexity and go for length. Many others feel complexity is the way to go. So to put my money where my mouth is, I'm sponsoring a contest:

CHALLENGES:
Let's do a test, with three challenges:

Challenge #1 (Complexity at 10 characters) for the first person to email me the plaintext equivalent to the following NT hashes:

Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04

Clues Normal Password Cracker Would Not Have:
1. It's 10 characters long exactly
2. Contains no words contained in the English dictionary, but is based upon two words that have been "license-plated" (i.e. hybrid attack is needed)
3. Moderate complexity, but nothing beyond alpha letters and numbers.

Prize for Challenge #1:
1. Your name in my InfoWorld column
2. A free copy of my book, Honeypots for Windows (Apress, 2005)
---

Challenge #2 (15 characters long, no complexity) for the first person to email me the plaintext equivalent to:

Harder Challenge: 7B1FC86A9CD8955963E3930C42F4226F

Clues Normal Password Cracker Would Not Have:
1. It's exactly fifteen characters long
2. Contains one or more words contained in the English dictionary
3. Absolutely no complexity.

Prize for Challenge #2 for the first person to email me the plaintext equivalent
1. Your name in my InfoWorld column
2. A free copy of my latest book, Professional Windows Desktop and Server Hardening (WROX, 2006)
---

Challenge #3 (15 characters or longer, some complexity) for the first person to email me the plaintext equivalent to:
Hardest Challenge: 4475BCB3B66320BF289D5475C7016A81

Clues Normal Password Cracker Would Not Have:
1. It's fifteen characters or longer
2. Contains one or more words contained in the English dictionary
3. Some minor complexity.

Prize for Challenge #3 for the first person to email me the plaintext equivalent
1. Your name in my InfoWorld column
2. $100 out of my pocket (my wife is going to love me)
3. A free copy of my latest book, Professional Windows Desktop and Server Hardening (WROX, 2006)
4. A free copy of my next sole author book, Windows Vista Security: Preventing Malicious Attacks (Wiley, 2007), when it comes out.
(or you can substitute any of these books for my latest co-author book, MCSE Core Electives in a Nutshell (O'Reilly, late 2006) when it comes out.

------
Rules:
1. I solely determine winners and all rules
2. You can only claim one challenge prize. Send me the passwords if you break them, but if you win both challenges #1 and #2, I'll give you all the prizes listed in #2, but I'll give prizes in #1 to the next closest winner.

All password hashes can easily be cracked with the right tool and dictionary. I expect the first challenge to be cracked first. I suspect all three can be cracked. In the real world, the attacker would not be given the clues I have given. But I want readers to understand how hard this would be to do even if you had all the clues a real cracker would need to begin the attack.

This is proof of concept of password length over complexity. If someone breaks Challenges #2 or #3 before #1, I'll know I'm wrong.

Have fun and enjoy.

Posted by Roger Grimes on July 17, 2006 05:54 PM

RATE THIS ARTICLE: