KoreLogic's Password Cracking Contest at DEF CON

User Password Creation

Some big themes this year were:
  1. Pay attention to the metadata
  2. Long passwords aren't necessarily good passwords
  3. Mixing strong and weak password hashes can put all users at risk
  4. See #1
Every user account carried metadata, but it was only sometimes relevant. For the non-English passwords, a user's City or name suggested their language, and those passwords were generally weak once you knew the right alphabet or wordlist to search. Users within a given Department or Company could share source material and/or password derivation techniques, and so on.

One big pool of accounts was created using a variety of techniques and then users were split randomly across hash types, and further split between Pro and Street classes. This resulted in about 60,000 total plaintexts, 30,000 each for Pro and Street, and around 3,300 plains in each of 9 hash types.

Password Themes

Here is a breakdown of the themes used to generate plaintexts, how many of each type landed in Pro and Street classes, and what percentage of them were cracked by any team within that class. Some had explicit hints delivered via Mastodoots as the contest went on.

| Name | Pro Available | Pro Cracked | Street Available | Street Cracked | Description | Hint |
|---|---|---|---|---|---|---|
| book_phrases | 11,314 | 73.75% | 11,570 | 45.82% | Phrases (2-4 words) pulled from quotes of almost 50 different books plus suffix; see below. | [link] |
| movie_dialog | 9,533 | 79.08% | 9,379 | 55.53% | Phrases (2-4 words) pulled from 25+ movie scripts plus suffix; see below. | [link] |
| poradnikzdrowie-pl | 1,171 | 99.49% | 1,149 | 87.55% | Ripped from the headlines. | |
| epoch | 1,022 | 100.00% | 979 | 100.00% | Users' passwords were the UNIX epoch time from their Created: timestamp. | [link] |
| FakeCompanies | 844 | 86.73% | 820 | 49.76% | Company name was an abbreviation or prefix of the password. | |
| Russian_stalker_phrases | 544 | 77.02% | 583 | 37.91% | Russian text - quotes from Stalker. Users have names/City locations suggesting their language. | |
| sales_team_are_idiots | 640 | 99.38% | 653 | 99.23% | Users with... a very limited vocabulary. All users in the Sales department. | |
| NYC-streets | 517 | 25.53% | 483 | 34.99% | Passwords were mutations of valid-ish NYC street addresses. All users are in New York. | |
| recent_accounts_ssns | 503 | 0.00% | 497 | 0.00% | Common prefixes plus ~9-digit SSN. All users are in company "Dandy". | [link] |
| prod_uat_dev_hostname | 480 | 40.00% | 520 | 6.92% | System passwords derived from hostname (username) and system function (DB, webserver, etc.). Usernames suggest hostname, and they have no Name or Phone number. | [link] |
| timewarner | 469 | 100.00% | 531 | 60.64% | Ripped from the headlines. All users US-based and in Telecom department. | |
| motorsportforum | 498 | 81.12% | 489 | 73.01% | Ripped from the headlines. | |
| Unicode_superscript | 501 | 1.00% | 490 | 1.63% | Hostnames and other short strings, using Unicode subscript & superscript characters. | |
| turk-internet | 505 | 92.48% | 454 | 97.36% | Ripped from the headlines. | |
| Ukraine_misc | 295 | 50.51% | 279 | 34.41% | Ukrainian text - words, names, landmarks, some simple phrases. Users' names and cities suggest their language. | |
| IndiaRivers-Hindi | 192 | 54.17% | 165 | 8.48% | Hindi text - names of rivers in India. Users' names and cities suggest their language. | [link] |
| IndiaRivers-Bengali | 151 | 25.17% | 149 | 6.71% | Bengali text - names of rivers in India. Users' names and cities suggest their language. | |
| Iceland_misc | 154 | 70.78% | 141 | 22.70% | Icelandic text - words, names, landmarks, some simple phrases. Users' names and cities suggest their language. | |
| Science | 131 | 28.24% | 116 | 19.83% | Formulas/constants from Chemistry, Physics, and Mathematics; last names of famous scientists. | |
| India-Marathi | 107 | 36.45% | 131 | 9.16% | Marathi text - words, names, landmarks, some simple phrases. Users' names and cities suggest their language. | |
| Japan_misc | 128 | 66.41% | 108 | 60.19% | Japanese text - words, names, landmarks, some simple phrases. Users' names and cities suggest their language. | |
| India-Tamil | 93 | 59.14% | 96 | 36.46% | Tamil text - words, names, landmarks, some simple phrases. Users' names and cities suggest their language. | |
| Netherlands_misc | 34 | 29.41% | 35 | 8.57% | Dutch text - words, names, landmarks, some simple phrases. Users' names and cities suggest their language. | |
| Russian_Nicknames | 12 | 100.00% | 13 | 76.92% | Passwords based on the nicknames of the user's first name. Users' names and cities suggest their language. | |
| Russia_misc | 8 | 50.00% | 14 | 50.00% | Russian text - words, names, landmarks, some simple phrases. Users' names and cities suggest their language. | |

Phrase Generation

For phrase generation, especially for book quotes and movie dialog but also for some of the non-English text pulled from other scripts, Wikipedia pages, or "learn language XYZ" example text, a process like this was used:
  • For movie scripts, isolate just the dialog and discard stage directions, etc.
  • Split on various punctuation such as periods, commas, etc.
  • Tokenize the resulting short lines into shorter lines or phrases, typically by grabbing N characters and then moving forward until a word boundary is reached. N was ~12+ for English, lower for multibyte languages (because each character might be 2-3+ bytes long).
  • Optionally, but especially for results on the shorter side, add a suffix of a number and/or special character so that the typical plain would meet at least, say, 14class2 (14 characters drawn from at least 2 character classes).
  • Sometimes this would result in a near-collision: two quotes that start out identical and are unique only because of a different suffix. They might then wind up in two different hash-type piles, one fast and one slow.
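The pipeline above, carried through end to end as an added example (this is not KoreLogic's own tooling, and the sample texts are constructed, not quotes from any book or script). The bullets are numbered 1-5 in order in the comments. Assumed details the post leaves open: whitespace is the word boundary, the suffix is a two-digit counter plus a "!" when the plain still misses the policy, "14class2" is read as at least 14 characters from at least 2 character classes with whitespace not counting as a class, and a near-collision is any pair of plains that are equal once trailing digits and specials are stripped. The byte-length helper shows why N had to be lowered for multibyte scripts.

```python
"""Phrase-generation pipeline modelled on the steps described above.

Added example, not KoreLogic's own tooling. Sample texts are constructed,
not quotes from any book or script.
"""
import re

# Constructed sample "dialog". The last sentence repeats the opening words of
# the first so that a near-collision shows up in the output.
SAMPLE_ENGLISH = ("Stay away from the airlock, she said. We leave at dawn; "
                  "nobody waits. Stay away from me!")
SAMPLE_RUSSIAN = "Ветер стихает к вечеру, и город засыпает."  # constructed

SPLIT_RE = re.compile(r"[.,;:!?]+")          # step 2: clause punctuation
SUFFIX_RE = re.compile(r"[0-9!@#$%^&*]+$")   # trailing number/special suffix


def split_clauses(text):
    """Step 2: split on punctuation and drop empty pieces."""
    return [p.strip() for p in SPLIT_RE.split(text) if p.strip()]


def tokenize(line, n):
    """Step 3: collect words until at least n characters are reached, then cut
    at that word boundary. A short remainder at the end becomes its own phrase."""
    phrases, cur = [], []
    for word in line.split():
        cur.append(word)
        if len(" ".join(cur)) >= n:
            phrases.append(" ".join(cur))
            cur = []
    if cur:
        phrases.append(" ".join(cur))
    return phrases


def utf8_len(s):
    """Byte length as a hash function sees it; Cyrillic is 2 bytes per char."""
    return len(s.encode("utf-8"))


def char_classes(s):
    """Character classes present (assumption: whitespace is not a class)."""
    classes = set()
    for ch in s:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isspace():
            classes.add("special")
    return classes


def meets_policy(plain, min_len=14, min_classes=2):
    """14class2 read as: at least 14 characters from at least 2 classes."""
    return len(plain) >= min_len and len(char_classes(plain)) >= min_classes


def add_suffix(phrase, i, min_len=14, min_classes=2):
    """Step 4 (assumed scheme): always append a two-digit number; append a
    special only if the plain still misses the policy."""
    candidate = f"{phrase}{i:02d}"
    if not meets_policy(candidate, min_len, min_classes):
        candidate += "!"
    return candidate


def generate(text, n, min_len=14, min_classes=2):
    """Steps 2-4 end to end; the counter i runs across the whole text."""
    plains, i = [], 1
    for clause in split_clauses(text):
        for phrase in tokenize(clause, n):
            plains.append(add_suffix(phrase, i, min_len, min_classes))
            i += 1
    return plains


def policy_failures(plains, min_len=14, min_classes=2):
    """Plains that still miss the policy after the suffix (the short tails)."""
    return [p for p in plains if not meets_policy(p, min_len, min_classes)]


def find_near_collisions(plains):
    """Step 5 caveat: plains that are identical once the suffix is stripped."""
    groups = {}
    for p in plains:
        groups.setdefault(SUFFIX_RE.sub("", p), []).append(p)
    return {body: ps for body, ps in groups.items() if len(ps) > 1}


if __name__ == "__main__":
    plains = generate(SAMPLE_ENGLISH, n=12)
    for p in plains:
        print(f"{p!r:24} policy_ok={meets_policy(p)}")
    print("near-collisions:", find_near_collisions(plains))
    # Multibyte: N=8 characters is already 15-25 bytes of UTF-8 here.
    for p in tokenize(split_clauses(SAMPLE_RUSSIAN)[0], n=8):
        print(f"{p!r} chars={len(p)} bytes={utf8_len(p)}")
```

Running it shows the two effects the post warns about: "Stay away from01" and "Stay away from06" differ only in suffix, so if they land in different hash-type piles the fast one reveals the body of the slow one, and the short tails ("she said03!", "me07!") never reach 14class2 even with a suffix, which is why the suffix step is described as helping the typical plain rather than every plain.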

Sources Used

Sources used were generally in the science fiction genre, in keeping with DEF CON's theme of "the future".
  • Books: The first several page(s) of user-submitted quotes on Goodreads were harvested for: A Big Ship at the Edge of the Universe; A Psalm for the Wild-Built; Ancillary Justice; Axiom's End; Bel Dame Apocrypha series (God's War, etc.); Binti; Confluence series (Fluency, etc.); Gideon the Ninth; Imperial Radch series (Ancillary Justice, etc.); Mars Trilogy (Red Mars, etc.); Parable of the Sower; Planetfall; Project Hail Mary; Provenance; Proxima; Seveneves; The City in the Middle of the Night; The Culture Series (many); The Dispossessed; The Employees; The Expanse books (many); The Fermi Paradox is Our Business Model; The Handmaid's Tale; The Left Hand of Darkness; The Light Brigade; The Long Way to a Small Angry Planet; The Murderbot Diaries (All Systems Red, etc.); The Stars Are Legion; To Be Taught, If Fortunate; Victories Greater Than Death; Vorkosigan Saga (Shards of Honor, etc.); Wild Seed; Zones of Thought series (A Fire Upon The Deep, etc.). Not all of these resulted in good usable quotes.
  • Movies: The scripts for: Abyss, Alien, Alien Nation, Aliens, Armageddon, Back to the Future, Blade Runner, Contact, Dark Star, Dune, Empire Strikes Back, Galaxy Quest, Gattaca, ID4, Logan's Run, Mad Max 2, Pitch Black, Star Trek 2: Wrath of Khan, Star Trek IV, T2, Terminator, The 5th Element, The Day The Earth Stood Still, The Iron Giant, Total Recall, Tron, Twelve Monkeys, War of the Worlds. In some cases it was not the final script but an early draft that was used.
[Up next: per-hash-type crack percentages, mean, and mode lengths.]