| CMIYC 2013 Encrypted Challenge Files, Password Creation, and Hints | 2013-09-04 23:59 |
We've just published details about the Crack Me If You Can 2013
encrypted file challenges here: the
passphrase for each encrypted file, and the hints that are included in
each one.
Encrypted File Types
Each encrypted file type had an Easy, Medium, and Hard file, with increasingly complex passphrases. As with the main password sets, there were different passphrases for Pro and Street files. We did fewer file types than last year, and they were for fewer points, proportionately, than last time.
As before, we did not try to set point values proportionate to the difficulty of cracking one file type vs another. There be dragons.
We also didn't enforce strict rules internally about the difficulty of the different passphrases; they get longer and/or have increased character set complexity as you go up, but not all "Easy" passphrases were created equal, etc.
Password Creation
As we do every time, we spent all year generating new sets of plaintexts for the main password hash lists. A bunch of different KoreLogic staff contributed, using many different inspirations for wordlists, mangling rules, or other themes.
This time we took notes about what inspiration we used for each set. Although the plaintexts were split into multiple different "Company" subdirectories (see here for more), we kept each set of similarly-generated plaintexts local to a given company.
This sort of simulates the cultural biases that can cause an organization to have similarities in their plaintexts:
Hints
Some of those notes then became hints that were embedded as the contents of the encrypted challenge files: crack a file, learn something that'll help crack some of the password hashes. There were typically 10+ differently-inspired sets of plaintexts that went into each Company, and we only released hints about one (at most) set per Company. So knowing the hints would give a team an advantage, but not a huge one.
We had another, hidden purpose for doing these groupings and hints, which I will write more about later. Wild speculation in comments to this post are encouraged ;)
Encrypted File & Hint Results
I think we just generally made the challenge files too hard--and/or it was so non-obvious that their contents were useful hints that, coupled with the relatively low point value, teams did not bother much with them.
Some teams do mention figuring out some common patterns among plaintexts they cracked, relevant wordlists, etc. Which is great, but I wish there had been more challenges cracked so there were more hints "in circulation" during the contest.
Encrypted File Types
Each encrypted file type had an Easy, Medium, and Hard file, with increasingly complex passphrases. As with the main password sets, there were different passphrases for Pro and Street files. We did fewer file types than last year, and they were for fewer points, proportionately, than last time.
As before, we did not try to set point values proportionate to the difficulty of cracking one file type vs another. There be dragons.
We also didn't enforce strict rules internally about the difficulty of the different passphrases; they get longer and/or have increased character set complexity as you go up, but not all "Easy" passphrases were created equal, etc.
Password Creation
As we do every time, we spent all year generating new sets of plaintexts for the main password hash lists. A bunch of different KoreLogic staff contributed, using many different inspirations for wordlists, mangling rules, or other themes.
This time we took notes about what inspiration we used for each set. Although the plaintexts were split into multiple different "Company" subdirectories (see here for more), we kept each set of similarly-generated plaintexts local to a given company.
This sort of simulates the cultural biases that can cause an organization to have similarities in their plaintexts:
- Staff working in a given industry may commonly gravitate towards industry-related terms
- A bunch of users will embed the names of the local sports teams, such as the city where a company has its headquarters
- Enterprise-wide user training and examples can lead to users following similar patterns in plaintext manipulation/modification
Hints
Some of those notes then became hints that were embedded as the contents of the encrypted challenge files: crack a file, learn something that'll help crack some of the password hashes. There were typically 10+ differently-inspired sets of plaintexts that went into each Company, and we only released hints about one (at most) set per Company. So knowing the hints would give a team an advantage, but not a huge one.
We had another, hidden purpose for doing these groupings and hints, which I will write more about later. Wild speculation in comments to this post are encouraged ;)
Encrypted File & Hint Results
I think we just generally made the challenge files too hard--and/or it was so non-obvious that their contents were useful hints that, coupled with the relatively low point value, teams did not bother much with them.
Some teams do mention figuring out some common patterns among plaintexts they cracked, relevant wordlists, etc. Which is great, but I wish there had been more challenges cracked so there were more hints "in circulation" during the contest.
| 2 comments | Posted by Hank at: 23:59 permalink |
Hank wrote at 2013-09-06 17:28:
Every year the winning team sends us their writeup the fastest ;) But yes, I do hope we get more from other teams soon.
Challenge9 is kind of weird, even though it contains hints, it was scored like passwords (mostly because they were per-user). I will add them to the table. Thanks!
Comments are closed for this story.
Mastercracker wrote at 2013-09-06 09:00: