Win money and books for cracking my Windows password hashes!

$100 plus several of my books if you can crack my Windows password hashes.

I’ve been participating in an online thread discussing password complexity versus length. I say forget complexity and go for length. Many others feel complexity is the way to go. So to put my money where my mouth is, I’m sponsoring a contest:

CHALLENGES:

Let’s do a test, with three challenges:

Challenge #1 (Complexity at 10 characters) for the first person to email me the plaintext equivalent to the following NT hashes:

Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04

Clues Normal Password Cracker Would Not Have:

1. It’s 10 characters long exactly

2. Contains no words contained in the English dictionary, but is based upon two words that have been “license-plated” (i.e. hybrid attack is needed)

3. Moderate complexity, but nothing beyond alpha letters and numbers.

Prize for Challenge #1:

1. Your name in my InfoWorld column

2. A free copy of my book, Honeypots for Windows (Apress, 2005)

—

Challenge #2 (15 characters long, no complexity) for the first person to email me the plaintext equivalent to:

Harder Challenge: 7B1FC86A9CD8955963E3930C42F4226F

Clues Normal Password Cracker Would Not Have:

1. It’s exactly fifteen characters long

2. Contains one or more words contained in the English dictionary

3. Absolutely no complexity.

Prize for Challenge #2 for the first person to email me the plaintext equivalent

1. Your name in my InfoWorld column

2. A free copy of my latest book, Professional Windows Desktop and Server Hardening (WROX, 2006)

—

Challenge #3 (15 characters or longer, some complexity) for the first person to email me the plaintext equivalent to:

Hardest Challenge: 4475BCB3B66320BF289D5475C7016A81

Clues Normal Password Cracker Would Not Have:

1. It’s fifteen characters or longer

2. Contains one or more words contained in the English dictionary

3. Some minor complexity.

Prize for Challenge #3 for the first person to email me the plaintext equivalent

1. Your name in my InfoWorld column

2. $100 out of my pocket (my wife is going to love me)

3. A free copy of my latest book, Professional Windows Desktop and Server Hardening (WROX, 2006)

4. A free copy of my next sole author book, Windows Vista Security: Preventing Malicious Attacks (Wiley, 2007), when it comes out.

(or you can substitute any of these books for my latest co-author book, MCSE Core Electives in a Nutshell (O’Reilly, late 2006) when it comes out.

——

Rules:

1. I solely determine winners and all rules

2. You can only claim one challenge prize. Send me the passwords if you break them, but if you win both challenges #1 and #2, I’ll give you all the prizes listed in #2, but I’ll give prizes in #1 to the next closest winner.

All password hashes can easily be cracked with the right tool and dictionary. I expect the first challenge to be cracked first. I suspect all three can be cracked. In the real world, the attacker would not be given the clues I have given. But I want readers to understand how hard this would be to do even if you had all the clues a real cracker would need to begin the attack.

This is proof of concept of password length over complexity. If someone breaks Challenges #2 or #3 before #1, I’ll know I’m wrong.

Have fun and enjoy.