The password hacking contest I started 10 months ago is two-thirds over. We have a winner for the second of three hash challenges…I just don’t know who they are.
On July 17, 2006, I challenged Security Adviser blog readers to a password hash cracking contest. The prizes were nominal ($100 and free copies of my books), but the main challenge was to prove my password theories wrong and to live on in infamy through Internet blogs (yeah, right, Roger).
I proposed that shorter, so-called “complex” passwords were easier to break than less complex, longer passwords. I know this to be true because I frequently password crack for a living, and I know that most people’s "complex" passwords aren’t really that complex. When told to pick complex passwords, 80 percent of all end-users will use the same complexity tricks, such as:
-- Most passwords will match the minimum password length (or one character longer), normally six to eight characters.
-- Uppercase letters will be at the beginning, and will usually be a consonant, followed by a lowercase vowel.
-- The vowels a, e, or o will be highly represented in the password population (greater than a 50 percent chance).
-- If a number is used, it will be a 1 or a 2.
I maintain that length is a better computational protector of password confidentiality than complexity, because true complexity is not easily enforced. And if it is enforced, most users will revolt, frequently forget passwords, or write them down. So if we can’t guarantee complexity, length is a better protector.
I repeated the contest challenge in my Security Adviser column on July 21, 2006. My assertion was further backed up by my November 2006 MySpace password analysis (which was also analyzed by Bruce Schneier). This is only one analysis, but I’ve been involved with nearly a hundred others and none have contradicted me.
The contest provided three Windows NT password hashes of varying length and complexity. The easy challenge (0570B4C2CC734E230DE9B67C868FAE04) represented a 10-character password with common “license plating” complexity. The second challenge (7B1FC86A9CD8955963E3930C42F4226F) was a 15-character password with one or more English words and no complexity. The third challenge (4475BCB3B66320BF289D5475C7016A81) was a 15-character password with one or more English words and minor complexity.
I’ve had over 3,000 guesses since posting the challenge, but only two right answers. On November 10, 2006, I revealed that Anthony Adamo of Colorado had broken the first challenge by successfully computing that the password was S10wDr1v3r.
Guesses against the second and third challenges continued to come in daily. There is at least one university using distributed computing to solve the second and third challenges. I’m still surprised by how many people submit guesses that, when hashed, don’t come close to the original hashes. Lots of password cracker wannabes complain that I don’t use real Windows password hashes (I do, they're just not LM hashes) or that I chose passwords that could not be cracked by existing rainbow tables (yes, and your point is?).
A successful answer to the first challenge took nearly four months. Initially, I expected all three challenges to fall in several weeks. I had already provided clues that no password cracker would ever have in real life (i.e. English words only, little to no complexity).
The answer to the second challenge came in an anonymous response. Days after I first announced the contest, someone e-mailed me to ask if I would take anonymous contributions. I thought about it and replied yes. The e-mailer said they worked with one of our government’s three-letter agencies and that they had met me before (I frequently teach to those agencies). To this day, I don’t know who this person is or what they used to crack the second password challenge, but they got it right.
The second password challenge answer is myengagingwives.
To the winner: to collect your prize, simply show up at any class or presentation I do this year and tell me the “secret quote” I sent you in my e-mail reply. I’ll be speaking in DC many times this year (as always) and I’ll be in New York on June 26 at the InfoWorld Enterprise Data Protection Executive Forum.
For crackers still interested in the third challenge, I will award you the prize money and copies of all seven of my books on computer security. If you, as some of my readers have suggested, have no use for my books, Wiley has generously agreed to allow the contest winner to pick their prize books from a much wider catalog of Wiley offerings.