Monday, May 07, 2012

Challenge received

[Picture from - I'm a Star Wars fan!]

"Accept the challenge I do, your Highness". (Yoda, Star Wars)

Kirsi Helkala gave presentations at both Passwords^10 and Passwords^11. Her work on passwords is fascinating, now working as a associate professor at Gjøvik University College in Norway. See her list of publications to understand what I'm talking about. She has given me a challenge - nine in fact - all being unsalted MD5s. I need help! :-)

Oh, and before you ask; yes, I am allowed to ask for help. Not too many restrictions really, as long as we do not fallback to XKCD 538.

Lets get to work.

Kirsi is doing research into passwords, in areas such as "creating strong passwords that are easy to remember". Personally I think that is pretty important research that more people should do as well.

Kirsi has created 9 different passwords, in three groups. Each group has one "easy", one "medium" and one "hard" password.

First password category is WORD based: dictionary words have been put together (xkcd 936?), where leet language may have been applied. Example: K1RS1L1KerSoMMer ("Kirsi likes summer")

Second password category is MIX:  Dictionary words put together with other characters, and the words may also be modified. Example: #K1RS1#L1KeR#SoMMer! (Still "Kirsi likes Summer")

Third password category is NON-WORDS:  No "readable" words. Example: #K1#L1#So!

Kirsi really needs information on: 
  • What kind of methodology we used
  • In which order
  • How much time spent pr task / in total (of possible)

Here are the unsalted MD5 hashes, no info given on which group is which category from above:




I've taken a few rounds using oclhashcat-plus, with various dictionaries and tested several rulesets. Nothing found so far, after the first 15-20 minutes trying. Absolutely something different from the best64.rule competition. (Perhaps Kirsi should contribute to @crackmeifyoucan?) :-)


  1. Remember you can not crack most of the hashes since oclHashcat-plus supports only passwords < length 16.

  2. I fed the hashes to JulGor's (it checks common hash databases online) with negative result...

  3. Hey Per,
    Sounds fun. You know I always love a challenge. I don't have much time to spend on it, (heck I still owe you an e-mail), but that's the joy of password cracking. As long as I can set up an initial attack I can let it run while doing other things ;p

    My main question is if those examples, (such as 'K1RS1L1KerSoMMer') came from Kirsi herself, or was it your interpretation of the rules? This matters a lot since I'll be prioritizing changing 'i's to 'l's then, along with some other rules, (no spaces, make sure the first letter is capitalized, etc).

    I expect the capitalization to be the biggest pain for cracking the first set. Three to Four words with MD5 hashes is relatively easy, but when you throw in weird capitalization, it starts getting really difficult.

    Of course, difficult is fun ;p

    Oh, finally is "L1Ker" a typo of likes or am I missing something?

  4. Atom: thx. Additional info from Kirsi: some of the 9 passwords are <16, most of them are longer. Will use oclhashcat-lite & multiforcer (and others perhaps).

    Stein: Thx! Didn't think of that one, but I am not surprised you didn't find anything.

    Matt: all examples are directly from Kirsi, no translations from me. L1Ker is "likes", with digit 1 as 1337 replacement for letter i.

    1. Thanks Per. I guess I wasn't confused by the 1 as a replacement for i so much as the 'r' as a replacement for 's' ;p

  5. Also does "words have been put together" mean randomly (à la XKCD) or as in a valid phrase, as seems implied by the sample ?

    1. My guess is valid phrase, as this is research from Kirsi into creating memorable passphrases. While XKCD 936 is definitely on to something, four random words is still not that memorable imho, and can be made even easier.

  6. The paper from Kirsi that gives the full scientific explanation of her research is now online:

    Unfortunately it is payware, although not that much. What we - you - are attacking is explained in that paper.

  7. Additional information received from Kirsi Helkala today, Wednesday May 23, 2012:


    If we label passwords with numbers 1 to 9 from top to down, the following might help:

    Passwords 1, 4 and 7 are based on associations on academics.

    Password 2 is based on associations on holidays.

    Password 3 is based on associations on hunting.

    Password 5 is based on associations on health services.

    Password 6 is based on associations on Finnish time.

    Password 8 is based on associations on goldsmith and watchmaker.

    Password 9 is based on associations on middle age.

    In most cases, Norwegian and English (alone or mixed) are used but also Finnish (mixed). You can skip Finnish dictionnaires, because here are the Finnish associations you need: akoru, erä and Suomi.

  8. e231227ca23c28910d562399c51b9a83 ACADEMYB230
    just a quick request to one of the online "hashes lookup" services, so seems like somebody actually cracked it before but was too shy :)


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.