Guesses against the second and third challenges continued to come in daily. There is at least one university using distributed computing to solve the second and third challenges. I’m still surprised by how many people submit guesses that, when hashed, don’t come close to the original hashes. Lots of password cracker wannabes complain that I don’t use real Windows password hashes (I do, they’re just not LM hashes) or that I chose passwords that could not be cracked by existing rainbow tables (yes, and your point is?).
A successful answer to the first challenge took nearly four months. Initially, I expected all three challenges to fall in several weeks. I had already provided clues that no password cracker would ever have in real life (i.e. English words only, little to no complexity).
The answer to the second challenge came in an anonymous response. Days after I first announced the contest, someone e-mailed me to ask if I would take anonymous contributions. I thought about it and replied yes. The e-mailer said they worked with one of our government’s three-letter agencies and that they had met me before (I frequently teach to those agencies). To this day, I don’t know who this person is or what they used to crack the second password challenge, but they got it right.
The second password challenge answer is myengagingwives.
To the winner: to collect your prize, simply show up at any class or presentation I do this year and tell me the “secret quote” I sent you in my e-mail reply. I’ll be speaking in DC many times this year (as always) and I’ll be in New York on June 26 at the InfoWorld Enterprise Data Protection Executive Forum.
For crackers still interested in the third challenge, I will award you the prize money and copies of all seven of my books on computer security. If you, as some of my readers have suggested, have no use for my books, Wiley has generously agreed to allow the contest winner to pick their prize books from a much wider catalog of Wiley offerings.