DEFCON PASSWORD CRACKING CONTEST PRESS FAQ
Where can I get information about the contest?
https://contest-2010.korelogic.com/
Why did KoreLogic organize the password cracking contest?
1) Despite its weaknesses compared to multi-factor authentication, username/password remains a very common form of authentication. Password cracking helps promote strong passwords that reduce the risk of unauthorized access to data and systems.
2) KoreLogic's staff has a tradition of developing and sharing security tools and techniques. Rick Redman identified the Contest as an effective way to promote sharing of password cracking rulesets/wordlists/techniques/software/methods/rainbow tables/etc. In addition, many open source and commercial password cracking tools do not have rules that reflect commonly used complex passwords and patterns. KoreLogic hopes to raise awareness of this issue among security professionals such that they can help end users create stronger passwords.
What/where is the authoritative source of contest rules (e.g., what is allowed, what is prohibited, how will the winner be determined, etc.)?
The authoritative source of contest rules can be found at
https://contest-2010.korelogic.com/intro.html. KoreLogic will use these to manage the Contest.
Can I get a copy of KoreLogic's password cracking rules? Are there any restrictions on their use?
Anyone may download the rules and wordlists after August 2, 2010. They are free for use by individuals or corporations for their own internal use, or for use in providing general security or IT consulting services. An important restriction is that if you use these rules in a commercial password cracking product, software, or service, KoreLogic must be credited as the provider of the rules. (Contact us if you would like to discuss alternate licensing options.)
Why weren't other hash types included in the contest?
The hash types we chose, and their distribution/composition (the percentage of each type), are based on statistics from real world large corporate environments we have tested. A large number of NTLMs (from an Active Directory), various UNIX hashes, hashes from LDAP directories, and Oracle were chosen as being the most common types of hashes seen. Example of a hash type not used: mRAW-MD5 was not used because it is rarely used as a method for storing credentials in enterprise environments.
Will the release of the rules help attackers?
KoreLogic carefully considered this issue before deciding that the benefits to organizations (i.e., to test and develop stronger passwords) outweighed the risks from malicious parties who already have access to open source and custom password crackers. The password rules, while very innovative and useful, are not 0-day exploits or other methods that would pose a new risk to organizations.
Do the password hashes contain "real" passwords?
No, the passwords are entirely "fictional." The passwords were developed by KoreLogic to provide a challenging cross section of commonly used passwords and password patterns.