World Password Day cracking challenge



  • The flip side of that is that even if someone has a password solved, they may elect to hold onto it in the expectation that 1Password will increase the reward again (as it has several times in the past), thereby holding out on $10k cash now in the hopes of receiving >>$10k in the future (provided nobody else beats the astronomical odds and cracks a password).

    We were worried about this when we first discussed prize increases. And so we just hinted that there might be and hoped that we are vague enough to discourage people from trying to game things that way. Also of one person has found a password, then unless they were really lucky (say only searched a tiny portion of the space before getting it) then they should know that they might not be the only ones. It would be a risky game to play.

    Of course, if they co-ordinate with each other, then they can look at dividing the 1st and 2nd place prize among them. But you will notice that in our last prize increase the combined prizes for 1st and 2nd place did not double. We spread things out give larger proportional increases to 3rd and 4th place.

    If 1P makes a clarification that it will never raise the rewards again, I'd wager the probability distribution (of seeing a password release over time) shrinks and moves closer to the present.

    I can say with a great deal of confidence that the approximately $32,000 we are now committed to spending in prizes is as much as we want to go. All future changes will be in the form of additional hints. I expect that our second bit of hint will be released either later this month or near the beginning of October.

    On the one hand, it would be nice to just release two or three additional bits of hint now to help wrap this up, but I do want to "reward" people who have been working on this from before the hints were offered, so we are dribbling out the hints more slowly.

    A digression

    If I can put it in Econ-101 terms, it's that even if the incentives we offer are sufficient for covering the cost of the cracking effort, there is still a larger opportunity cost that we can't realistically match.


    You got it. If you offered $30-100k for a single solution, it would be an absolute no-brainer and the passwords would be cracked before any of us (forum users) even got the chance to see the announcement.

    The fact that the price of cryptocurrencies differs so much from the cost of mining is really disappointing. If they didn't differ then we wouldn't have to be competing this way against an opportunity cost.

    One of the things that I really liked about the design of these is the control of the money supply without a central bank. Mining incentives should have smoothed out the prices, making them less volatile. I would really like to see some of these actually work as an efficient medium of exchange instead of just a means for holding (speculative) value. Money needs to do both, but a highly volatile currency in which only a tiny portion of transactions are for goods and services, is a failure as a currency. Maybe someday we will get this right.

  • TuxToasterTuxToaster
    Community Member

    You got it. If you offered $30-100k for a single solution, it would be an absolute no-brainer and the passwords would be cracked before any of us (forum users) even got the chance to see the announcement.

    I'd have to disagree. Sure, you'd have more people participating, or possibly even those who are dedicating more time/resources/etc. to attempting it, but a higher reward doesn't negate the technical challenges involved in actually cracking the password. You'd definitely have more people with massive multi-GPU rigs participating as well as those who are willing to front the costs of paying for cloud instances hoping to recoup the costs with the reward payout, but there's still a fair amount of risk playing that game as many factors from luck to pure timing could impact who would capture and submit first.

  • Two bit hints are now published.

    As of a few minutes ago, we now publish the first two bits of the unsalted SHA256 hash of the solutions.

    See earlier discussion for both the rationale for these hints and the details of how they were generated. Now with two bits of hints you should be able to quickly eliminate three out of every four guesses.

    ID Status Successful password Hint
    3UOKUEBO Sample governor washout beak 0b01
    AJPYJUTN Sample glassy ubiquity absence 0b11
    IV2DL67Q Sample splendor excel rarefy 0b01
    NO4VRU4S Not found 0b10
    33YRS77A Not found 0b01
    J6J4QUWQ Not found 0b01
    SFELTO3W Not found 0b00
    DOHB6DC7 Not found 0b00
    2SB5OP3G Not found 0b00
    5BSLBTKR Not found 0b10
  • jpgoldbergjpgoldberg

    Team Member

    Just a word of advice when using the hints. We are talking about the first bits of a sequence of bytes; so make sure that however you are handling your SHA256 hashes that you do not strip away leading zeros.

    At least one participant ran into this problem; so I thought I would warn others.

  • jpgoldbergjpgoldberg

    Team Member

    In the process of trying to get my 2012 Mac Pro to run macOS Mojave I had to, among other things, replace the graphics card with one that fully supports Apple's [Metal 2 API]. It has been a long time since I've shopped for a video card, and so had a whole new set of things to (re)learn. What I also had to adjust was my expectation of how costly this upgrade would be.

    The relevant point: Had I shopped for video cards prior to setting up this contest and seen their prices, I might not have made such a large error in my estimate of what what prizes would be necessary. I'd have had a better sense of what cryptocurrency mining has done to the market.

  • EnerJiEnerJi
    Community Member

    I take it that it would be posted here quickly if anyone had successfully cracked any of the passwords? It's amazing that more than five months into the contest it appears that no one has cracked any of them...

    Is there any indication as to how many people are still active in the challenge, and what sort of equipment they are using? Unless I'm mistaken, no registration is required with Bugcrowd (unless you succeed and wish to claim a prize?) so I suppose any estimate would be based on people who have reached out to 1PW for clarification or contest-related discussion in cracking forums and such.

  • jpgoldbergjpgoldberg

    Team Member

    You are exactly right that we really don't know how many people are participating, @EnerJi. A few people have tweeted about their set ups, and some participants have posted here. But we do no really have a good sense of whether its half a dozen or dozens.

    And yes. Once there is a confirmed hit, we and Bugcrowd will try to get that information out there.

  • jpgoldbergjpgoldberg

    Team Member

    Challenge DOHB6DC7 has been found

    We have a first place winner. At 6:10 UTC, October 14 the password mansard humpback unbutton was submitted.

    I have since verified that it indeed produces to the associated derived key using the given salt. Note that anyone can verify this, as it does not require access to the original passwords.

    Congratulations to the first place winner (I do not yet know how they wish to be identified). Pending the write-up they win 12288 USD.

  • jpgoldbergjpgoldberg

    Team Member

    A first cost estimate

    Based on the write-up from the crack of DOHB6DC7, I've done some back of the envelope calculations to help me assess the cost of cracking one of these three word passwords.

    The team (s3inlc, winxp5421, blazer, and hops) only joined the effort after the second hint was offered,

    After seeing that the second bit hint was released for the challenge, we calculated that worse case it would take us under 100 days to recover a single challenge hash. This made the challenge feasible and economically viable.

    This makes some of the calculations much easier. Also note that their consideration did correctly include the risk of losing the race to someone else. They needed the prize to be worth much more than their actual costs, given the uncertainty of winning.

    Keeping time, time, time in a sort of runic rhyme

    We can simply multiply the amount of time it took them to find a result by 4 in order to see what the time would be without the hints. (Yes, there was some cost in making use of the hints, but I'm going to ignore those). They also found the password after searching through 18.71% of the keyspace, while on average a search of 50% of the keyspace is required. So I can multiply their total time by by 50/18.71 (2.67). So without the hints and without their good luck in finding a hit "early" I will multiply the work that they did by 10.69 (4 * 2.67).

    So their cracking time of 17d 16:33:53 (424.5 hours) can be multiplied by our 10.69 to get the average time without the hints. So 4538 hours, which I will round down to 4500. (I tend to round in favor of the attacker as part of just being conservative as a defender.) This works out to be 187 days, which nicely rounds down to half a year.

    Running costs

    These rigs costed us approximately $16.24 per day to run.

    I will take that "approximately" and round to 16USD per day.

    Turning fixed costs into running costs

    As they correctly say in their write-up there are fixed costs having to do with the gaining the expertise and experience needed to be able to do this. But like these winners, I am going to not include that in the calculations. It's certainly true that not anyone could do what they did, but there are probably enough organizations out there that could if they wanted to, that from a defender's point of view, I should ignore that cost.

    Their estimate of the purchase price of the GPUs was 11,550 USD. But it's not as if they purchased those for this challenge and throw them away afterwards. We have to come to some guess at some amortization of that fixed cost to come up with some cost per day. Now we could go and examine prices of GPUs and their power over a period of time to try to figure that out. And if someone would like to do that, I will be very happy for what they come up with.

    Until we have a more principled and data-driven number to go on, I'm just going to linearly amortize high-end GPUs over three years. So that makes the daily cost of those 11550/(3 * 365.4), which works out to $10.54 per day.

    Total costs

    If we add that to the other running costs, we get a total running cost of $26 per day (again rounding down).

    If we take our average time to crack no-hint passwords fo this form at the 187 days we estimate above, that makes this $4862 to crack the average three word password generated from our list. With the hints, that total cost is cut in 4. But as the winners correctly said,

    This may seem like a rather large difference in cost vs reward but, you must assess the risk of the challenge. Our group decided to select a single hash to attack instead of multiple. We are “putting all of our eggs into one basket” it's totally possible another group would find the same hash we are attacking and end up with nothing for our efforts.

    This is why we tried to price the prizes at above what we (incorrectly) thought the costs would be.

    To be continued

    That is one way to do back of the envelope calculations on this. Next (in a separate comment) I will work on costs per N guesses. (Where N is a suitably large number that gives reasonable guesses.

  • nils_enevoldsennils_enevoldsen
    Community Member

    Congratulations to s3inlc, winxp5421, blazer, and hops!

  • jpgoldbergjpgoldberg

    Team Member

    Costs per (lots of) guesses

    s3inlc, winxp5421, blazer, and hops report in their write-up of their successful cracking of challenge DOHB6DC7 that they maintained and average cracking rate of 209.85 kH/s. I'm not sure whether "kH" is 1000 hashes (guesses) or 1024 guesses. I'm going to go with the latter unless told otherwise.

    This works out to about 2^34.11 guesses per day. Using the daily cost computation from my previous post, this makes the cost of making that many guesses $26. Now 2^34.11 isn't a very nice number, so let's pick a nearby round number like 2^32, which is 4.32, 2^(34.11 - 32), times smaller. This puts the cost of 2^32 guesses at $6.

    There are 18328 words on our word list and we have three word passwords, so that means that there are 18328^3 possible solutions to go through. That is roughly 2^42.49. But on average an attacker should only have to go through half of those, so 2^41.49 guesses gives the attacker a 50% chance of finding the right one.

    We want to know how many times 2^32 goes into 2^41.49 to how many times over the attacker needs to do 6 dollars of work. And we are reminded of why we look using logarithms so much; we can just subtract the exponents to do our division, and end up with 2^9.49. If it costs $6 to go through 2^32 guesses, it costs 6 times 2^9.49 dollars to go through half of the total search space.

    So approximately $4300. This is within the same order of magnitude of the other computation, which involved different rounding at different points. This $6 per 2^32 guesses is tied to the specific key derivation method of 100,000 rounds PBKDF2-HMAC-256.

    A reminder

    And let me remind everyone that this challenge simulates the cost to an attacker who captures 1Password data from your own machine. This sort of attack is not feasible against data captured from Without your Secret Key, part of our Two-Secret Key Derivation (2SKD), there is simply no way to launch a password guessing attack. Your Secret Key cannot be stolen from us (as we never have it in any form whatsoever), but it can be stolen from your systems by an attacker who gets the data from your system. This is why your Master Password remains important.

    Another word

    Now let's use the results above to see the cost of cracking a four word password. That keyspace would be 18328^4, or 2^56.65. Half of that keyspace (which the attacker would need to go through on average) is 2^55.65. 2^32 goes into that 2^23.65 times. And so at a cost of $6 for every 2^32 guesses, we would have the cost of an average guessing attack be $78,978,821. So roughly $79 million to guess a four word Master Password.

  • TuxToasterTuxToaster
    Community Member

    I believe Hashcat uses 1,000 as the base, at least according to what has been previously mentioned on their forums. For those attempting multiple hashes, note that this value is typically divided among the number of uncracked unique salts being attempted.

  • s3inlcs3inlc
    Community Member

    @jpgoldberg nice calculations, it's interesting to see the other side. But surprising that you have a dictionary of 18328 words, we used one with 18436 (maybe an older one with all the bad words which you removed later).
    As far as I know, @TuxToaster is right that Hashcat uses 1'000 as base for the hash speed.

  • jpgoldbergjpgoldberg

    Team Member

    Hashcat uses 1,000 as the base,

    Thank you @TuxToaster and @s3inlc. I will go with 1000. It probably doesn't make a difference given the rounding I'm doing anyway.

    But surprising that you have a dictionary of 18328 words, we used one with 18436 (maybe an older one with all the bad words which you removed later).

    I think I failed to make it clear in the initial documentation that the wordlist is the one in the doc folder in the repo. So you did search a larger space than necessary. Sorry about that.

    We do, on occasion, remove words from the list, and so I wanted to include the list that was used to generate the challenges publicly. It would have been really unfortunate if one of the solutions had a word that we removed after a participant fetch the list. Fortunately, it's been a very long time since we ever added a word, but the next time I retrieve the solution file (it's kept securely on removable media) I will have to check that none of the (very few) words that we've added are among the solutions.

    I almost didn't keep a copy of the solutions at all. But it turns out that it is good that I did, as I wouldn't have been able to create the hints without it. I really couldn't see us doubling the prizes another two times.

  • Challenge SFELTO3W has been found!

    The password was "faint bust perturb". It was found on November 7, 2018.

    It was found by the same team that took first place. So they get to take home even more money. Congratulations!

    I have verified the solution, as can anyone using the tools provided as part of the challenge repository or of your own devising.

    $ chcreator -t < SFELTO3W-check.json 
    0 bad derived keys out of 1 tested

    Note, to fully verify see that the salt and derived key in SFELTO3W-check.json are the same as in the original, signed, challenge. password-day-2018.json.

  • s3inlcs3inlc
    Community Member

    Thanks again for hosting this challenge, we were enjoying it.
    There is a funny story about working on challenge SFELTO3W to come in the report ;)

  • There is a funny story about working on challenge SFELTO3W to come in the report ;)

    I'm looking forward to it.

  • nils_enevoldsennils_enevoldsen
    Community Member

    Congrats again!

  • Challenge 2SB5OP3G has been found

    The password was "befell car granary" and was found on November 10, 2018.

    Congratulations again to @s3inlc and team!

    The repository has been updated, and everyone can verify the found password as they wish.

  • nils_enevoldsennils_enevoldsen
    Community Member

    The writeup from SFELTO3W is super interesting, and I loved the idea of renting GPUs to simplify the cost calculations. Brilliant work. I look forward to reading about 2SB5OP3G.

  • s3inlcs3inlc
    Community Member

    Thanks, nice to hear that you liked the writeup. Regarding challenge 2SB5OP3G there won't be a full writeup, because we proceeded the same way as for the previous one (except that there was no mistake with the hash import).

  • KoueasuKoueasu
    Community Member

    World password cracking day, good to share, I used to read an article about hackers cracking passwords, involving too wide range of computer skills, but I have tried some simple skills on my computer,the first time it took me 10h to crack the password (I know it was stupid),similar to command prompt,this is not an easy job.

  • AGAlumBAGAlumB
    1Password Alumni

    Amen to that! Kudos to the winning team, and to everyone who participated in the challenge. :chuffed: :+1:

  • KoueasuKoueasu
    Community Member

    I've found five different password cracking ways on Google, and I've tested all of them on Windows 7 and Windows 10 computer, but only two of them work for me.i suspect that the reason for the failure may be the requirement of computer skills.(I'm not a professional)
    Tow mothods that work
    I also look forward to more sharing.

  • AGAlumBAGAlumB
    1Password Alumni

    Indeed, it's fascinating stuff, even though I don't fully understand all of the implementation details. :)

  • jpgoldbergjpgoldberg

    Team Member
    edited January 2019

    New and final winners

    Our fourth place winners, ninjalikecheese and groozavu, found the solution to challenge ID 5BSLBTKR to be "minute judd obedient" on January 10. The Bugcrowd bounty brief and the github repository with the official tracking was updated the same day, but I didn't have a chance to write much about this until now.

    What is really interesting about their description of their efforts is that they are new to password cracking. They made a couple of false starts (generating candidates too slowly, not realizing that the word list was made public), but did get there in the end. They take home 4096 USD.

    I've take a brief look, and I don't think that this changes estimates of costs. (See previous discussion of estimates.)

    I will be traveling in the second half of January. So I will either be able to write stuff up in coming week, or my analysis will have to wait until February.

    A huge "thank you" to all!

    This has been an amazing learning experience for everyone. Although no further prize will be on offer, I will see if I can produce some more hints so that people can continue to play with the remaining three for their own learning.

    I hope to have more to say "soon", but that might be sometime into February.

  • hollerghollerg
    Community Member

    I think it would be useful to revisit what time for a four word password is expected to take now that you have real world data. At the nominal cost, what is the break even cost for the cracker for four words, for five? Finally with things being appropriated remotely, are those remote crackers likely to have better hardware and thus significantly shorter time than this challenge forecasts?

  • While your traveling, perhaps a blog post summary reviewing the findings and impressions of the current state of what is secure and what this current effort means???? That would be nice, if you have nothing else to do and are stuck in an airport somewhere with literally nothing else to do!

    Just read their decryption... maybe next time more folks with gear will participate. They are not evil masterminds and seems they were just curious and optimistic ($$) how it would work... and really? 6 GTX 1070 so about 30 GPU months with the hints? (I wonder if that is a fair metric)

  • KeysarecoolKeysarecool
    Community Member
    edited February 2019

    So I am a little late to the party... but what the... I just started today and thought I would try to crack one of the passwords that have already been cracked. My issue is that I can not seem to get the combinator to work in Hashcat for more than two dictionaries. I have installed the required files am using the following to test

    hashcat64.exe -a 6 -m 1450 -w 3 -O hashDocument.txt Test_Wordlist.txt Test_Wordlist2.txt Test_Wordlist3.txt

    I have tried it with -a 1 and -a 7 as well as what is in the script. Any pointers would be greatly appreciated.

This discussion has been closed.