Crack Me If You Can Contest

Back to Top

DEFCON PASSWORD CRACKING CONTEST PRESS FAQ

Where can I get information about the contest?

https://contest-2014.korelogic.com/

Why did KoreLogic organize the password cracking contest?

Despite its weaknesses compared to multi-factor authentication, username/password remains a very common form of authentication. Password cracking helps promote strong passwords that reduce the risk of unauthorized access to data and systems.
KoreLogic's staff has a tradition of developing and sharing security tools and techniques. Rick Redman identified the Contest as an effective way to promote sharing of password cracking rulesets/wordlists/techniques/software/methods/rainbow tables/etc. In addition, many open source and commercial password cracking tools do not have rules that reflect commonly used complex passwords and patterns. KoreLogic hopes to raise awareness of this issue among security professionals such that they can help end users create stronger passwords.

What/where is the authoritative source of contest rules (e.g., what is allowed, what is prohibited, how will the winner be determined, etc.)?

The authoritative source of contest rules can be found at https://contest-2014.korelogic.com/intro.html. KoreLogic will use these to manage the Contest.

Can I get a copy of KoreLogic's password cracking rules? Are there any restrictions on their use?

Anyone may download the rules and wordlists from past years' contest sites; this year's will be published some time after DEFCON. They are free for use by individuals or corporations for their own internal use, or for use in providing general security or IT consulting services. An important restriction is that if you use these rules in a commercial password cracking product, software, or service, KoreLogic must be credited as the provider of the rules. (Contact us if you would like to discuss alternate licensing options.)

Why weren't other hash types included in the contest?

In the past, KoreLogic chose to make the contest closely mimic a penetration test. In 2010 the hash types were made to mimic what a penetration tester would see in a large corporate environment (NTLMs DES, etc). In the more recent contests, the hash-types were chosen in a method that would make for a good combination of "fast" and "slow" hashes. In 2014, the contest is not designed to strictly mimic a penetration test.

Will the release of the rules help attackers?

KoreLogic carefully considered this issue before deciding that the benefits to organizations (i.e., to test and develop stronger passwords) out-weighed the risks from malicious parties who already have access to open source and custom password crackers. The password rules, while very innovative and useful, are not 0-day exploits or other methods that would pose a new risk to organizations.

Do the password hashes contain "real" passwords?

No, the passwords are entirely fictional. The passwords were developed by KoreLogic to provide a challenging cross section of commonly used passwords and password patterns.