Hashcracky Guide

Choose a section to get started

Quick Navigation

1. Hashcracky Application Guide

Learn how to use the Hashcracky platform and participate in competitions

What is Hashcracky?
Competitions and Events
Leaderboards and Scoring
Team Play
Making Submissions
Understanding the Game Page
Global Features
API Usage
Privacy and Data Collection
Code of Conduct

What is Hashcracky?

Hashcracky is a competitive cryptographic hash recovery platform designed for security professionals and enthusiasts of all skill levels. We provide challenges and events where players solve hash-cracking puzzles in a fun, educational, and competitive environment.

Important: All hashes used in competitions are artificially generated for educational purposes. We never use real-world hashes or actual leaked credentials. Each hash is carefully crafted to teach specific concepts and techniques while ensuring a safe learning environment. Hashcracky is intended for entertainment, educational, and research purposes only. Always practice ethical hacking and respect legal boundaries.

Competitions and Events

Competitions progress through several stages:

Upcoming: Competition announced but not yet active. Hash lists are not yet available for download and submissions are not accepted. Teams can be created during this stage so players can organize before the event begins.
Active: Hash lists available for download, submissions accepted. A live countdown timer is displayed on the game page showing the remaining time.
Idle (8 hours): When an event ends, an 8-hour freeze period begins. During this window, the final leaderboard snapshot is locked, winners are determined, crowns are awarded, and no submissions are accepted. This ensures a fair determination of placements.
Past: Competition archived. Submissions are accepted again for practice purposes, but placements and crowns have already been finalized from the event-end snapshot. Players can continue to work on remaining hashes at their own pace to develop their skills.

Each competition may contain one or more hash lists, each with its own set of hashes to recover. Hash lists contain at most 450,000 hashes and events are normally 3 days. Competitions can vary in duration, difficulty, and the types of hash algorithms used. Check the game description for details specific to each event.

You can participate in multiple competitions simultaneously. Your progress is tracked independently for each game.

Leaderboards and Scoring

Points are awarded to individual players based on the total value of hashes they recover. Leaderboards update in real-time as submissions are processed. If a user is on a team, their founds are dynamically compared to the entire team to update team scores.

Each game's leaderboard can be viewed in two modes: Current shows the live standings, and Event End shows the snapshot taken when the competition ended. Click on any player's name in the leaderboard to expand and view their per-list recovery progress, including the number of hashes recovered and the total available for each list.

Crown System

The top five players in each competition receive crowns that persist on their profiles. The winner receives two crowns instead of one. Crowns are visible across all leaderboards.

Crowns are awarded after the 8-hour idle freeze completes when the event transitions to the completed state. They are based on the event-end leaderboard snapshot, ensuring fair and final placements.

Per-List Progress

Your recovery progress is tracked per list within each game. This means you can see exactly how many hashes you have recovered out of the total for each individual list, along with how many of those recoveries are unique (not also found by teammates if you are on a team). This breakdown is accessible by clicking on a player name in the leaderboard.

Team Play

Hashcracky supports team-based competition, allowing groups of players to collaborate and compete together within a game. Teams appear on the leaderboard alongside individual players.

Team Size

Each team can have a maximum of 8 members by default, including the captain. The player who creates the team is automatically designated as the captain and is added as the first member.

Creating a Team

To create a team, navigate to the Teams tab on any game page. You must be logged in and not already on a team for that game. Teams can be created as soon as a game appears on the site, regardless of its current state, allowing players to organize before an event begins. When creating a team, you will provide:

Team Name: Must be unique within the game. Team names are validated against a blocklist and cannot contain offensive language.
Invite Members (optional): You can invite other registered users by username. They will receive a pending invite that they can accept or decline. Invited users are not added until they accept.
Join Policy: Controls how other players can join your team after creation.

Join Policies

When creating a team, you choose one of three join policies:

Open: Any player can join the team immediately without approval, as long as the team is not full.
Request: Players can request to join. The captain will see pending join requests and can approve or deny them. This is the default policy.
Invite-only: Only players who have received an invite from the captain can join. Players without an invite will be denied.

Joining a Team

How you join depends on the team's join policy:

For Open teams, clicking "Join" adds you immediately.
For Request teams, clicking "Join" sends a request to the captain. If you have a pending invite, you are added immediately instead.
For Invite-only teams, you can only join if you have a pending invite.

You can only be on one team per game. If you are already on a team, you must leave it before joining another.

Leaving a Team

Any member can leave a team at any time using the Teams tab on the game page. After leaving, you are free to join or create a different team within that game. Team scores and found counts are always calculated dynamically based on current membership, so when a member leaves, the team totals adjust to reflect only the remaining members' contributions. The departing player retains their individual stats.

Team Scoring and Unique Founds

Team scoring works as follows:

Each team member submits their recovered hashes individually, just like a solo player. Submissions are always made to your own account.
The team's total found count is computed by aggregating all members' founds with deduplication. If two members both recover the same hash, it only counts once for the team.
Team scores update dynamically as members submit. The team's leaderboard entry reflects the union of all unique founds across its members.
Individual players still maintain their own personal found counts and per-list progress, even while on a team.

This means coordination matters: splitting up hash lists among team members and focusing on different targets will maximize your team's overall recovery rate.

Captain Responsibilities

The team captain can invite additional members and respond to join requests (for teams using the "Request" join policy). The captain manages the team through the Teams tab on the game page.

Crediting Submissions to Teammates

Team captains can optionally attribute a submission to a specific teammate by appending the ?credit=<USERNAME> query parameter to the submit endpoint. When used, the found hashes, points, stats, and announcements are all recorded under the credited teammate's account instead of the captain's own account.

Only the team captain can use this parameter. Non-captains will receive a 403 Forbidden error.
The credited user must be a current member of the captain's team.
The credited user must be a registered account on the platform.
If the parameter is omitted or set to the captain's own username, the submission is credited to the captain as normal.
The response JSON will include a "credited_to" field when credit is redirected to another user.

Example using curl:

curl -X POST \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: text/plain" \
  --data-binary @founds.txt \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/submit?credit=teammate_username"

Example JSON response when credit is redirected:

{
  "added_count": 42,
  "total": 150,
  "new_hashes": ["..."],
  "rejected_hashes": ["..."],
  "credited_to": "teammate_username"
}

This is useful when a captain is consolidating and submitting cracked hashes on behalf of a teammate who performed the recovery work. The team's aggregate score will update automatically as it always reflects the union of all members' founds.

Making Submissions

Submission Format

Submissions can be made in multiple formats depending on the hash type. For unsalted hashes, provide the hash and plaintext separated by a colon. For salted hashes, the salt must be included so the platform can verify the recovery. The following formats are accepted:

# Unsalted: Hash:Plaintext
5f4dcc3b5aa765d61d8327deb882cf99:password

# Salted (concatenated): Hash:SaltPlaintext
e16b2ab8d12314bf4efbd6203906ea6c:testpassword

# Salted (separated): Hash:Salt:Plaintext
e16b2ab8d12314bf4efbd6203906ea6c:test:password

The platform accepts all three formats and will attempt to match your submission against the known hash list using multiple salt arrangements. If the hash uses a salt, you must include it in one of the formats above so the submission can be validated.

Submission Methods

Web Interface: Upload through the submission page
API: POST to /api/submit with authentication

Accepted Content Types

multipart/form-data - File uploads
application/json - API submissions
text/plain - Raw text body

Submission Limits

Each submission can contain up to 500,000 lines. Submissions exceeding this limit will be rejected. You can make multiple submissions, so feel free to break larger sets into batches.

How Submissions Are Processed

When you submit hashes, the following steps occur:

Lines are deduplicated within the submission to remove exact duplicates.
$HEX[...] encoded values are automatically decoded.
Each line is validated against the game's hash list to confirm it is a legitimate match.
Lines already found by you in a previous submission are rejected as duplicates.
Remaining valid, new hashes are recorded as your founds.

After a submission, you will see a summary showing how many new hashes were accepted and which lines were rejected, along with the reason for rejection.

Submission Timing

Submissions are accepted during Active and Past game states. During the 8-hour idle freeze after an event ends, all submissions are blocked. Submissions made after the freeze (in the Past state) will count toward your personal stats and per-list progress, but will not affect the finalized event-end placements or crown awards.

Understanding the Game Page

Each game has a dedicated page with several tabs that provide different views of the competition. Here is what each tab offers:

Overview

The Overview tab displays the game's description, current status, and recognition statistics. Recognition includes aggregate metrics such as total recovery counts, highest and average recovery rates across lists, and the top players. Use the "Copy Game Link" button to share the game page with others.

Lists

The Lists tab shows all hash lists attached to the game. For each list, you can download the remaining (unsolved) hashes, download your found hashes, submit new founds, and copy curl commands for programmatic access. The interface provides helpful curl snippets for downloading, viewing your founds, and submitting via the command line.

Leaderboard

The Leaderboard tab shows player and team rankings. Both individual players and teams appear in the same leaderboard, sorted by found count with join time used as a tiebreaker. Click on any player or team name to expand their entry and view per-list recovery progress.

Announcements

The Announcements tab shows a real-time feed of notable submission events. You can filter announcements by username or by list. First submissions on a list are highlighted separately from regular submission updates.

Teams

The Teams tab is where you can create a new team, join existing teams, manage invites, respond to join requests, or leave your current team. Each team displays its members, join policy, and captain.

Scores

The Scores tab displays a time-series chart of found counts over time for players and teams. You can filter the chart to show players only, teams only, or both. This provides a visual history of how the competition unfolded.

Event Ticker

At the bottom of every game page, a scrolling event ticker displays notable game events such as lead changes, new list leaders, and lifecycle transitions (game start and end).

Global Features

Seasons

The Seasons Dashboard is a community exploration tool where you can browse player performance across every game. It shows total cracks, points, games played, per-list recovery percentages, and crown counts. Use the Players tab to drill into any individual's history or the Games tab to see how the community performed on each event.

Analyzer

The Analyzer tool lets you analyze plaintexts to understand their composition, character sets, and patterns. This can be helpful when studying the structure of recovered passwords to inform your cracking strategies.

Resources

The Resources page provides downloadable files that may be useful for competitions, such as wordlists and rule files.

API Usage

curl -H "Authorization: Bearer YOUR_TOKEN" \
     https://hashcracky.com/api/endpoint

Rate Limits

API endpoints are rate-limited to prevent abuse. Exceeding limits returns HTTP 429. Wait for the time specified in the Retry-After header.

Privacy and Data Collection

Hashcracky is designed to operate with minimal data collection. The platform does not require or store email addresses, real names, or other personally identifiable information. Account data is limited to a username, an encrypted password, and competition activity (submissions, scores, achievements). Technical data such as IP addresses and user-agent strings is processed temporarily in memory for rate-limiting and anti-abuse purposes and is not persistently stored under normal operation.

For full details, please review our Privacy Policy. Organizations in regulated industries can reference this policy to assess compatibility with their compliance requirements.

Code of Conduct

We expect all participants to maintain a positive, respectful environment:

Do not engage in any form of cheating or generally uncool behavior.
Do not attempt to disrupt the event or the experience of other players.
Do not use any form of offensive language in public names or communications with other players and organizers.
Do not solicit or accept help from external parties while an event is active.

Violations may result in warnings, temporary suspensions, or permanent bans.

2. Hashcracky Hash Recovery Guide

Master the fundamentals of cryptographic hash recovery techniques

Hashing Foundations
Supported Algorithms Reference
Getting Started with Hash Cracking
Understanding Attack Types
Understanding Rules
Understanding Masks
Introduction to Analysis
Defending Applications

Note: This guide focuses on getting started with basic techniques. For advanced strategies, we recommend the In.security Password Cracking 101+1 Training.

Hashing Foundations

Hashing is a fundamental concept in cybersecurity and is the result of a one-way algorithm to transform plaintext into ciphertext. The act of hash cracking is replicating the one-way transformation with known plaintexts to identify a match in ciphertext. If the ciphertext matches the known hash, the plaintext is considered recovered.

There are many different types of hashing algorithms, each with its own characteristics and uses. It is important to understand the type of hash to determine the best approach for recovering the plaintext.

The primary tools used for hash cracking are Hashcat, John the Ripper, and various scripts or utilities for specialized algorithms.

Message Digest (MD)

Message Digest algorithms (MD4, MD5) are fast but lack collision resistance. Commonly found in legacy systems; generally unsuitable for new applications but prevalent in hash-cracking exercises.

$ printf 'password' | md5sum
5f4dcc3b5aa765d61d8327deb882cf99

Secure Hash Algorithm (SHA)

SHA-1 and SHA-2 are widely used. SHA-256 is common in modern contexts. Understand the bit width (e.g. 128, 256, 512) to identify the algorithm from the hash length.

$ printf 'password' | sha256sum
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

bcrypt and scrypt

These adaptive functions use salts and configurable cost factors, making large-scale cracking expensive. Understanding their structure helps gauge expected throughput.

$ python3 -c "import bcrypt; print(bcrypt.hashpw(b'password', bcrypt.gensalt(rounds=10)))"
$2b$10$...

Salting and Iterations

Salts are random data appended or prepended before hashing, preventing identical plaintexts from producing the same hash. Iterations (key stretching) increase computational cost.

$ mkpasswd --method=sha256crypt --rounds=1000 --salt=12324566 password
$5$rounds=1000$12324566$9KqrHsJ9mSQJMYBJ0iBLSN4gZaOOPWGbD2NuKz4K1XC

$ mkpasswd --method=sha256crypt --rounds=2000 --salt=12324566 password
$5$rounds=2000$12324566$UpQkGap2msCkdYtu21Va3uEX4Va7vAbyHtX22psDFn7

Hash-Based Message Authentication Code (HMAC)

HMAC creates a keyed hash of data. It is often used to verify integrity and authenticity. In the password context, HMAC is a common way to apply peppers so that computing the hash requires a secret key in addition to the password.

$ message="The quick brown fox jumps over the lazy dog"
$ key="key"
$ printf "%s" "$message" | openssl dgst -sha256 -hmac "$key"
HMAC-SHA256(stdin)= f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8

Why HMAC-Bcrypt?

Bcrypt is already a strong adaptive hash function, and its cost factor can be increased to resist offline attacks. However, wrapping bcrypt with an HMAC provides additional security properties that are worth considering.

Pepper as a separate secret: The HMAC key effectively acts as a pepper applied to every created hash. Without the pepper, cracking the hashes becomes exceedingly difficult even if the hash database is compromised. The pepper is stored outside the database and should require compromising additional assets to obtain. In the case of a runtime vulnerability like SQL injection, an attacker may have access to the database table but would need additional effort to access other resources where the pepper is stored.

This makes HMAC-Bcrypt a strong and easy to implement hashing approach that combines the strength of bcrypt with beneficial cryptographic concepts. Developers can continue to use the same code patterns in various implementations while gaining meaningful additional protection.

Iterated Hashing (Chained Rounds)

Iterated hashing refers to the practice of hashing a plaintext and then feeding the result back into the same (or a different) hash function for multiple rounds. This is a form of key stretching, a technique used to increase the computational cost of recovering a plaintext from a hash. Not to be confused with purpose-built key derivation functions (KDFs) like PBKDF2, bcrypt, scrypt, or Argon2, which combine controlled iterations with unique salts for stronger security guarantees. Simple iterated hashing without a proper design can lead to unexpected vulnerabilities with little benefit.

$ plaintext="password"; hash="$plaintext"; for i in {1..5}; do hash=$(printf %s "$hash" | md5sum | awk '{print $1}'); printf "Iteration %d: %s\n" "$i" "$hash"; done
Iteration 1: 5f4dcc3b5aa765d61d8327deb882cf99
Iteration 2: 696d29e0940a4957748fe3fc9efd22a3
Iteration 3: 5a22e6c339c96c9c0513a46e44c39683
Iteration 4: e777a29bee9227c8a6a86e0bad61fc40
Iteration 5: 7b3b4de00794a247cf8df8e6fbfe19bf

Hash Shucking

Hash shucking is a technique where an attacker bypasses a slow or computationally expensive outer hash function by exploiting the structure of a nested algorithm. When a composite hash wraps a fast inner hash without incorporating a salt or pepper at the outer layer, an attacker can strip away the outer function entirely and attack the faster inner hash directly.

Consider a scheme like bcrypt(md5($pass)). The intent is to benefit from bcrypt's slow cost factor, but the inner md5($pass) produces an unsalted, deterministic output. An attacker who possesses or can build a lookup table of MD5 hashes (from prior breaches or precomputation) can compare the inner MD5 digest against that table. If a match is found, the plaintext is recovered without ever needing to run the expensive bcrypt computation. The outer bcrypt layer has been "shucked" off like a shell.

Why Salts and Peppers Prevent Shucking

Adding a salt or pepper to the inner hash defeats shucking by making the intermediate digest unique per user and unpredictable without the secret material. For example, bcrypt(hmac-sha256($pass, $pepper)) produces an inner value that cannot be looked up in any precomputed table because the pepper is unknown to the attacker. Even bcrypt(sha256($pass.$salt)) forces the attacker to compute the inner hash per salt, eliminating the benefit of precomputed lookups.

Supported Algorithms Reference

The following algorithms may appear in Hashcracky competitions. Each entry includes the corresponding Hashcat mode number and the formula used to produce the digest. Competitions may use one or more of these algorithms across their hash lists. The algorithm label shown in each list identifies the exact configuration used. Hashcracky currently supports 47 distinct algorithm configurations.

Base Algorithms (Unsalted)

Algorithm	Hashcat Mode	Formula
MD4	900	`md4($pass)`
MD5	0	`md5($pass)`
SHA-1	100	`sha1($pass)`
SHA-224	1300	`sha224($pass)`
SHA-256	1400	`sha256($pass)`
BLAKE2b-256	34800	`blake2b256($pass)`
bcrypt	3200	`bcrypt($pass)`

Salted Algorithms

Algorithm	Hashcat Mode	Formula
md5($pass.$salt)	10	`md5($pass.$salt)`
md5($salt.$pass)	20	`md5($salt.$pass)`
sha1($pass.$salt)	110	`sha1($pass.$salt)`
sha1($salt.$pass)	120	`sha1($salt.$pass)`
sha224($pass.$salt)	1310	`sha224($pass.$salt)`
sha224($salt.$pass)	1320	`sha224($salt.$pass)`
sha256($pass.$salt)	1410	`sha256($pass.$salt)`
sha256($salt.$pass)	1420	`sha256($salt.$pass)`
BLAKE2b-256($pass.$salt)	34810	`blake2b256($pass.$salt)`
BLAKE2b-256($salt.$pass)	34820	`blake2b256($salt.$pass)`

Nested and Composite Algorithms

Nested algorithms apply multiple hash functions in sequence. The innermost function is applied first and its output is fed into the next. Some nested variants also incorporate a salt at various positions in the chain.

Algorithm	Hashcat Mode	Formula
md5(md5($pass))	2600	`md5(md5($pass))`
md5(md5($pass.$salt))	2630	`md5(md5($pass.$salt))`
md5(md5(md5($pass)))	3500	`md5(md5(md5($pass)))`
md5(md5(md5($pass)).$salt)	3610	`md5(md5(md5($pass)).$salt)`
md5($salt.md5($pass))	3710	`md5($salt.md5($pass))`
md5($salt.$pass.$salt)	3800	`md5($salt.$pass.$salt)`
md5(md5($pass).md5($salt))	3910	`md5(md5($pass).md5($salt))`
md5($salt.md5($salt.$pass))	4010	`md5($salt.md5($salt.$pass))`
md5($salt.md5($pass.$salt))	4110	`md5($salt.md5($pass.$salt))`
md5(sha1($pass))	4400	`md5(sha1($pass))`
md5(sha1($pass).$salt)	4410	`md5(sha1($pass).$salt)`
md5(sha1($pass.$salt))	4420	`md5(sha1($pass.$salt))`
md5(sha1($salt.$pass))	4430	`md5(sha1($salt.$pass))`
sha1(sha1($pass))	4500	`sha1(sha1($pass))`
sha1(sha1($pass).$salt)	4510	`sha1(sha1($pass).$salt)`
sha1($salt.sha1($pass))	4520	`sha1($salt.sha1($pass))`
sha1($salt.$pass.$salt)	4900	`sha1($salt.$pass.$salt)`
sha1(sha1($salt.$pass.$salt))	5000	`sha1(sha1($salt.$pass.$salt))`
sha1(md5(md5($pass)))	18500	`sha1(md5(md5($pass)))`
sha256(sha256($pass).$salt)	20710	`sha256(sha256($pass).$salt)`
sha256($salt.sha256($pass))	20720	`sha256($salt.sha256($pass))`
sha256(sha256($pass.$salt))	20730	`sha256(sha256($pass.$salt))`
sha256(md5($pass))	20800	`sha256(md5($pass))`
sha1(md5($pass.$salt))	21100	`sha1(md5($pass.$salt))`
md5(sha1($salt).md5($pass))	21200	`md5(sha1($salt).md5($pass))`
md5($salt.sha1($salt.$pass))	21300	`md5($salt.sha1($salt.$pass))`
sha256($salt.$pass.$salt)	22300	`sha256($salt.$pass.$salt)`
md5($salt.md5($pass).$salt)	33100	`md5($salt.md5($pass).$salt)`
sha224(sha224($pass))	34400	`sha224(sha224($pass))`
sha224(sha1($pass))	34500	`sha224(sha1($pass))`

Tips for Identifying Algorithms

Hash length is a strong indicator: 32 hex characters suggests MD5-family or MD4 output, 40 characters suggests SHA-1, 56 characters suggests SHA-224, 64 characters suggests SHA-256 or BLAKE2b-256.
bcrypt hashes are immediately recognizable by their $2b$ prefix and 60-character length.
Nested algorithms produce the same output length as their outermost function, so a 32-character hash could be md5(sha1($pass)) just as easily as plain MD5.

Getting Started with Hash Cracking

Identify the Hash Type

Before attempting recovery, identify the algorithm. Hash length, character set, and any prefix (e.g. $2b$ ) are clues. Tools such as hashcat can help, although manual verification is recommended. Refer to the Supported Algorithms Reference for hash lengths and Hashcat mode numbers.

Select the Right Tool

Hashcat is GPU-accelerated and ideal for most modern algorithms. John the Ripper supports many niche formats. For best results, use the tool that supports your hardware and algorithm combination most efficiently.

Quick First Steps

Download the hash list from the game's Lists tab.
Identify the hash algorithm.
Run a quick dictionary attack with a popular wordlist.
Apply rules to mutate your wordlist candidates.
Use masks for targeted brute-force of remaining hashes.
Submit your recovered hashes through the web interface or API.

Understanding Attack Types

Dictionary / Wordlist Attack

Hash each word in a list and compare against the target hashes. Effectiveness depends on the quality and relevance of your wordlist.

hashcat -m 0 -a 0 hashes.txt wordlist.txt

Combinator Attack

Concatenates words from two wordlists. Useful for compound passwords like "sunshine" + "2024".

hashcat -m 0 -a 1 hashes.txt left.txt right.txt

Brute-Force / Mask Attack

Systematically generates all possible candidates within a defined character space and length. Masks let you constrain the search space.

hashcat -m 0 -a 3 hashes.txt ?u?l?l?l?l?d?d?d

Rule-Based Attack

Applies transformation rules to wordlist candidates. Rules can capitalize, append, prepend, substitute, and more. See the rules section below.

hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules.rule

Understanding Rules

Rules are single-character or short-code instructions that transform each candidate word before hashing. They are a powerful way to multiply the effectiveness of a wordlist without increasing its size on disk.

Common rules include:

l / u - Lowercase / uppercase entire word
c / C - Capitalize first letter / lowercase first, uppercase rest
$X - Append character X
^X - Prepend character X
d - Duplicate entire word
r - Reverse the word
sXY - Replace all instances of X with Y

Rules can be chained together on a single line to perform multiple transformations in sequence. The Hashcat rule documentation is the definitive reference for all available functions.

Understanding Masks

Masks define a positional pattern for brute-force generation. Each position in the mask specifies a character set:

?l - Lowercase letter (a-z)
?u - Uppercase letter (A-Z)
?d - Digit (0-9)
?s - Special character
?a - All printable ASCII

For example, the mask ?u?l?l?l?l?d?d would generate candidates like "Hello12" or "World99". Masks are especially effective when analysis reveals consistent patterns in the target data.

Custom character sets can be defined with -1, -2, -3, and -4 flags to create masks tailored to specific patterns you observe.

Introduction to Analysis

Analysis is the study of recovered plaintexts to discover patterns that guide future attacks. After recovering a portion of hashes, look for recurring themes.

Questions for Formats and Masks

If all characters were masks, what would be the most common formats?
If all of certain characters were masks, what would be the most common formats?
What formats can be enumerated with brute force attacks and which cannot?
Is there a minimum length or complexity requirement for the data set?
Are there any unique character sets being used?

Questions for Common Words and Tokens

If all non-alpha were removed, what tokens would remain?
What are the most frequent base words?
Are there locale-specific or thematic words?

Hashcracky's Analyzer can help with some of these questions by breaking down the composition of your recovered plaintexts.

Defending Applications

Understanding hash cracking is valuable for defenders, too. Knowing how attacks work helps you choose stronger protections.

Use Modern, Slow Hash Functions

Prefer bcrypt, scrypt, or Argon2id for password storage. Their configurable cost factors make brute-force impractical at scale. If FIPS-140 compliance is required use PBKDF2.

Enforce Password Quality

Use estimators like zxcvbn rather than simple complexity rules. Length is the single most effective control.

zxcvbn

Password Blocklists: Effective as a layered control with other mitigations from guessing common metadata such as company names, years, 123's, and others.

Local Administrator Password Solution (LAPS): Effective control at rotating high-value hashes and ensuring secure creation within Windows environments. Ensure users who can see the LAPS managed attributes are also tightly controlled. Relevant LAPS-managed attributes include:

ms-Mcs-AdmPwd: Stores the clear text local administrator password.
ms-Mcs-AdmPwdExpirationTime: Determines when the password should be changed next.

Enforce Strong Authentication Mechanisms

Please use Multi-Factor Authentication (MFA) when possible. Please consider using multiple authentication mechanisms and have preference for stronger methods such as hardware tokens, passkeys, certificate based, and others.

Using code to enforce compliance can help alleviate many issues with passwords such as length, complexity, setting known breach passwords, and password filters consistently. Personally suggest passwords requirements with length 16 or greater and complexity requirements. Understand the interactions between user behavior and code requirements, such as setting too frequent of a password rotation. Code-based compliance combined with training is an effective strategy.

3. Frequently Asked Questions

Why was my submission rejected?

Submissions can be rejected for several reasons: the hash:plaintext pair does not match any entry in the game's hash list, the line was already submitted by you in a previous submission, the line is a duplicate within the current submission, or a $HEX[...] encoded value could not be decoded. The submission summary displayed after each upload shows the specific reason for every rejected line.

How do salted hashes work in submissions?

When a hash list uses salts, you must include the salt in your submission so the platform can verify the recovery. You can submit in the format hash:salt:plaintext (salt and plaintext separated) or hash:saltplaintext (salt concatenated with plaintext). The platform attempts multiple salt arrangements when validating your submission, so either format will be accepted as long as the correct salt value is present.

Can I participate in a game after it ends?

Yes. After the 8-hour idle freeze completes and the game transitions to the Past state, submissions are accepted again. Your recoveries will count toward your personal stats and per-list progress, but they will not affect the finalized event-end placements or crown awards. Past games are a great way to practice and develop your skills without time pressure.

What happens if I leave a team mid-competition?

Teams are fully dynamic. When you leave a team, the team's found count and score are recalculated based on the remaining members' contributions. Your individual stats and founds are not affected. You are free to join or create a different team within the same game after leaving.

Do I need a GPU to compete?

A GPU is not strictly required. Many players compete successfully with a single dedicated GPU, and CPU-only participants can still place well through effective strategy, thoughtful rule and mask creation, and good analysis of recovered plaintexts. More computing power helps speed up attacks, but it is not the only factor that determines success.

Are there restrictions on tooling or hardware?

No. There are absolutely no restrictions on what tools, hardware, cloud services, or distributed setups you use. Get creative and have fun.

How do I request a custom event for my organization?

Email contact@hashcracky.com to start a conversation. We will work with you to understand your goals, select a theme and difficulty, and schedule an event that fits your needs. See the Organizations and Custom Events for full details.

Contact

Questions, suggestions, or need help? Email us at contact@hashcracky.com

Hashcracky is a one-person operation; thank you for your patience with response times.