05-28-2013, 06:29 PM
I was actually going to play the devil's advocate but did not had the time to write it properly. Since that Hashrunner has replied, I will just give my views on the contests.
First, let's face it, unless each team is gathered in an enclosed building (which will not happen even if it would be fun), there is no way to control how many people and how much hardware there is per team. Judging by the experience of the previous CMIYC contests, one of the thing that you realize is that even if you have lots of people and/or GPUs in your team, they have to be managed properly or you don't get any advantage from it. So I think that there is no point trying to control/compensate this. At best, if you want the contest to be "enjoyable" for everyone's includind unexperienced cracker, each algo should have multi-layered difficulty passwords so that each algo contains a certain amount of easy to crack password like... "password".
About hints, I am not a pentester so I cannot judge by that but by working on large leak hashlist, it's true that you get patterns and that you can/have to build attack on your first finds to get increasingly more complex passwords. Including puzzles or things to think about for me spices up the contest and personally like it a lot but it's true that it deviates from a strictly hash cracking contest. But every contest, including CMIYC, was like that thus far. To be succesful, you had to figure out what were the wordlist and rules that the organizer used to generate the password for every hash type.
One thing that I think was better than CMIYC is that you submit password with their respective hashes. In CMIYC, sometimes you would crack passwords from easy algorithm and get undeserved points for a complex algorithm also. I think that it makes more sense that the teams have at least to try using their previous finds on other algo to deserve the points.
As a suggestion for next year, adding bonuses point for the team that cracked the most hashes in each hash type is a good incentive to force the team to work on every hash type instead of focusing solely on the highest worth algorithms.
Finally, are you going to disclose the full list of passwords for every hash types? If you do, please give us a link here. I am sure most of us would like to know what was the pattern(s) for the SHA256(unix).
First, let's face it, unless each team is gathered in an enclosed building (which will not happen even if it would be fun), there is no way to control how many people and how much hardware there is per team. Judging by the experience of the previous CMIYC contests, one of the thing that you realize is that even if you have lots of people and/or GPUs in your team, they have to be managed properly or you don't get any advantage from it. So I think that there is no point trying to control/compensate this. At best, if you want the contest to be "enjoyable" for everyone's includind unexperienced cracker, each algo should have multi-layered difficulty passwords so that each algo contains a certain amount of easy to crack password like... "password".
About hints, I am not a pentester so I cannot judge by that but by working on large leak hashlist, it's true that you get patterns and that you can/have to build attack on your first finds to get increasingly more complex passwords. Including puzzles or things to think about for me spices up the contest and personally like it a lot but it's true that it deviates from a strictly hash cracking contest. But every contest, including CMIYC, was like that thus far. To be succesful, you had to figure out what were the wordlist and rules that the organizer used to generate the password for every hash type.
One thing that I think was better than CMIYC is that you submit password with their respective hashes. In CMIYC, sometimes you would crack passwords from easy algorithm and get undeserved points for a complex algorithm also. I think that it makes more sense that the teams have at least to try using their previous finds on other algo to deserve the points.
As a suggestion for next year, adding bonuses point for the team that cracked the most hashes in each hash type is a good incentive to force the team to work on every hash type instead of focusing solely on the highest worth algorithms.
Finally, are you going to disclose the full list of passwords for every hash types? If you do, please give us a link here. I am sure most of us would like to know what was the pattern(s) for the SHA256(unix).