Hashcracky Guide

Hashcracky is a free social training platform for hash recovery. Players and teams compete in time-limited events to recover as many plaintext passwords as possible from curated hash lists - all in a safe, ethical environment.

Important: Every hash on the platform is artificially generated for educational purposes. We never use real-world hashes or actual leaked credentials. Each hash is carefully crafted to teach specific concepts and techniques while ensuring a safe learning environment.

Whether you are a seasoned professional or just starting out, Hashcracky gives you a place to develop your skills, compete with peers, and have fun doing it.

Registration requires only a username and password. No email, no real name, no tracking. Your privacy is a core principle of the platform.

After registering, you can immediately browse games, download hash lists, and start submitting recovered plaintexts.

1. Head to the Home page and find an Active game.
2. Click the game card to open the Game Page.
3. Go to the Lists tab and download a hash list.
4. Use your favourite hash recovery tool (e.g. Hashcat, John the Ripper) to crack as many hashes as you can.
5. Upload your results through the Submit button on the same Lists tab, or use the provided curl command available next to each list for API submissions.
6. Watch your name climb the Leaderboard in real time!

Tip: If you are on a team, your team captain can submit results on your behalf using the ?credit=USERNAME query parameter - this is the recommended method for teams since it lets the captain handle all submissions centrally while individual players focus on cracking.

1. Upcoming: Competition announced but not yet active. Hash lists are not yet available for download. Teams can be created and organized during this stage - use this time to recruit members and plan your strategy.
2. Active: Hash lists available for download, submissions accepted. A live countdown timer shows the remaining time. This is when the boss encounter is live and milestones can be triggered.
3. Idle (8-hour freeze): When an event ends, an 8-hour freeze period begins. The final leaderboard snapshot is locked, winners are determined, and crowns are awarded. No submissions are accepted during this window.
4. Past: Archived. Submissions are accepted again for practice, but placements and crowns are already finalized. Your recoveries still count toward your personal stats and seasons data.

Each competition may contain one or more hash lists, each with up to 450,000 hashes. Events typically run for 5 days but can vary. Hash lists may include a mix of hash types and difficulty levels within the same game.

Points are awarded based on the total value of hashes recovered. Each hash has a point value set by its algorithm and difficulty, and leaderboards update in real time. Click a player's name to expand their per-list recovery progress. While a game is underway, your per-algorithm breakdown only shows algorithms you have already cracked, so a list's full algorithm set is never leaked early; the complete breakdown is shown to everyone once the game ends. In team games each team's breakdown reflects only that team's own recoveries, so every team sees its own recovered counts and percentages.

Each game's leaderboard has two modes: Current (live standings reflecting all submissions including post-event practice) and Event End (the snapshot taken when the competition ended, which determines final placements and crowns).

Teams on the leaderboard: Teams appear as separate entries alongside individual players. A team's score is the union of all members' found hashes, with duplicates deduplicated automatically. While a game is active, each found hash is credited to the member who submitted it. Once the game ends, any member who leaves keeps credit for the team's full deduplicated found set (see Leaving a Team), so collaborating no longer costs you founds.

The top five players in each competition receive crowns that persist on their profiles. The winner receives two crowns instead of one.

Crowns are awarded after the 8-hour idle freeze when the game transitions to the completed state, based on the event-end leaderboard snapshot. Crowns are permanent and visible on the Seasons Dashboard.

Every game features a Boss - a shared challenge that all players work together to defeat. Each boss has a randomly generated name (for example "Vorlokk, The Ashen"). Check the Boss tab on any game page to see its name, health bar, current milestones, and damage stats.

Boss health is calculated as the total number of hashes across all lists multiplied by 35 (minimum 1,875 HP). For example, a game with 5,000 hashes has a boss with 175,000 HP.

Damage tiers: Each accepted hash deals damage based on whether it is new to the whole game or just to you:

• Game-unique hashes (no one in the game has found them before) deal the full damage per submission value, which starts at 2 and rises with milestone progression.
• Player-unique hashes (already found by another player but new to you - for example, when you crack a list a teammate has already worked on) deal a flat 1 damage per hash, plus your equipped item's rarity bonus (see the Items section below).
• Bounty board progress applies a global multiplier to every submission's damage, scaling linearly with how many of the game's bounties have been credited (capped at +3% when all bounties are found). See the Bounty Board section for details.

The Boss tab shows a live formula breakdown - (game-unique × DPS + player-unique × 1 (+item bonus)) × (1 + bounty progress × 3%) - so you can see exactly how a submission converts to damage.

Teams and damage: Joining a team never reduces, delays, or hides your boss damage. Every hash you are the first in the game to recover counts as a game-unique hit at full damage, whether you are solo or on a team.

The rune scrying pool: Below the health bar, a pool of runes re-rolls every 10 minutes. When runes align, the boss takes a small amount of damage, with bigger alignments dealing more. The roll is decided on the server, so everyone sees the same outcome. It chips away only a little, but because it fires on its own schedule it makes the exact killing blow harder to time.

Milestones: Over 25 milestones span four categories: total submissions, unique hashes recovered, distinct players who have submitted, and active teams. Each milestone reached permanently increases the global damage per submission, and the bonuses stack, so milestone progress is the main way the boss takes damage faster.

When the boss is defeated, a hidden bonus hash list of 50,000 MD4 hashes is unlocked in the Lists tab. These bonus hashes are generated from the same plaintexts used across the game's other lists, re-hashed with MD4. They are worth extra points and can reveal helpful information about the other event lists (e.g. shared plaintext patterns).

Strategy tip: The boss is meant to be hard to defeat without community effort. Coordinate to trigger milestones and defeat it before the event ends; if no one lands the final blow in time, the bonus list is lost forever. Even players who submit a few hashes help trigger player-count milestones and raise damage globally.

Each game's Bounty tab shows a curated set of bounty hashes sampled from every list. Bounties are sampled at game-creation time using stratified bucket sampling across the score distribution, so the pool contains a balanced mix of low-, mid-, and high-value targets - up to 888 bounties per list.

Bounties are hidden until the game becomes active. Once the game starts, the bounty hashes (and their algorithm) are revealed in the Bounty tab and every newly credited bounty raises the global boss damage boost for the rest of the game.

Bounty board boost is a global multiplier on every submission's tier damage, scaling linearly with completion of the bounty board: boost = (bounties found / total bounties) × 3%. So if a game has two lists with 888 bounties each (1,776 total) and roughly 178 have been claimed, every submission gets +0.3%; at half claimed it is +1.5%; at full completion the full +3% cap is unlocked. The boost rewards the entire team for collective bounty completion, regardless of who actually cracked which bounty.

Plaintexts and finder credit are shown next to each bounty in the table once it has been claimed, giving you a live view of which bounty hashes are still up for grabs and which players are picking them off.

Each game has its own Items tab where players can earn and equip items that boost the damage they personally deal to the boss. Items are scoped to the game they were rolled in - they do not carry over between games.

Earning reroll credits: Every 10,000 hashes you find in a game earns one reroll credit. Progress accumulates across all of your submissions, so many small batches earn credits at the same rate as one large batch.

Rolling an item: Spending one credit generates a preview of 8 candidate items (a credit is consumed at this step - the act of rolling is what costs a credit, not the equip click). Pick one candidate to equip and the others are discarded. If you do not like any of the candidates you can spend another credit to roll a fresh set of 8.

Rarity tiers and damage bonus: Each candidate is independently rolled with a weighted rarity distribution (weights 100 / 10 / 5 / 1 out of 116, giving the approximate odds shown below). The equipped item's rarity adds a flat bonus to the damage of every player-unique hash you find (it does not apply to game-unique hashes, which already deal the milestone-scaled damage per submission):

• Common (~86.2%): +1 damage per player-unique hash.
• Uncommon (~8.6%): +2 damage per player-unique hash.
• Rare (~4.3%): +3 damage per player-unique hash.
• Legendary (~0.9%): +5 damage per player-unique hash.

Items also have a randomly rolled element (Fire, Water, Earth, Shadow, Light or Arcane), class (Melee, Magic or Ranged), and a generated display name. These are flavour and visuals only - only the rarity affects damage.

The Seasons Dashboard tracks player performance across every game. It shows total cracks, points, games played, per-list recovery percentages, and crown counts. Open any player to expand their Game Participation and Per-List Recovery breakdowns, which stay readable on phones and tablets by scrolling sideways when a row is too wide for the screen. Use it to explore the community, track your own progress over time, and see how you compare to other players across all events.

Each game page has several tabs:

• Overview: Game description, status, countdown timer, and recognition statistics showing top players and list recovery rates.
• Lists: Download hash lists (with remaining-hash filtering), download your own founds or just your unique founds, submit founds via file upload, and copy pre-built curl commands for API submissions.
• Leaderboard: Player and team rankings with per-list progress drill-down. Click any entry to see detailed per-list and per-algorithm recovery breakdowns.
• Boss: Boss health bar, the rune scrying-pool slot machine that periodically deals small bonus damage, milestone progress cards with live tracking, the per-tier damage breakdown for your next submission, and bonus list reveal status.
• Bounty: Curated bounty hashes for each list. Each newly credited bounty during an active game raises a global boss damage boost (capped at +3% when all bounties are claimed).
• Items: Per-game items that you earn reroll credits for as you submit hashes. The equipped item's rarity adds a flat bonus to the damage of each player-unique hash you find.
• Announcements: Real-time feed of submission events, first-bloods, and notable achievements.
• Teams: Create, join, manage, and leave teams. View team rosters and join policies.
• Scores: Time-series chart showing found counts over time for each player, useful for analyzing pacing and strategy.

At the bottom of every game page, a scrolling Event Ticker displays notable game events such as lead changes and lifecycle transitions.

The Lists tab provides a download option for each hash list. By default, the download is dynamic - it automatically excludes hashes you (or your team, if applicable) have already found. This lets you focus your cracking effort on unrecovered hashes without wasting time on duplicates.

You can also download the full original list by toggling off the dynamic filter. This is available via the API with the ?dynamic=false query parameter on the hashes endpoint.

Submissions use hash:plaintext format, one per line. For salted hashes, include the salt:

# Unsalted: Hash:Plaintext
5f4dcc3b5aa765d61d8327deb882cf99:password

# Salted (concatenated): Hash:SaltPlaintext
e16b2ab8d12314bf4efbd6203906ea6c:testpassword

# Salted (separated): Hash:Salt:Plaintext
e16b2ab8d12314bf4efbd6203906ea6c:test:password

The platform attempts multiple salt arrangements when validating your submission, so either format is accepted as long as the correct salt value is present. Values encoded as $HEX[...] (common in Hashcat output) are automatically decoded before validation.

• Web Interface: Upload a file through the Lists tab on the game page using the Submit button.
• API: POST to /api/game/GAME_ID/LIST_ID/submit with your auth token. Each list on the game page provides a pre-built curl command you can copy and use directly.
• Captain credit submission: Team captains can submit on behalf of teammates by appending ?credit=USERNAME to the submission URL. This is the recommended method for teams using external platforms - the captain handles all submissions centrally while teammates focus on cracking.

Accepted content types:

• multipart/form-data - File uploads (web interface and curl with -F)
• text/plain - Raw text body (curl with --data-binary)
• application/json - JSON payload with lines array

Each submission can contain up to 500,000 lines. Break larger sets into batches if needed.

1. Lines are deduplicated within the submission.
2. $HEX[...] encoded values are automatically decoded.
3. Each line is validated against the game's hash list to confirm the hash:plaintext pair is correct.
4. Lines already found by you are rejected as duplicates - you cannot submit the same hash twice.
5. Valid, new hashes are recorded as your founds and your points update immediately.
6. Each accepted hash also deals damage to the boss based on the current damage-per-submission value.

After each submission, a summary is returned showing how many lines were accepted, rejected, and the specific reason for each rejection (invalid pair, duplicate, already found, decode failure). When using the API, this is returned as a JSON response.

To keep the activity feed readable, repeated submission announcements from the same player on the same list are aggregated into a single entry when they occur within a 30-minute window - even when other players' submissions are interleaved. Aggregated entries show the original time of the first submission alongside the updated aggregation time, plus the number of submissions folded together, so a couple of very active players no longer flood the feed.

Every submission is also recorded to a personal submission log shown under the profile section of your account page. It keeps your most recent submissions with their accepted and rejected totals and an outcome, and you can sort, filter, and link back to each game - handy for tracing issues with your submission tooling.

Submissions are accepted during Active and Past game states only. During the 8-hour idle freeze after an event ends, all submissions are blocked - this ensures the final leaderboard is fair and no last-second submissions can change placements.

Post-freeze submissions (in Past state) count toward your personal stats, seasons data, and per-list progress, but they do not affect event-end placements or crown awards. Past games are a great way to practice without time pressure.

Every list on the game page provides a copy-able curl command pre-configured with the correct game ID, list ID, and endpoint. Simply paste your auth token and point it at your output file.

Note: All POST/PUT/PATCH/DELETE requests to the API must include the X-Requested-With: XMLHttpRequest header (a CSRF defense-in-depth check on top of SameSite=Strict cookies). Read-only GET requests do not need it. The copy curl buttons on the game page already include this header for you.

Basic submission:

curl -X POST \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: text/plain" \
  --data-binary @founds.txt \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/submit"

Captain credit submission (submit on behalf of a teammate):

curl -X POST \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: text/plain" \
  --data-binary @founds.txt \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/submit?credit=teammate_username"

Download remaining hashes (excludes already found):

curl -H "Authorization: Bearer YOUR_TOKEN" \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/hashes"

Download your founds for a list:

curl -H "Authorization: Bearer YOUR_TOKEN" \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/found"

Download only your unique founds (hashes no other player or team recovered):

curl -H "Authorization: Bearer YOUR_TOKEN" \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/found/unique"

API endpoints are rate-limited to prevent abuse. Exceeding limits returns HTTP 429. Wait for the time specified in the Retry-After header before retrying.

Navigate to the Teams tab on any game page. Each team can have up to 8 members (including the captain). Teams can be created as soon as a game appears on the site, even during the Upcoming state - use this time to organize before the event goes live.

Two join policies:

• Request (default): Players send a join request. The team captain must approve or deny each request before the player can join.
• Invite-only: Only players who have received an invite from the captain can join. Players cannot request to join.

Each player can only be on one team per game. If you want to switch teams, you must leave your current team first.

• Each team member submits individually, just like solo players.
• Team founds are the union of all members' founds - if two members both crack the same hash, it only counts once for the team.
• Team scores are dynamically recalculated as members submit, join, or leave.
• During an active game your personal stats reflect only the hashes recorded under your own account; teammates' founds count toward the team total but not your individual total.
• After the game ends, leaving the team credits your account with the team's full deduplicated found set, so coordinating with teammates does not reduce your personal founds.
• Teams and individual players appear as separate entries on the leaderboard.

Strategy tip: Divide hash lists among team members and assign different attack strategies to each person. Since team scoring uses the union of all founds, there is no penalty for overlap, but maximum coverage gives the best results. Have some members focus on easy wins while others target harder algorithms.

The team captain has special abilities beyond regular team members:

• Invite members: Send invites to specific players to join the team.
• Respond to join requests: Approve or deny players requesting to join (when using Request join policy).
• Credit submissions: Submit hashes on behalf of teammates using the ?credit=USERNAME query parameter.

Credit submission is the recommended method for teams using external platforms. It allows the captain to act as the central submission point - collect cracked hashes from all team members and submit them, crediting each teammate appropriately. This simplifies coordination and ensures everyone gets proper credit for their work. If you are not using an external platform, Hashcracky will handle rolling up individual account founds into teams.

# Captain submits on behalf of teammate "alice"
curl -X POST \
  -H "Authorization: Bearer CAPTAIN_TOKEN" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: text/plain" \
  --data-binary @alice-founds.txt \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/submit?credit=alice"

The credited teammate receives all points and found credit as if they submitted directly. The captain must be on the same team as the credited user, and only the captain can use this feature.

Any member can leave at any time. When you leave, the team's found count and score are recalculated dynamically based on the remaining members' contributions.

Leaving after the game ends: If the game has already completed, leaving the team credits your personal account with the team's full deduplicated found set for that game. This means you keep credit for every unique hash the team recovered while you were a member, so collaborating never penalizes your personal founds. (During an active or upcoming game, leaving only keeps the founds recorded under your own account - this prevents mid-event team hopping.)

You can join or create a different team within the same game after leaving. If the captain leaves, the role is automatically transferred to another team member.

Note: Because team scores are the union of all members' founds, a departing member's unique contributions are removed from the team total. Plan your team composition carefully during events.

Submissions can be rejected for several reasons: the hash:plaintext pair does not match any entry in the game's hash list, the line was already submitted by you in a previous submission, the line is a duplicate within the current submission, or a $HEX[...] encoded value could not be decoded. The submission summary displayed after each upload shows the specific reason for every rejected line, including counts for each rejection category. Check your output format and ensure you are submitting to the correct list.

When a hash list uses salts, you must include the salt in your submission so the platform can verify the recovery. You can submit in the format hash:salt:plaintext (salt and plaintext separated) or hash:saltplaintext (salt concatenated with plaintext). The platform attempts multiple salt arrangements when validating your submission, so either format will be accepted as long as the correct salt value is present.

Yes. After the 8-hour idle freeze completes and the game transitions to the Past state, submissions are accepted again. Your recoveries will count toward your personal stats and per-list progress, but they will not affect the finalized event-end placements or crown awards. Past games are a great way to practice and develop your skills without time pressure.

Teams are fully dynamic. When you leave a team, the team's found count and score are recalculated based on the remaining members' contributions. If you leave while the game is still running, you keep the founds recorded under your own account (this keeps mid-event team hopping from being abused). If you leave after the game has ended, your account is credited with the team's full deduplicated found set, so you retain credit for everything the team recovered. You are free to join or create a different team within the same game after leaving. If you are the captain and you leave, the captaincy is automatically transferred to another team member.

Team captains can submit on behalf of any teammate by adding ?credit=USERNAME to the submission URL. The credited player receives all points and founds as if they submitted directly. Only the team captain can use this feature, and the target user must be on the same team. This is the recommended way to handle team submissions with external platforms - the captain collects cracked hashes from all members and submits them centrally, crediting each person appropriately. If you are not using an external platform, Hashcracky will handle rolling up individual account founds into teams.

Each accepted hash deals damage based on which tier it falls into:

• Game-unique hashes (no one in the game has cracked them before) deal the full damage per submission, which starts at 2 and rises with milestones.
• Player-unique hashes (already cracked by another player but new to you) deal a flat 1 damage, plus your equipped item's rarity bonus if any.
• Bounty board progress applies a global multiplier to the combined tier damage above, scaling linearly with completion of the bounty board (capped at +3% when all bounties are claimed).
• Rune scrying pool deals a small amount of damage on its own 10-minute cycle, independent of submissions, whenever its runes align. It is intentionally minor, just enough to nudge the timing of a planned kill.

There are over 25 milestones across four categories (total submissions, unique hashes recovered, distinct players, and active teams). All milestone bonuses stack - reaching every milestone significantly increases the global damage rate for everyone. The boss cannot be defeated without community effort and milestone progression.

Bounties are a curated subset of each list's hashes (up to 888 per list, sampled with stratified bucket sampling so a balanced low/mid/high-value mix is selected). The bounty list is hidden until the game becomes active, after which it is shown on the Bounty tab.

While a game is active, every credited bounty raises a global boss damage boost shared by every player. The boost is (bounties found / total bounties) × 3%, applied as a multiplier on every submission's combined tier damage. So 100 of 1,000 bounties found gives every submission +0.3%, 500 of 1,000 gives +1.5%, and finding all bounties unlocks the full +3% cap. Bounty progress benefits the whole team, not just the cracker who happened to land the match.

Each game has its own Items tab. Every 10,000 hashes you find earns one reroll credit. Spending a credit generates a preview of 8 candidate items - the credit is consumed when you roll, not when you equip. Pick one candidate to equip; the others are discarded. If you don't like any of them, spend another credit to roll a fresh set.

Items have a rarity that determines their gameplay impact: the equipped item adds a flat damage bonus to every player-unique hash you find - Common +1, Uncommon +2, Rare +3, Legendary +5. The bonus does not apply to game-unique hashes (which already deal the milestone-scaled damage per submission). Element, class, and the generated display name are flavour only and do not affect damage.

When the boss's health reaches zero, a hidden bonus hash list of 50,000 MD4 hashes is revealed in the Lists tab. These hashes are generated from the same plaintexts used in the game's other lists, re-hashed with MD4. Cracking them earns extra points and can help reveal patterns useful for the other event lists. If the boss is not defeated before the event ends, the bonus list is lost and cannot be recovered.

A GPU is not strictly required. Many players compete successfully with a single dedicated GPU, and CPU-only participants can still place well through effective strategy, thoughtful rule and mask creation, and good analysis of recovered plaintexts. More computing power helps speed up attacks, but it is not the only factor that determines success.

No. There are absolutely no restrictions on what tools, hardware, cloud services, or distributed setups you use. Hashcat, John the Ripper, custom tools, cloud GPU instances, multi-machine rigs - anything goes. Get creative and have fun.

The project started as Jabbercracky and started from a workshop I created. The workshop had an "skills test" list and I enjoyed cracking CTFs and was a big fan of using CMIYC lists for learning. Hashpwn and HashMob helped with early community efforts and collaboration. Users like Tycho, Flagg, JP, Phurtim, Stealthsploit, A1131, Partly, Fordy, Kpd, Chick3nman, and countless others helped give suggestions and feedback. After DEFCON33, we transitioned to making a more collaborative experience and rebranded to Hashcracky. We stand on the shoulders of giants and without the community, hashcracky would not exist. In memoriam Flagg.

Email contact@hashcracky.com to start a conversation. We will work with you to understand your goals, select a theme and difficulty, and schedule an event that fits your needs.

Hashcracky is designed to operate with minimal data collection. The platform does not require or store email addresses, real names, or other personally identifiable information. Account data is limited to a username, an encrypted password, and competition activity (submissions, scores, achievements). Technical data such as IP addresses and user-agent strings is processed temporarily in memory for rate-limiting and anti-abuse purposes and is not persistently stored under normal operation.

For full details, please review our Privacy Policy.

We expect all participants to maintain a positive, respectful environment:

• Do not engage in any form of cheating or generally uncool behavior.
• Do not attempt to disrupt the event or the experience of other players.
• Do not use any form of offensive language in public names or communications with other players and organizers.
• Do not solicit or accept help from external parties while an event is active.

Violations may result in warnings, temporary suspensions, or permanent bans.

There are no restrictions on tooling, but two tools cover most of what you will need on Hashcracky:

• Hashcat: A fast, GPU-accelerated password recovery tool. The Algorithm Reference below lists the Hashcat mode for every supported hash type.
• MDXfind: A CPU/GPU tool that is strong at identifying and cracking the nested and composite hashes that often appear on the platform.

Nested algorithms apply multiple hash functions in sequence. The innermost function is applied first and its output is fed into the next. Some nested variants also incorporate a salt at various positions in the chain.