KoreLogic's Password Cracking Contest at DEF CON

Submitting Results

The contest has ended! We are no longer taking submissions.

Once you have cracked some passwords, submit them to us in a PGP signed & encrypted email.

Password hashes

Every time you submit cracked passwords, send us the new cracks as hash:plaintext, each on one line by itself. Don't include anything else on the lines, such as usernames. Normally Hashcat's potfile or --output-mode 3 output (possibly including $HEX[] encoded plaintexts) or John the Ripper's potfile format will work. However, Hashcat's scrypt format flavors do not include django-scrypt, so you may need to do some massaging.

Note that only cracks of the main django-scrypt hashes should be submitted. There are various encrypted files and alternate hash files; these are worth zero points and you should not submit cracks of them to us.

Like last year, we only want new cracks. We will verify them, and update the stats page, and provide some feedback/mechanisms for teams to confirm that we've verified their cracks.

Initially, re-submitting repeated cracks will only be a warning, not an error that might cause a team to be blocked. At some point as the contest goes along, that will change, but it will only be enforced if a team is sending a large proportion of repeats.

If you keep sending us junk that's not correct cracks, we will assume you are spewing /dev/random at us and may shun all future mail from you.

Submit often

You should submit new cracks frequently. We encourage teams to work out some shared and/or automated way to submit cracks.

For teams that are small and/or can't automate their submissions, you may not be able to submit for some long stretches due to sleep, etc. But a team that suddenly submits a big jump in cracks/points after a long silence could mean that a team has stolen cracks from another team. If a team goes more than 12 hours without an update, we may decide you gave up or died of alcohol poisoning.

In particular, this year some users are changing their passwords while you are in the middle of trying to crack them! Watch the downloads page for updates. If you succeed in cracking and submitting a user's password before they changed it, then good - you're done with that user. If you're too late, submitting the expired password is worthless. But it might still be valuable if you get that user's updated hash later...

But not too often

Do not flood us with submissions. We will assume you are trying to DoS us. We may throttle submissions from a team sending faster than once per minute, especially if you are also sending repeats.

Repeatedly sending us multiple submissions per minute may get your team temporarily or permanently banned.

In past years we had fairly strict throttling (postgrey, fail2ban, iptables rate limiting) in place. We are going to try without such limits, but if we see abuse we may change that.

Submission feedback

Like last year, there is some feedback teams can use to verify we digested your submission.

The auto-responder will reply to a submission (unless it is complete garbage) with a short summary showing the successful cracks received, and the types of errors encountered if any.

As always, we will try to contact teams whose submissions we see fail, but no guarantees if or when we will have time to do so.

Example submission

Here is what a submission process might look like.
$ cat cracked

$ gpg -a -o submission-email.pgp.asc -r sub-2019@contest.korelogic.com \
-se cracked
$ mail -s "cracked" sub-2019@contest.korelogic.com \
< submission-email.pgp.asc
Or attach the file submission-email.pgp.asc to an empty email to sub-2019@contest.korelogic.com, for example if you are using Gmail.

Don't forget to use --local-user 0xDEADBEEF if you created a dedicated PGP key just for this event.
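
One way to automate the "only new cracks" rule ahead of the gpg step above (an added example, not KoreLogic's tooling): it keeps a local ledger of lines already sent and writes only unseen hash:plaintext lines to the file that gets encrypted. The function names, the ledger file and the HASH_* sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: send only cracks that were not in an earlier submission.
# Function names and the ledger file are assumptions, not contest tooling.

# new_cracks POTFILE LEDGER: print hash:plaintext lines not yet in LEDGER.
# Lines are compared whole; a missing LEDGER means nothing was sent yet.
new_cracks() {
    awk -v ledger="$2" '
        BEGIN { while ((getline line < ledger) > 0) sent[line] = 1 }
        { sub(/\r$/, "") }                      # tolerate CRLF potfiles
        index($0, ":") < 2 { next }             # no hash before a colon: skip
        !($0 in sent) { sent[$0] = 1; print }   # emit each new line once
    ' "$1"
}

# prepare_submission POTFILE LEDGER OUT: write the delta to OUT.
# Returns non-zero when there is nothing new, so no empty mail is sent.
prepare_submission() {
    new_cracks "$1" "$2" > "$3"
    [ -s "$3" ]
}

# record_sent OUT LEDGER: append the submitted lines to the ledger.
record_sent() {
    cat "$1" >> "$2"
}

# Demo on constructed data (placeholder hashes, not contest hashes).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'HASH_A:summer2019' > "$d/sent"
    printf '%s\n' 'HASH_A:summer2019' 'HASH_B:$HEX[70c3a47373]' \
        'HASH_B:$HEX[70c3a47373]' 'no-separator' \
        'HASH_C:pass:with:colons' > "$d/pot"
    if prepare_submission "$d/pot" "$d/sent" "$d/cracked"; then
        cat "$d/cracked"      # next: gpg -se and mail, as shown above
        record_sent "$d/cracked" "$d/sent"
    fi
    rm -rf "$d"
}
demo
```

Calling record_sent only after the auto-responder has confirmed a submission keeps cracks from a failed mail in the next delta.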