
DefCon – Crack me if you can… – or how to prove password policies are harmful

Passwords are like Pants... a Creative Commons Attribution, Noncommercial, No Derivative Works image from Richard Parmiter's Flickr photostream

One of the DefCon contests that most sparked my imagination was the “Crack me if you can” password cracking contest, organized by KoreLogic. The goal of the contest is to crack as many of the password hashes provided as possible. The rules of the contest allow the use of off-site and on-site computer equipment of any kind, but in order to be eligible for any prize money at least one team member had to be physically present at the DefCon conference.

The competition is interesting in more than one way. First of all, the contest is educational in its setup. Even though the amount of computing power a team can bring to bear matters for getting good results, it is not the determining factor in winning or losing. Key to doing well in the contest was understanding human behavior. KoreLogic generated a set of passwords that they feel is representative of what they actually encounter in the field. Most corporate environments rely on a common set of rules that force users to pick “strong” passwords and to change them regularly. While the goal of these rules is commendable, KoreLogic's experience has taught them that the human behavior these rules trigger makes passwords very predictable. “If you force employees to change their passwords four times a year, they will select something that naturally changes four times in most cities (except Las Vegas)”; typical passwords found in the field are things like Winter2010. Once you understand this pattern, you can reliably predict what the password will be in, say, nine months or a year. Teams that spotted this pattern and used it to make smarter password guesses did better in the competition.

The key to making hard-to-guess passwords is to break with this predictable behavior. If people have to put a special character in their password, they usually put it at the beginning or at the end, e.g. Summer1969! A number of the contest passwords had the special character in the middle instead, and those were significantly harder to crack: rule-based guessing that only prepends or appends characters to a wordlist entry never produces them.

There is a significant difference in success rate between the various hash types. Windows password hashes have proven to be extremely easy to crack: all the teams together cracked 94% of the Windows hashes provided to them. These included some LM hashes, but mostly NTLM and NTLM2 hashes. NTLM is unsalted and very cheap to compute, so every guess can be checked against every hash in the dump at once. An all-digit Windows administrator password nearly 20 characters long (2345678901234567890) was guessed by every team, even though no rainbow tables exist for passwords of that length; length is no protection when the password is a pattern that a simple rule generates. Operating systems like FreeBSD did much better: fewer than ten of those hashes were cracked. BCrypt hashes resisted even better, with only a few cracked. The absolute winners were the Oracle password hashes, none of which were cracked.
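As an added example (not code from the contest, from KoreLogic or from any team), the script below shows why the Season+Year and consecutive-digit passwords discussed above fall so quickly: NTLM is an unsalted MD4 over the UTF-16LE password, so a few thousand policy-shaped guesses can be checked against an entire dump in well under a second. The target hashes are constructed here from sample passwords; the season list, year range and special-character set are assumptions; and MD4 is implemented in pure Python because hashlib's md4 is frequently disabled in current OpenSSL builds.

```python
# Added example: pattern-driven guessing against unsalted NTLM hashes.
# Not code from the contest, KoreLogic or any team; everything below is
# constructed for illustration (sample passwords, season list, year range).
import itertools
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used instead of hashlib.new("md4") because
    many current OpenSSL builds ship MD4 only in the disabled legacy provider."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]           # 0,4,8,12,1,5,...
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> str:
    """NTLM = MD4(UTF-16LE(password)): no salt, no work factor, so one guess
    is compared against every hash in a dump at the cost of a single MD4."""
    return _md4(password.encode("utf-16-le")).hex()


# Assumed vocabulary for the policy-shaped guesses (not taken from the page).
SEASONS = ("Spring", "Summer", "Autumn", "Fall", "Winter")
SPECIALS = "!@#$"


def policy_candidates(years):
    """Guesses that a 90-day rotation policy with a 'one special character'
    rule tends to produce: Season+Year with the special glued to either end,
    plus runs of consecutive digits off the number row (any start, 8..20 long)."""
    for season, year in itertools.product(SEASONS, years):
        base = f"{season}{year}"
        yield base
        for ch in SPECIALS:
            yield base + ch
            yield ch + base
    row = "1234567890" * 3
    for start in range(10):
        for length in range(8, 21):
            yield row[start:start + length]


def crack(target_hashes, years=range(1960, 2013)):
    """Return {ntlm_hex: password} for every target the candidate stream hits."""
    wanted = set(target_hashes)
    found = {}
    for cand in policy_candidates(years):
        digest = ntlm_hash(cand)
        if digest in wanted and digest not in found:
            found[digest] = cand
            if len(found) == len(wanted):
                break
    return found


# Constructed sample dump: three policy-shaped passwords and one with the
# special character in the middle, which the prepend/append rules never reach.
SAMPLE_PASSWORDS = ["Winter2010", "Summer1969!", "2345678901234567890", "Sum!mer2010"]
SAMPLE_HASHES = {ntlm_hash(p): p for p in SAMPLE_PASSWORDS}

if __name__ == "__main__":
    hits = crack(SAMPLE_HASHES)
    for digest, pw in SAMPLE_HASHES.items():
        print(f"{digest}  {'cracked: ' + hits[digest] if digest in hits else 'not cracked'}")
```

Running it recovers Winter2010, Summer1969! and the 19-digit run from roughly 2,500 guesses while leaving Sum!mer2010 untouched. Against a salted, deliberately slow hash such as bcrypt the same candidate stream would have to be rehashed once per account and per salt, which is the gap between the Windows and bcrypt results above.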

While this was a serious competition, and the first prize of $600 was won by team HashCat, the competition was mostly educational in its setup. Only teams that published their cracking methods were eligible to win, and all results and methods used will be published online later this week (@@@@). The contestants used an interesting array of computer equipment: GPU-based systems, clustered Amazon EC2 instances and a university supercomputer cluster with 1TB of memory were all used, as well as plain desktop computers.
Hopefully this competition will not only teach us how to crack passwords better, but also how to pick better passwords, and thus make us all a little bit more secure.
