

Cracking Passwords on an Intel Celeron CPU - 16s
http://16s.us/16crack/defcon_2012/

======
16s
This was my 3rd year as a one man team. All the historic results and my source
code can be found online. I'm not sure what else I could do to _prove_
anything.

Efficiency is just so under-appreciated these days and many people (even
experienced programmers) don't realize just how easy it is to crack some
password hashes (nt, md4, etc). It's so easy, that with a smart approach, even
a Celeron can do it adequately.

~~~
spitfire
I'm not sure about now, but back in the day a Celeron was just a Pentium with
2nd level cache disabled. So if your algorithm wasn't memory access intensive
(like, say password cracking) it was just as fast as a Pentium at a fraction
of the price.

I'm sure now a Celeron/Atom/Pentium/Core-whatever are all differentiated by
more than just cache and core counts.

~~~
Klinky
Actually the Pentium & Celeron brands aren't really a whole lot different than
their higher end counterparts like Core i3/i5/i7. The main difference still is
core count, cache and clock. Minor things also apply now such as hardware
threads & TurboBoost, but the underlying architecture is quite similar.

The Celeron 430 used in the tests is based off the Conroe core which is what
Core/Core2 products used. Just with less cache and slower front side bus.

I think the point was that a CPU which retailed for $50 5 years ago, beat out
a bunch of exotic and more costly setups.

~~~
spitfire
I do remember at one point the Celeron had a very locked (like 66 MHz while the
good stuff was 133 MHz) front side bus.

But again, if you don't need FSB performance, it's not actually a loss but a
net gain - same calculations for less money.

~~~
Klinky
Yeah the original Celeron was absolutely horrible without any L2 cache and the
slower bus. Once the Celeron 300A hit the scene, it became pretty respectable.

~~~
PakG1
I think mostly because that thing was so easily overclockable. I remember
running my dual 366A on an Abit BP6 to 550, perfectly stable on Windows XP
with stock cooling.

------
DanBC
I noticed the commonly used words list. Is this perhaps a failing of Diceware?
I feel like people choose a passphrase, but then they tinker with it because
they don't think they'll remember it, which leaves some words much more likely
to be chosen and some words much less likely to be chosen.

So, instead of the 7776 words you end up with (well, still very many words)
fewer.

I'm keen to see further work in optimisations (such as yours) and also into
the psychology of choosing passphrases.

I agree that there comes a point where more GPUs is just "Meh, so what?"

------
kylemaxwell
I'm sitting at the airport to leave DEFCON and regretted not participating
this weekend. I can think of a few ways for a one-man team to compete
effectively, mostly involving the GPU instances at EC2. While the competition
is over, the files are still available, so I hope to poke at this idea this
week and see how it goes.

~~~
16s
It seems that the focus this year was pass phrases. Notice the final note I
just added to the website. I should have realized this based on the hints
provided at the end of the contest. Anyway, I gave an example on how to crack
some.

------
rmc
Interesting, but I wish the author gave more details for a bold claim.

~~~
nl
The author links to the official results page[1] where the 7th place
contestant is called "16Systems" (the domain name of the author is 16s.us, and
the blog is "Copyright 2012 16 Systems").

Clicking on the PGP key of the 7th placed contestant[2] shows that person did
things that match what the blog claimed.

Additionally, the software the author used is linked in the blog post.

Exactly what "more details" do you require?

[1] <http://contest-2012.korelogic.com/stats.html>

[2] <http://contest-2012.korelogic.com/stats_CCDF04C80A00F55B.html>

~~~
patdennis
I, for one, am curious about the details of how he did it.

------
pixie_
... This is my last year participating in the contest as a one man team. The
same big teams always win and the little guys stand no real chance. Here are
my suggestions for future contests:

1\. Create team divisions so that big teams with dozens of members and dozens
of GPUs would only compete with each other. Sort of similar to divisions in
boxing (heavy weights, middle weights, light weights). That would make for a
more evenly balanced contest and ensure that small teams have just as much of
a chance to win as the big teams.

2\. Provide bonus points to teams that use software they wrote themselves or
hardware they built themselves from scratch. Anyone can download and execute
other people's software and/or buy lots of high-priced video cards. Neither of
those require much thought or creativity and neither of those are a cool hack
suitable for Defcon.

------
havemurci
Meh. The Celeron was just a gateway to his home network. What machines was he
running there?

~~~
kamkha
I believe he meant that the machine was _usually_ used as a gateway to his
home network, but he repurposed it for the competition.

