KoreLogic's Password Cracking Contest at DEF CON

The Details:

Scenario: [*]

Interpol has contacted you for assistance in helping victims of human trafficking. Law Enforcement obtained data about an active human-trafficking ring. If they recover relevant information fast enough, they can identify and obtain more warrants, and potentially rescue more victims. However, rumors will likely get out about the investigation; you have only limited time.

The data dumps recovered span some years, including old backups, internal communications, etc. However, the only items of value to investigators are users' currently valid credentials.

Password Changes: Some users heard rumors about the site being under investigation, and they are changing their passwords!

Investigators can observe and tell you which users change their passwords, but they can't get their new hashes right away. Check the
downloads page for the latest information on which users have changed their password, and any updated hashes. If you have already submitted a crack for a user before they changed, you do not need to try to crack their new password.


Prior to the start of the contest, KoreLogic will disseminate a set of files encrypted with a long random string as direct downloads, torrents, or both. Once the contest starts, KoreLogic will publish the decryption strings to unpack the files. This way, competitors can pre-download the contest files (some of which may be quite large) so that they are ready to go when the contest starts.

These will contain files of hashes and various encrypted files. Only cracks of the primary hashes are worth any points in the contest. However, cracking the encrypted files will provide information that will be valuable in attempting to crack the primary hashes.

The passwords will range from being "easy" to extremely difficult to crack. Passwords will be of varying lengths, patterns, and complexity. Creative password cracking techniques, rules, dictionaries, and tools will be needed. The teams who are smart about the methods they use (i.e., teams who can crack more, with less work) will most likely be the most successful.

The goal of the contest is simple: score the most points.

Types of Teams:

You have 2 choices in choosing how you compete:

  • "Professional" Teams: Teams of people who want to compete for all the glory of being the best password cracking team on the Internet.
  • "Street" Teams: Individuals or groups who are more casual. People who want to play around, small teams of 2-3 people who want to compete but don't want to be competing with the "big guns". Or big GPUs, whatever the case may be.
A winning team from each category will be announced at DEF CON closing ceremonies... and be featured on next year's shirt.

Scoring Points

Points are earned by cracking hashes and submitting plaintexts.

Teams should plan to submit their new cracks often / promptly, and check the stats page frequently.

Teams are encouraged to pre-register. See the registration HOWTO for instructions on generating a PGP keypair and registering a team.


For everyone competing, besides following the directions about how to register and submit:
  • You MAY use as many systems/cores/GPUs/CPUs as you wish.
  • You MAY use systems NOT located at DEF CON.
  • You MAY work with other team members not attending DEFCON.
  • You MUST ONLY use systems that you are authorized to use.
  • You MUST NOT attempt to gain unauthorized access to any system used by KoreLogic or another team.
  • You MUST NOT attempt to interfere with the efforts of another team.
  • You MUST NOT attempt to steal passwords from or techniques/methods used by another team.
  • You MUST NOT be on multiple teams or switch teams during the contest - we will assume you stole all the cracks from one or the other.
  • KoreLogic employees are not eligible for the contest.
For Professional Teams:
  • To be eligible to be named as a "Winner", you MUST agree to share your techniques / methodologies and describe the resources/tools used to crack the passwords afterwards.
  • Professional teams roster of member must be FIRM before the start of the contest. There is NO trading of plain-texts between teams.
We do not necessarily require the member lists of Pro teams before the contest starts, but teams should not combine (or split apart) during the contest; we may disqualify one or more parties in such a situation.

Any violation of the rules can result in immediate disqualification from the contest. Any illegal activity will be reported.

Differences from previous contests:

Please note the following differences from previous contests, discussed in greater detail in the relevant HOWTOs:
  • There is no "first-to-crack" score difference this year.
  • The only things worth any points are cracks of the current hard hashes. Do not bother submitting anything else.
  • Instead of submitting all cracks every time, we only need new cracks each time. We provide some feedback when a submission is processed, so that teams can detect if their submissions are failing for some reason.
  • Instead of submissions being only one plaintext per line, we want hash:plaintext in "potfile" format. Either hashcat potfile (bare hash:plain or JtR potfile (decorated hash:plain) is acceptable.


During the contest, KoreLogic will publish status and statistics.

After the contest ends, KoreLogic staff will validate each submission and will announce the winning teams on Sunday, (time TBD, but certainly before the DEFCON C&E Awards Ceremony). The eligible team with the highest score will be the winner.

We invite all teams that participate to write up a post-event report. The teams with the most points will be required to write up their techniques / methodologies, describe the resources/tools used to crack the passwords, and describe any lessons learned, in order to be officially declared winners.
After the contest concludes, KoreLogic will:
  • Announce the winners.
  • Release details about the hints and plaintexts.
  • Provide statistics on which types of passwords were cracked vs missed.
Good luck!

Please watch this site and @CrackMeIfYouCan for updates. You can also contact defcon-2019-contest@korelogic.com with any questions, but we may not be able to respond if we do not have time or if we can't answer you directly without giving an unfair hint.

[*] This is entirely fictional; any similarity to actual past, present, or future events are purely coincidental.