KoreLogic's Password Cracking Contest at DEF CON

The Details:


This year's contest is a targeted attack against 12 individuals. We've obtained a stockpile of their previous and current password hashes. As time went on, these users became more and more aware of password complexity requirements and guidelines. In turn, they have started making more and more complex passwords. But, like most users, they hardly even changed their principle method for password creation. Your challenge is to deduce the users' tricks/methods for password creation, and use those to crack all their passwords.

The Street teams will be cracking the older passwords, and the Pro teams will be struggling with the more recent passwords.


Probably similar to last year, but subject to change:

Prior to the start of the contest, KoreLogic will disseminate a set of files encrypted with a long random string as direct downloads, torrents, or both. Once the contest starts, KoreLogic will publish the decryption strings to unpack the files. This way, competitors can pre-download the contest files (some of which may be quite large) so that they are ready to go when the contest starts.

These will contain files of hashes and various encrypted files. Only cracks of the primary hashes are worth any points in the contest. However, cracking the encrypted files will provide information that will be valuable in attempting to crack the primary hashes.

The passwords will range from being "easy" to extremely difficult to crack. Passwords will be of varying lengths, patterns, and complexity. Creative password cracking techniques, rules, dictionaries, and tools will be needed. The teams who are smart about the methods they use (i.e., teams who can crack more, with less work) will most likely be the most successful.

If you are entirely new to password cracking, check out the Password Village at DEF CON, and then come back.

What to Submit: There will be different hash sets for Street teams and Pro teams; teams should submit all cracks for their class's hashes. However, it would also be in Pro teams' best interests to crack all Street hashes. Not to submit them, just... because.

Password Changes: As the contest progresses, some users will change their passwords, at which time their old hash will become worthless. If your team has cracked and submitted that user's password and gotten credit already, you are done. But any team that hasn't cracked that user's password yet won't get any points for their old password, only for cracking their new hash once it is released. Therefore, it is in teams' best interest to submit cracks as soon as possible!

The goal of the contest is simple: score the most points.

Types of Teams:

You have 2 choices in choosing how you compete:

  • "Pro" Teams: Teams of people who want to compete for all the glory of being the best password cracking team on the Internet.
  • "Street" Teams: Individuals or groups who are more casual. People who want to play around, small teams of 1-3 people who want to compete but don't want to be competing with the "big guns". Or big GPUs, whatever the case may be.
A winning team from each category will be announced at DEF CON closing ceremonies... and be featured on next year's shirt.

Scoring Points:

Points are earned by cracking hashes and submitting plaintexts.

Teams should plan to submit their new cracks often / promptly, and check the stats page frequently.

Teams are encouraged to pre-register. See the registration HOWTO for instructions on generating a PGP keypair and registering a team.


For everyone competing, besides following the directions about how to register and submit:
  • You MAY use as many systems/cores/GPUs/CPUs as you wish.
  • You MAY use systems NOT located at DEF CON.
  • You MAY work with other team members not attending DEFCON.
  • You MUST ONLY use systems that you are authorized to use.
  • You MUST NOT attempt to gain unauthorized access to any system used by KoreLogic or another team.
  • You MUST NOT attempt to interfere with the efforts of another team.
  • You MUST NOT attempt to steal passwords from or techniques/methods used by another team.
  • You MUST NOT be on multiple teams or switch teams during the contest - we will assume you stole all the cracks from one or the other.
  • KoreLogic employees are not eligible for the contest.
For Pro Teams:
  • To be eligible to be named as a "Winner", you MUST agree to share your techniques / methodologies and describe the resources/tools used to crack the passwords afterwards.
  • Pro teams' roster of members must be FIRM before the start of the contest. There is NO trading of plain-texts between teams.
We do not necessarily require the member lists of Pro teams before the contest starts, but teams should not combine (or split apart) during the contest; we may disqualify one or more parties in such a situation.

Any violation of the rules can result in immediate disqualification from the contest. Any illegal activity will be reported.

Differences from previous contests:

This year will be mostly like the 2019 contest, the biggest difference so far announced is:
  • Start/Stop times are Noon US/Pacific (Las Vegas) time, rather than midnight or 10PM which is what we have typically done in the past.


During the contest, KoreLogic will publish status and statistics.

After the contest ends, KoreLogic staff will validate each submission and will announce the winning teams on Sunday, (time TBD, but certainly before the DEFCON C&E Awards Ceremony). The eligible team with the highest score will be the winner.

We invite all teams that participate to write up a post-event report. The teams with the most points will be required to write up their techniques/methodologies, describe the resources/tools used to crack the passwords, and describe any lessons learned, in order to be officially declared winners.
After the contest concludes, KoreLogic will:
  • Announce the winners.
  • Release details about the hints and plaintexts.
  • Provide statistics on which types of passwords were cracked vs missed.
Good luck!

Please watch this site and @CrackMeIfYouCan for updates. You can also contact defcon-2020-contest@korelogic.com with any questions, but we may not be able to respond if we do not have time or if we can't answer you directly without giving an unfair hint.