Def Con ‘Crack Me if You Can’ Contest Picks Apart Passwords

LAS VEGAS—The annual Def Con Hacking Conference is in full swing this weekend and with it comes all the events and competitions that are core to its existence.

This year one competition in particular really caught my eye is the Crack Me If You Can contest, which is sponsored by KoreLogic Security.

Love them or hate them, passwords are fundamental to the way we interface with the digital world. How many times in recent memory have I read about or reported on, some form of breach at a vendor where passwords were compromised? (short answer: lots).

However, just because a set of passwords are stolen or lost doesn’t mean that an attacker will have instant access to use them.

In the modern world, passwords are not typically stored in plain text. They are encrypted or hashed (as in Cryptographic Hash), in order to provide some degree of obscurity and an additional security for the passwords. There are lots of different hashes in use today, all providing varying degrees of complexity.

The bottom line is that it’s not supposed to be easy to crack the hash and actually get at the password. Then again if it was easy the Crack Me If You Can contest at Def Con wouldn’t be all that interesting.

The groups participating in the Crack Me If You Can Challenge include some ‘interesting’ names such as, the Ralph Wiggums Allstars and the Crakka Lakka Ding Dongs. There is also a team called John_users, referring to their preferred use of the open source John the Ripper password cracking tool.

So why is KoreLogic running this contest?

It’s all about improving the understanding and awareness of password hashing techniques in an effort to help promote the use of strong password systems. The password sets that contestants receive as part of the challenge are fictional and do not represent the actual passwords of any specific organization.

I know full well that it takes a whole lot of computing power to crack password hashes. But I also know that raw computing power is pervasive today. Just go to the Cloud. Graphical Processing Units (GPUs ) further up that ante.

What lessons researchers and industry might learn from this exercise remains to be seen. But given the importance of password hashing in securing our modern world, it’s an important exercise to go through.

The contest runs from 11:59 p.m. PDT on Aug. 1 until 11:59 p.m. PDT on Aug. 3.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist