KoreLogic's Password Cracking Contest at DEF CON

The Details:


Zoogleta has been scheming to corporatize and enshittify the Internet through regulatory capture, squashing indy devs, and commodifying users.

You've been contacted by journalists and whistleblowers who need help sifting through some big dumps of encrypted data and password hashes.

Help them so they can publish the smoking gun, crash Zoogleta's stock price, and get their leadership and the corrupt politicians they own arrested by exposing their internal dirt, for great justice.

Time is of the essence! You will have 48 hours to crack as many files and hashes as possible.


Prior to the start of the contest, KoreLogic will disseminate large encrypted file(s), that teams should pre-download. The decryption key(s) will be published once the contest starts.

More files might be released once the contest starts.

If you are entirely new to password cracking, check out the Password Village at DEF CON, and then come back.

The goal of the contest is simple: score the most points.

Types of Teams:

You have a choice of how you compete:

  • "Pro" Teams: Teams of people who want to compete for all the glory of being the best password cracking team on the Internet.
  • "Street" Teams: Individuals or groups who are more casual. People who want to play around, small teams of 1-3 people who want to compete but don't want to be competing with the "big guns". Or big GPUs, whatever the case may be.
A winning team from each category will be announced at DEF CON closing ceremonies... and be featured on the next CMIYC shirt.

Scoring Points:

Points are earned by cracking hashes and submitting plaintexts.

Teams should plan to submit their new cracks often / promptly, and check the stats page (once available) frequently.

Teams are encouraged to pre-register. See the registration HOWTO for instructions on generating a PGP keypair and registering a team.

Once registered, see the submission HOWTO for instructions on exactly what and how to submit cracks.


For everyone competing, besides following the directions about how to register and submit:
  • You MAY use as many systems/cores/GPUs/CPUs as you wish.
  • You MAY use systems NOT located at DEF CON.
  • You MAY work with other team members not attending DEFCON.
  • You MUST ONLY use systems that you are authorized to use.
  • You MUST ONLY use software that you/your team developed, or which is publicly available.
  • You MUST NOT attempt to gain unauthorized access to any system used by KoreLogic or another team.
  • You MUST NOT attempt to interfere with the efforts of another team.
  • You MUST NOT trade/share plain-texts between teams.
  • You MUST NOT attempt to steal passwords from or techniques/methods used by another team.
  • You MUST NOT be on multiple teams, or switch teams during the contest - we will assume you stole all the cracks from one or the other.
  • KoreLogic employees are not eligible for the contest.
For Pro Teams:
  • To be eligible to be named as a "Winner", you MUST agree to share your techniques / methodologies and describe the resources/tools used to crack the passwords afterwards.
  • Pro teams' roster of members must be FIRM before the start of the contest.
We do not necessarily require the member lists of Pro teams before the contest starts, but teams should not combine (or split apart) during the contest; we may disqualify one or more parties in such a situation.

Any violation of the rules can result in immediate disqualification from the contest. Any illegal activity will be reported.

Differences from previous contests:

Watch this space...


During the contest, KoreLogic will publish status and statistics.

After the contest ends, KoreLogic staff will validate final submissions and will announce the winning teams on Sunday, (time TBD, but certainly before the DEFCON C&E Awards Ceremony). The eligible team with the highest score will be the winner.

We invite all teams that participate to write up a post-event report. The teams with the most points will be required to write up their techniques/methodologies, describe the resources/tools used to crack the passwords, and describe any lessons learned, in order to be officially declared winners.
After the contest concludes, KoreLogic will:
  • Announce the winners.
  • Release some details about the plaintexts' composition.
  • Provide statistics on successful cracks.
Good luck!

Please watch this site and @CrackMeIfYouCan@infosec.exchange for updates. You can also contact defcon-2024-contest@korelogic.com with any questions, but we may not be able to respond if we do not have time or if we can't answer you directly without giving an unfair hint.