The password hacking contest I started 10 months ago is two-thirds over. We have a winner for the second of three hash challenges… I just don’t know who they are.
On July 17, 2006, I challenged Security Adviser blog readers to a password hash cracking contest. The prizes were nominal ($100 and free copies of my books), but the main challenge was to prove my password theories wrong and to live on in infamy through Internet blogs (yeah, right, Roger).
I proposed that shorter, so-called “complex” passwords were easier to break than less complex, longer passwords. I know this to be true because I frequently password crack for a living, and I know that most people’s "complex" passwords aren’t really that complex. When told to pick complex passwords, 80 percent of all end-users will use the same complexity tricks, such as:
-- Most passwords will match the minimum password length (or one character longer), normally six to eight characters.
-- Uppercase letters will be at the beginning, and will usually be a consonant, followed by a lowercase vowel.
-- The vowels a, e, or o will be highly represented in the password population (greater than a 50 percent chance).
-- If a number is used, it will be a 1 or a 2.
I maintain that length is a better computational protector of password confidentiality than complexity, because true complexity is not easily enforced. And if it is enforced, most users will revolt, frequently forget passwords, or write them down. So if we can’t guarantee complexity, length is a better protector.
I repeated the contest challenge in my Security Adviser column on July 21, 2006. My assertion was further backed up by my November 2006 MySpace password analysis (which was also analyzed by Bruce Schneier). This is only one analysis, but I’ve been involved with nearly a hundred others and none have contradicted me.
The contest provided three Windows NT password hashes of varying length and complexity. The easy challenge (0570B4C2CC734E230DE9B67C868FAE04) represented a 10-character password with common “license plating” complexity. The second challenge (7B1FC86A9CD8955963E3930C42F4226F) was a 15-character password with one or more English words and no complexity. The third challenge (4475BCB3B66320BF289D5475C7016A81) was a 15-character password with one or more English words and minor complexity.
I’ve had over 3,000 guesses since posting the challenge, but only two right answers. On November 10, 2006, I revealed that Anthony Adamo of Colorado had broken the first challenge by successfully computing that the password was S10wDr1v3r.