KoreLogic's Password Cracking Contest at DEF CON

User Password Creation

The general theme this year was users forced to change their passwords over time, with stricter policies being enforced for each change. Nevertheless, the users continue making poor decisions about password choice. For all of these users' passwords, cracking their oldest/weakest history entries would reveal hints about their more recent passwords. Some iterated over previous passwords, making incremental adjustments. Others used new passwords or phrases, but with similar inspiration or source material. They also attended security awareness training courses in big groups, so lots of them made similar decisions about how to l33t5p34k up their passwords.

Some other accounts had randomly generated passwords, but with the plaintexts stored in other account attributes in Active Directory, because admins and developers can make bad decisions too. This has been seen in the "wild" where the information was leaked via LDAP queries against the domain.

Here is a breakdown of themes, the percentage of all passwords of that type that were cracked by any Pro team, and the percentage of history0 (the current, and hardest) iteration of those passwords cracked by any Pro team:

| Idea | Overall Pro Cracks | history0 Cracks | Description |
|---|---|---|---|
| Numbers | 99.9% | 100% | Mix of digits and written-out numbers. Examples of a single user's passwords with increasing difficulty: eightsix 22fiftynine Fortytw2 Twelve1992? Fortyeight1990_ Hundredthirty1990( Fiftythousand2010_ |
| Games | 82.2% | 58.3% | Words related to various (mostly video) games. A certain .rules file was used to generate manipulations. Example: iaraamed WFortnite FIFA_180l 2.Family! Cruis:nU0A928 Dance_Ae098obics 30TheWonde!ful101 |
| DEFCON | 95.8% | 88.3% | Words related to us going to Vegas for an event. Example source words: Defcon, Paris, LasVegas, Password, Nevada, KoreLogic, etc. |
| Months | 100% | 100% | Users love using months in their passwords. Example passwords from a single user: moctay 530AuGust 38JuLy05 June%7992 fEBrUary^7837 1992September DecEMber*8073 |
| Names | 99.9% | 99.7% | A corpus of variations of names. The source name list was pulled from real data. Most of the manipulation involved either prepending or appending special characters and numbers. |
| Latin America | 96.8% | 98.2% | Latin American place names, with relatively simple manipulations. Examples: currency Leiva2021 RiodeJan#4 Ecatepec2021# M@iqueti@19## M@drid202188$ #Oporapa20212 |
| Doubles | 99.6% | 99.4% | Simple word, then mutated, then doubled. Or, simple word, doubled, then manipulated. Example of a single user's passwords: cester retsehcP 1Chester Chester2021# @1Chester@1Chester 1ChesterChester@ 2011Chesterchester! |
| Zack Ulloa generated (KoreLogic intern) | 100% | 100% | Simple words that are manipulated using rules and the current year (21!). Example of a single user's passwords: excruciating excruciating21 Excruciating21! eXCRuCiaTiNG21! Excruc1at1ng21! Excruc1at1ng21!#! _!Excruc1!at1ng21! |
| Mexico | 88.6% | 98.0% | Place names in Mexico. The users change their locations for each password change. Simple numbers appended to the end of each location. |
| Training | 100% | 100% | Random plains, stuck in the users' Description field in AD. |
| Webpage | 0% | 0% | Random plains, stuck in the users' Webpage field in AD. The "webpage" or "homepage" field in AD should have been visible via LDAP dumps, or NTDS.dit extraction. Example command when the users were added: dsadd user cn=website-18475,CN=Users,dc=crackmeifyoucan,dc=com -samid website-18475 -mustchpwd no -webpg https://18475:8jmD3o612mDRdaTy@www.crackmeifyoucan.com/ -pwd 8jmD3o612mDRdaTy |
| CMIYC2011 | 94.4% | 87.9% | Previously-published plaintexts from CMIYC 2011. This list contained all the BonJovi and Obsessiveness plains. |
| MyHeritage | 99.9% | 100% | Cracked passwords from the recent MyHeritage data breach. |
| Song Lyrics | 68.2% | 8.0% | An artist/band name, short quotes from one work, then shuffled words. Example user: Garcia1 "Jerry Garcia1" shine2 "sun will shine1" "shine in my1" "door my shine day one will" "d00r my 5h1n3 d4y 0n3 w1!!" |
| Ferengi RoA | 85.1% | 0% | Rules of Acquisition number, then quoted, then shuffled words. Example user: 266. "Rule #266." doubt, "When in doubt,1" "doubt, lie.1" "When lie. in doubt," "WhEn 1:E. :n d.ub%," |
| King James Bible | 96.0% | 86.5% | Book of the KJB, then add chapter:verse, then quoted/shuffled words. Examples: Chronicles1 "Chronicles 2:51" "Bethgader" "father of Bethgader." "the of Hareph Salma father" "t53 0f H@r3p5 S@lm@ f@t53r" |
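
The Training and Webpage rows describe plaintexts left in the Description and web page attributes of AD accounts. As an added example (not KoreLogic's code), here is one way an administrator could audit an LDIF export of their own directory for that condition. The sample export, the account names, the list of audited attributes and the token heuristic are all assumptions made for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample LDIF export (made-up accounts and values, not contest data).
SAMPLE_LDIF = """\
dn: CN=svc-backup,CN=Users,DC=example,DC=test
sAMAccountName: svc-backup
description: Backup service account

dn: CN=train-001,CN=Users,DC=example,DC=test
sAMAccountName: train-001
description: temp pw Xk29fQm7Lp3Z

dn: CN=site-001,CN=Users,DC=example,DC=test
sAMAccountName: site-001
wWWHomePage: https://site-001:Qz7Lm2Xp9Rt4Vb6N@www.example.test/
"""

AUDITED = {"description", "info", "wwwhomepage", "url"}  # assumed audit scope
# Heuristic: a 10+ character token mixing upper, lower and digits looks generated.
TOKEN = re.compile(r"\b(?=\w*[a-z])(?=\w*[A-Z])(?=\w*\d)\w{10,}\b")

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry; handles folding and base64."""
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        yield entry

def find_exposed_secrets(ldif_text):
    """Return (account, attribute, reason) findings; the secret is never echoed."""
    findings = []
    for entry in parse_ldif(ldif_text):
        account = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
        for attr in AUDITED.intersection(entry):
            for value in entry[attr]:
                if "://" in value and urlsplit(value).password:
                    findings.append((account, attr, "password in URL userinfo"))
                elif TOKEN.search(value):
                    findings.append((account, attr, "password-like token"))
    return sorted(findings)

print(find_exposed_secrets(SAMPLE_LDIF))
```

Any account flagged this way should have its password rotated and the attribute cleared, since these attributes are readable through ordinary LDAP queries.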

User-Idea Mappings

Here are mappings from individual users to which source they used for inspiration:

cmiyc-2021_user_plain_derivations.csv

Cracked Hashes

All of the hashes, and their plaintexts, that were successfully cracked by at least one Pro team, and by at least one Street team:

cmiyc-2021_cracked_pro.csv
cmiyc-2021_cracked_street.csv

UnCracked Hashes

All of the hashes that were not cracked by any Pro team, or by any Street team:

cmiyc-2021_uncracked_pro.csv
cmiyc-2021_uncracked_street.csv