29/05/2018


1Password Game | LIVE NOW!

Program News

November 10, 2018. 2SB5OP3G has been cracked.

We have a third place winner! Challenge 2SB5OP3G has been cracked by the same team to take first place and second place. The password was "befell car granary". Participants should no longer pursue this one.

November 7, 2018. SFELTO3W has been cracked.

We have a second place winner! Challenge SFELTO3W has been cracked by the same team to take first place. The password was "faint bust perturb". Participants should no longer pursue this one.

October 14, 2018. DOHB6DC7 has been cracked.

We have a first place winner! Challenge DOHB6DC7 has been cracked by a team. The password was "mansard humpback unbutton". Participants should no longer pursue that one.

September 24, 2018. 2 bit hints.

We are publishing the first two bits of the SHA256 hash of the unsalted solutions. These, when published, will be at

https://github.com/agilebits/crackme/tree/master/password-day-2018-2bit-hints.json

August 23, 2018. 1 bit hints.

We are publishing the first bit of the SHA256 hash of the unsalted solutions. These, when published, will be at

https://github.com/agilebits/crackme/blob/master/password-day-2018-1bitHints.json

July 26, 2018: We have doubled again the total prize offerings.

As of July 26, 2018 we are doubling again the total amount we are rewarding for this program. To make this worthwhile for a greater number of participants we are quadrupling the 4th place prize (from $1024 to $4096) and increasing the 1st place prize by a factor of 1.5 (from $8192 to $12288). See details below for all prizes.

June 11, 2018: We have doubled the prizes

As of June 11, 2018 we have doubled the prizes. The top prize is now $8192. We have also added a fourth prize with a $1024 award.

May 3, 2018. This program is LIVE

As of World Password Day, May 3, 2018, this program is live. The challenges are available here: https://github.com/agilebits/crackme/tree/master/password-day-2018.json


Password Cracking Challenges

Our (1Password's) goal in offering these challenges is to gain a better sense of how well various types of user Master Passwords resist cracking if 1Password data is captured from a user's device.

Background:

Our use of Two Secret Key Derivation (2SKD) protects users from Master Password cracking attempts in the event that data is captured from our servers, but 2SKD does not offer that protection if data is captured from the user's own device. Thus the strength of user Master Passwords remains an important part of user security for 1Password.

We need to encourage users to use Master Passwords that:

  1. people can remember
  2. people can reasonably enter on their devices
  3. are sufficiently strong

We are creating these challenges to help us better understand (3).

Challenges can't be too hard (or too easy):

We would love for people to use 1Password Master Passwords that are simply too hard to crack in the event that data is captured from their local devices. But if we present cracking challenges that are too hard to win, nobody will take the challenge. Instead, we are offering what we hope are winnable challenges with sufficient prizes that many of them will be won.

Let us emphasize this point for when results come in: These challenges are intended to be winnable. A success does not indicate any weakness in 1Password.

This means that the passwords we present here are weaker than we recommend as 1Password Master Passwords. The prizes we offer should be worth the effort that the participants need to put in.

At the same time we want the attempts to take some real effort so that we can get more data on that effort. In any cracking effort there are fixed costs of simply setting up the cracking run (preparing the data, configuring the software, etc.); we want those costs to be dominated by the actual cracking.

How we help the participants:

Our interest is to understand cracking efforts in terms of the strength of a test Master Password under the assumption that an attacker fully knows the details of key derivation and password generation scheme. Therefore we try to provide everything a participant will need to know to set up their systems prior to the beginning of the competition. Thus we make available

  1. The source for the scripts used to generate the challenge passwords
  2. Sample challenges (some with "answers") published prior to the official challenge.
  3. The KDF we use for these challenges is stripped of many of the idiosyncrasies of the 1Password KDF that are not relevant to the difficulty of cracking locally captured data.

Individual challenges will look something like this, but see the source for generating them and the sample docs for more detail.

{
    "id": "aXw39qx7a5kt",
    "hint": "3 words",
    "prf": "HMAC-SHA256",
    "rounds": 100000,
    "salt": "697c37f6ac7b6b992d12c8eab3269af6",
    "derived": "3e0f1903cc73b07a7070a661f8450d495cc99151ae67bcdf69a80d0391e7d62f"
}

Administration:

To ensure fair handling of the contest itself and the award of payments, we are asking BugCrowd to administer this. This is a natural choice, as they both have the experience with delivering bounties, and have earned a reputation as a trusted party in dealing both with those offering bounties and those seeking them.

Prizes:

  • For the first person or team to crack a three word password, we offer ~~4096 USD~~ ~~8192~~ 12288 USD. [this line and the associated, cracked hash will be updated when this objective has been completed]

  • For the second person or team to crack a different three word password, we offer ~~2048 USD~~ ~~4096~~ 8192 USD. [this line and the associated, cracked hash will be updated when this objective has been completed]

  • For the third person or team to crack yet a different three word password, we offer ~~1024 USD~~ ~~2048~~ 6144 USD. [this line and the associated, cracked hash will be updated when this objective has been completed]

  • For the fourth person or team to crack yet a different three word password, we offer ~~1024~~ 4096 USD. [this line and the associated, cracked hash will be updated when this objective has been completed]

If no correct submission has been submitted within one month, we may increase the prizes. However, such an increase and the timing of it (if it occurs) will be unpredictable. Do not delay a submission in the hope of an increased prize.

Rules:

  1. No employee of AgileBits or BugCrowd can win.
  2. Social engineering, or gaining the solutions through penetration is not allowed. This is a cracking-only exercise.
  3. Participants may only use systems with the owner's permission. You may not steal computing resources in your cracking efforts.
  4. Winners must provide a write-up of what they did, with estimations of total cost to crack, guesses per second, and the systems used. The write-up need not be submitted at the same time as a successful crack, which only needs to include the ID of the particular challenge and the successful password. The detailed report can be uploaded after the fact, but must be received before a reward will be disbursed.
  5. If you've successfully cracked one of the passwords, please use the "submit report" button in the upper right corner, and provide the cracked password. All reports are timestamped, so the first valid submission will be the winner in this regard.
  6. Submissions must contain the ID of the specific item and include only a single candidate password for that item.

Related blog: How strong should your Master Password be? For World Password Day we’d like to know

Related discussion on the Agilebits (1Password) discussion forums. Please follow that discussion for news, and well, discussion.

Possible hints

On August 23, we are publishing hints that include the first bit of the unsalted SHA256 hash of the solutions. Those will appear in https://github.com/agilebits/crackme/blob/master/password-day-2018-1bitHints.json once published.

See this comment on our discussion forums for more details about the hints with references to how they were generated.
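The challenge record shown above (PBKDF2 with HMAC-SHA256, 100000 rounds, hex salt, hex derived key) and the published hint bits both boil down to two hash computations. The following is an added example, not code from the crackme repository: it builds a record in that layout from a constructed password and salt, then checks a claimed solution the way an administrator verifying a submission would. It assumes a 32-byte derived key, UTF-8 encoding of the password, and that a hint is the leading bits of the first byte of the unsalted SHA-256 of the password string; the forum comment, not this page, is the authority on the real hint construction.

```python
import hashlib
import hmac
import json

# Constructed sample values in the published challenge layout (not a real challenge).
CONSTRUCTED_SALT_HEX = "00112233445566778899aabbccddeeff"
CONSTRUCTED_PASSWORD = "example words here"  # constructed; not a real solution


def make_challenge(challenge_id, password, salt_hex, rounds=100000, hint="3 words"):
    """Build a challenge record: PBKDF2-HMAC-SHA256 over the UTF-8 password.
    Assumes a 32-byte derived key (the page's 'derived' field is 64 hex chars)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), rounds, dklen=32)
    return {"id": challenge_id, "hint": hint, "prf": "HMAC-SHA256",
            "rounds": rounds, "salt": salt_hex, "derived": dk.hex()}


def hint_bits(password, nbits):
    """Leading bits of the *unsalted* SHA-256 of the password, as '0b..'.
    Assumption: published hints are the top bits of the first digest byte."""
    first_byte = hashlib.sha256(password.encode("utf-8")).digest()[0]
    return "0b" + format(first_byte >> (8 - nbits), f"0{nbits}b")


def verify_solution(challenge, candidate, published_hint_bits=None):
    """Check a claimed solution: recompute the KDF and compare in constant time.
    If hint bits are supplied, the candidate must also agree with them."""
    if challenge["prf"] != "HMAC-SHA256":
        raise ValueError("unsupported prf: " + challenge["prf"])
    expected = bytes.fromhex(challenge["derived"])
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(challenge["salt"]),
                             challenge["rounds"], dklen=len(expected))
    if not hmac.compare_digest(dk, expected):
        return False
    if published_hint_bits is not None:
        nbits = len(published_hint_bits) - 2  # strip the '0b' prefix
        if hint_bits(candidate, nbits) != published_hint_bits:
            return False
    return True


if __name__ == "__main__":
    ch = make_challenge("CONSTRUCTD", CONSTRUCTED_PASSWORD, CONSTRUCTED_SALT_HEX)
    print(json.dumps(ch, indent=4))
    print("verify correct:", verify_solution(ch, CONSTRUCTED_PASSWORD))
    print("verify wrong:  ", verify_solution(ch, "wrong guess here"))
    print("2-bit hint:    ", hint_bits(CONSTRUCTED_PASSWORD, 2))
```

A mismatch between the published hint bits and a candidate that nonetheless passes the KDF check would mean the assumed hint construction is wrong, not that the candidate is.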

The challenges are available at: https://github.com/agilebits/crackme/tree/master/password-day-2018.json

Contest status

The challenges have been published and the race is on!

Last update: 2018-11-07 20:36:03 UTC

ID | Status | Successful password | Hint | Submission date | By whom | Place | Write-up location
---|---|---|---|---|---|---|---
3UOKUEBO | Sample | governor washout beak | 0b01 | N/A | Sample | 0th | N/A
AJPYJUTN | Sample | glassy ubiquity absence | 0b11 | N/A | Sample | 0th | N/A
IV2DL67Q | Sample | splendor excel rarefy | 0b01 | N/A | Sample | 0th | N/A
NO4VRU4S | Not found | | 0b10 | | | Nth |
33YRS77A | Not found | | 0b01 | | | Nth |
J6J4QUWQ | Not found | | 0b01 | | | Nth |
SFELTO3W | Found | faint bust perturb | 0b00 | 2018-11-07 | TBA | 2nd | TBA
DOHB6DC7 | Found | mansard humpback unbutton | 0b00 | 2018-10-14 | TBA | 1st | write up
2SB5OP3G | Found | befell car granary | 0b00 | 2018-11-10 | | 3rd |
5BSLBTKR | Not found | | 0b10 | | | Nth |

The target will be finding passwords which generate the non-sample challenges in the file to be published as described in the brief. Nothing else is in scope. Social engineering, or gaining the solutions through penetration is not allowed. This is a cracking-only exercise.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.


FireBounty (c) 2015-2018