Alan Kaminsky Password Cracking Competition

Anybody doing this? There's no $$ just glory. It will (maybe) determine if using random words instead of random characters is a better password policy. A few sites use this method, notably which issues the user 12 random words as a password.
There is some doubt's:
I will withhold the reward if in my judgment the paper does not adequately describe how you found the password or if the source code is not publicly available and free software licensed.
There is $$ involved, albeit not anywhere near enough to make it worth anyone's time.

Quote:4 words ― $64.00
5 words ― $80.00
6 words ― $96.00
7 words ― $112.00
8 words ― $128.00

To claim the reward, you must:

Write a paper, following accepted academic research paper standards, listing the correct password and describing how you found the password. The paper must describe, in detail, the hardware you used, the software you used, and the amount of time it took to crack the password. The paper must include a link to the publicly available, free software licensed, source code for the software you used.
Publish the paper in a research conference, a research journal, or the Cryptology ePrint Archive.
Send me a citation or link to the published paper. (See my contact information.)

The bounties and requirements are utterly laughable. Not to mention the fact that the entire premise of the contest is pointless.

This is essentially Diceware -- except actually a lot more secure than Diceware, since it uses a much larger wordlist -- and the security of Diceware was never in question to begin with. You also don't need to hold a contest, the math is pretty indisputable. The weakest passphrase he generated has a keyspace of 65536^4, which is nearly equivalent in strength to a 10-character random password. The strongest passphrase he generated is 65536^8 which is just stronger than a 19-character random password. Due to the improbable-to-impossible keyspaces involved, if someone did manage to crack one of the passphrases, it would be only by sheer luck. It certainly wouldn't prove the Diceware method is insecure, so there really is no point to the contest whatsoever.

I'm also curious as to why he chose raw SHA512 as the hashing algorithm. From his statements it appears that he actually believes it is acceptable for password storage.

In my view, the bounties & requirements are definitely the most troubling part. He seems to have tied the dollar amounts to the entropy of each passphrase. He's equivocally stating "I will give you $128 to crack a 128-bit symmetric key." To me, it just further solidifies the fact that there is a massive disconnect between academia and reality. The only one of those hashes that you even have a remote chance of cracking is the 4-word one, and it damn sure isn't going to be some academic who cracks it. And I highly doubt any one of us would do it for the frankly insulting sum of $64, let alone waste more than 5 minutes writing an academic paper on a process that any password cracker worth his salt already knows about.

Actually, I went ahead and wrote a paper for anyone who does crack one of the hashes. Feel free to publish it.

Just my 0.02฿, but the competition seems utterly pointless and the author seems utterly clueless.
(07-08-2014, 12:51 AM)docder Wrote: which issues the user 12 random words as a password.

12 words completely defeats the purpose of using passphrases.