CMIYC 2013 Encrypted Challenge Files, Password Creation, and Hints

We’ve just published details about the Crack Me If You Can 2013 encrypted file challenges here: the passphrase for each encrypted file, and the hints that are included in each one.

Encrypted File Types Each encrypted file type had an Easy, Medium, and Hard file, with increasingly complex passphrases. As with the main password sets, there were different passphrases for Pro and Street files. We did fewer file types than last year, and they were for fewer points, proportionately, than last time.

As before, we did not try to set point values proportionate to the difficulty of cracking one file type vs another. There be dragons.

We also didn’t enforce strict rules internally about the difficulty of the different passphrases; they get longer and/or have increased character set complexity as you go up, but not all “Easy” passphrases were created equal, etc.

Password Creation

As we do every time, we spent all year generating new sets of plaintexts for the main password hash lists. A bunch of different KoreLogic staff contributed, using many different inspirations for wordlists, mangling rules, or other themes.

This time we took notes about what inspiration we used for each set. Although the plaintexts were split into multiple different “Company” subdirectories (see here for more), we kept each set of similarly-generated plaintexts local to a given company.

This sort of simulates the cultural biases that can cause an organization to have similarities in their plaintexts:

• Staff working in a given industry may commonly gravitate towards industry-related terms
• A bunch of users will embed the names of the local sports teams, such as the city where a company has its headquarters
• Enterprise-wide user training and examples can lead to users following similar patterns in plaintext manipulation/modification

We also avoided a big problem from 2012: last year, we used many phrases from songs, books, and movies—including so many from current works that were still under copyright, that we were afraid to release the full corpus of plaintexts afterwards. Oops! We will be publishing all the plaintexts for 2013 in a little while.

Hints

Some of those notes then became hints that were embedded as the contents of the encrypted challenge files: crack a file, learn something that’ll help crack some of the password hashes. There were typically 10+ differently-inspired sets of plaintexts that went into each Company, and we only released hints about one (at most) set per Company. So knowing the hints would give a team an advantage, but not a huge one.

We had another, hidden purpose for doing these groupings and hints, which I will write more about later. Wild speculation in comments to this post are encouraged ;)

Encrypted File & Hint Results

I think we just generally made the challenge files too hard—and/or it was so non-obvious that their contents were useful hints that, coupled with the relatively low point value, teams did not bother much with them.

Some teams do mention figuring out some common patterns among plaintexts they cracked, relevant wordlists, etc. Which is great, but I wish there had been more challenges cracked so there were more hints “in circulation” during the contest.