KoreLogic's Password Cracking Contest at DEF CON

The Details:

Scenario:

This year's contest is going to be totally radical! We are like, totally psyched to be partnering with the Password Village this year. I kid you not, the contest is going to be so easy that even an airhead or a jock could crack these passwords! PYSCH! The challenges are going to be bodacious and like totally dope. This year, it is not about wordlists, rules, patterns, or about forensics. In the past we've asked our teams how passwords have changed over time... now we are going to ask them to go back, to the future of password cracking. Like, totally.

Logistics:

Prior to the start of the contest, KoreLogic will disseminate large encrypted file(s), that teams should pre-download. The decryption key(s) will be published once the contest starts.

More files might be released once the contest starts.

This year, there are a set of encrypted container files (ZIP, 7z, etc.) with password hashes inside them. Teams will need to crack these containers, in order to get the hashes that they should crack and submit. The containers themselves are not worth any points, only the hashes within them.

If you are entirely new to password cracking, check out the Password Village at DEF CON, and then come back.

The goal of the contest is simple: score the most points.

Types of Teams:

You have a choice of how you compete:

  • "Pro" Teams: Teams of people who want to compete for all the glory of being the best password cracking team on the Internet.
  • "Street" Teams: Individuals or groups who are more casual. People who want to play around, small teams of 1-3 people who want to compete but don't want to be competing with the "big guns". Or big GPUs, whatever the case may be.
A winning team from each category will be announced at DEF CON closing ceremonies... and be featured on next year's shirt.

Scoring Points:

Points are earned by cracking hashes and submitting plaintexts.

Teams should plan to submit their new cracks often / promptly, and check the stats page (once available) frequently.

Teams are encouraged to pre-register. See the registration HOWTO for instructions on generating a PGP keypair and registering a team.

Once registered, see the submission HOWTO for instructions on exactly what and how to submit cracks.

Rules:

For everyone competing, besides following the directions about how to register and submit:
  • You MAY use as many systems/cores/GPUs/CPUs as you wish.
  • You MAY use systems NOT located at DEF CON.
  • You MAY work with other team members not attending DEFCON.
  • You MUST ONLY use systems that you are authorized to use.
  • You MUST NOT attempt to gain unauthorized access to any system used by KoreLogic or another team.
  • You MUST NOT attempt to interfere with the efforts of another team.
  • You MUST NOT trade/share plain-texts between teams.
  • You MUST NOT attempt to steal passwords from or techniques/methods used by another team.
  • You MUST NOT be on multiple teams, or switch teams during the contest - we will assume you stole all the cracks from one or the other.
  • KoreLogic employees are not eligible for the contest.
For Pro Teams:
  • To be eligible to be named as a "Winner", you MUST agree to share your techniques / methodologies and describe the resources/tools used to crack the passwords afterwards.
  • Pro teams' roster of members must be FIRM before the start of the contest.
We do not necessarily require the member lists of Pro teams before the contest starts, but teams should not combine (or split apart) during the contest; we may disqualify one or more parties in such a situation.

Any violation of the rules can result in immediate disqualification from the contest. Any illegal activity will be reported.

Differences from previous contests:

This year, hashes are inside within password-protected encrypted container files. Teams will need to crack these in order to extract hashes to crack. The credentials needed to unpack these container files should not be submitted, only cracks of the hashes within them.

Results:

During the contest, KoreLogic will publish status and statistics.

After the contest ends, KoreLogic staff will validate each submission and will announce the winning teams on Sunday, (time TBD, but certainly before the DEFCON C&E Awards Ceremony). The eligible team with the highest score will be the winner.

We invite all teams that participate to write up a post-event report. The teams with the most points will be required to write up their techniques/methodologies, describe the resources/tools used to crack the passwords, and describe any lessons learned, in order to be officially declared winners.
After the contest concludes, KoreLogic will:
  • Announce the winners.
  • Release some details about the plaintexts' composition.
  • Provide statistics on successful cracks.
Good luck!

Please watch this site and @CrackMeIfYouCan for updates. You can also contact defcon-2022-contest@korelogic.com with any questions, but we may not be able to respond if we do not have time or if we can't answer you directly without giving an unfair hint.