Hashcracky Guide

What is Hashcracky?
How Do Games Work?
Code of Conduct
What is Hash Cracking?
Why Hash Cracking Matters
Core Terminology
Hashing Foundations
Getting Started with Hash Cracking
- Identify the Hash Type
- Start Cracking
Understanding Attack Types
Understanding Rules
Understanding Masks
Introduction to Analysis
FAQ
Contact

What is Hashcracky?

Hashcracky is a community hash-cracking site designed for people of all skill levels to level up in the skill of cryptographic hash recovery. We provide challenges and events for players to solve hash-cracking puzzles in a fun and educational way. Hash cracking is a fundamental cybersecurity skill that is difficult to practice and gain experience with. Hashcracky offers a platform for all individuals to advance in a sociable and engaging manner.

All hashes generated for the event are artificial and are not genuine. The hashes are made with learning themes that come from real-life cryptography ideas and experiences. Under no circumstances would we use real hashes in the event. We take extra care to guarantee that every hash is distinct and offers every player an enjoyable yet difficult experience. Our objective is to give every player a secure and instructive learning environment.

Disclaimer: Hashcracky is a fictional event that is not based on any real-world event. Any similarities to real-world events are purely coincidental. Hashcracky is intended for entertainment, educational, and research purposes only. View our Privacy Policy.

How Do Games Work?

Hashcracky hosts games throughout the year. Each game contains several hash lists available for cracking. Games are created with a start and end date. Downloading and submitting hashes is prevented until the game starts. Games have three statuses: active, upcoming, and past. When a game is active, the eligible winners are constantly updated on the leaderboard. When a game ends, winners are locked in, and the game becomes idle for eight hours. After the idle period, the game becomes available for submissions again, the leaderboard will update, but the winners are locked in. The top five players will be awarded crowns on the leaderboard that also persist on their account to show off in future events.

Code of Conduct

We expect all players to promote a positive environment. Treat others with respect. Cheating or unsportsmanlike behavior may lead to disqualification.

Do not engage in any form of cheating or generally uncool behavior.
Do not attempt to disrupt the event or the experience of other players.
Do not use offensive language in public names or communications.
Do not share answers with other players while an event is active.
Do not share materials from an event with non-players while the event is active.
Do not solicit or accept help from non-players while an event is active.

What is Hash Cracking?

Hashes are the result of a one-way algorithm that transforms data into a fixed-length string of characters. Hashes are commonly used in cybersecurity to store authentication information, such as passwords. If the output of the hash function is the same for two inputs, then we likely have a match. Hashes are used to protect sensitive information by ensuring that the original value cannot be easily read or recovered but can still be verified. Hashes are different from encryption, as they are not designed to be decrypted. This makes “decrypted” the wrong term to use when referring to cracking hashes.

Hash cracking is the process of recovering the original value of a hash. This is done by comparing the hash to guessed plaintext values until a match is found. In cybersecurity, hash cracking is a popular technique for recovering secret information from hashed values. It frequently uses wordlists, dictionaries, masks, and rules to produce possible plaintext values. Recovering the plaintext relies on computation to generate and evaluate candidates efficiently.

Concept of hash cracking

Why Hash Cracking Matters

Understanding hash cracking helps security professionals evaluate how well passwords and secrets are protected. By simulating realistic attacks, defenders can recommend stronger policies, detect weak credential reuse, and validate configurations (like algorithm selection, iteration counts, and salt usage).

Ethical practice focuses on controlled, permission-based contexts. Learning these techniques responsibly raises awareness, promotes better password hygiene, and encourages use of password managers and multi-factor authentication.

Security Auditing: Identify weak or guessable credentials.
Defense Improvement: Justify adopting slower, memory-hard algorithms.
Education: Demonstrate the impact of wordlists, rules, masks, and strategy.
Research: Explore patterns in human-generated secrets.
Resilience: Encourage layered defenses beyond just hashing (MFA, rate limiting, secret rotation).

Always apply these skills within ethical and legal boundaries. Hashcracky provides an environment where experimentation is safe, controlled, and oriented toward learning.

Core Terminology

A shared vocabulary accelerates learning and collaboration. These terms appear throughout the guide and in tooling.

Plaintext: The original secret value (e.g., a password) before hashing.
Hash: Fixed-length output of a one-way function.
Algorithm (Mode): A specific hash function or construction (e.g., bcrypt, sha256crypt, HMAC-SHA256).
Salt: Random value added per password to prevent large-scale reuse and rainbow table attacks.
Pepper: Secret value (not stored with the hash) applied in hashing, often via HMAC or app logic.
Iterations / Rounds: Repeated application of the function to slow brute force.
Keyspace: Total number of candidate combinations an attack must explore.
Candidate: A generated plaintext guess tested against one or more hashes.
Wordlist / Dictionary: File of base words or phrases used in straight or hybrid attacks.
Rule: Transformation instruction applied to a base candidate to generate variants.
Mask: Positional pattern defining allowed character classes per position.
Hybrid Attack: Wordlist plus mask (prefix or suffix expansion).
Throughput: Rate of candidate evaluation (often measured in H/s).
GPU Acceleration: Parallel processing hardware significantly increasing hash evaluation speed.
Memory-Hard: Algorithm characteristic that increases memory demands (e.g., scrypt, Argon2).
Recovered / Cracked: A hash for which the original plaintext has been found.
False Positive: A mismatched candidate erroneously assumed correct (rare with strong verification).

These concepts underpin the strategic choices later in the guide (rulesets, masks, hybrid refinement, and analysis).

Hashing Foundations

Hashing is a fundamental concept in cybersecurity and are the result of a one-way algorithm to transform plaintext into ciphertext.

Salts and Peppers

Salts and peppers are additional data added to the hashing process to enhance security. A salt is a random value added to the plaintext before hashing, while a pepper is a secret value applied outside the stored hash (often via application logic or HMAC). Salts ensure identical passwords produce different hashes; peppers raise effort for attackers missing server-side secrets.

$ password="password"
$ salt="test"
$ echo -n "${salt}${password}" | openssl dgst -sha256
SHA2-256(stdin)= 9f735e0df9a1ddc702bf0a1a7b83033f9f7153a00c29de82cedadc9957289b05

Iterations

Iterations increase the security of hashes by increasing the number of times the hashing algorithm is applied. This raises the computational cost to crack. For example, the rounds parameter in sha256crypt determines how many times the SHA-256 hashing algorithm is repeatedly applied to the password and salt.

$ mkpasswd --method=sha256crypt --rounds=1000 --salt=12324566 password
$5$rounds=1000$12324566$9KqrHsJ9mSQJMYBJ0iBLSN4gZaOOPWGbD2NuKz4K1XC

$ mkpasswd --method=sha256crypt --rounds=2000 --salt=12324566 password
$5$rounds=2000$12324566$UpQkGap2msCkdYtu21Va3uEX4Va7vAbyHtX22psDFn7

Hash-Based Message Authentication Code (HMAC)

HMAC creates a keyed hash of data. It is often used to verify integrity and authenticity. In the password context, HMAC is a common way to apply peppers so that computing the hash requires a secret key in addition to the password.

$ message="The quick brown fox jumps over the lazy dog"
$ key="key"
$ printf "%s" "$message" | openssl dgst -sha256 -hmac "$key"
HMAC-SHA256(stdin)= f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8

Nested Algorithms

Some hashing algorithms use multiple rounds of different hashing algorithms to increase security. For example, sha512crypt uses multiple rounds of SHA-512 to create a more secure hash. Sometimes developers will nest algorithms in an attempt to increase security. This is not recommended, as it can lead to unexpected vulnerabilities with little benefit.

$ plaintext="password"; hash="$plaintext"; for i in {1..5}; do hash=$(printf %s "$hash" | md5sum | awk '{print $1}'); printf "Iteration %d: %s\n" "$i" "$hash"; done
Iteration 1: 5f4dcc3b5aa765d61d8327deb882cf99
Iteration 2: 696d29e0940a4957748fe3fc9efd22a3
Iteration 3: 5a22e6c339c96c9c0513a46e44c39683
Iteration 4: e777a29bee9227c8a6a86e0bad61fc40
Iteration 5: 7b3b4de00794a247cf8df8e6fbfe19bf

Getting Started with Hash Cracking

We highly recommend learning the basics of command line interfaces (CLI). Many tasks are easier via CLI, and it’s the fastest way to iterate on cracking strategies. We recommend Hashcat:

Hashcat — powerful, open-source, supports a wide range of algorithms
Hashcat Utils — companion utilities

Identify the Hash Type

$ hashcat hashes.left --identify

Start Cracking

Choose an attack based on the pattern being replicated. Hash cracking is cyclical—incorporate new data, tune attacks, and maximize work sent to the GPU.

$ hashcat -m 1300 -a 0 hashes.left wordlist.txt
$ hashcat -m 17300 -a 0 hashes.left rules.txt
$ hashcat -m 17700 -a 3 hashes.left ?l?l?l?l?l?l

Understanding Attack Types

There are many ways to reach the same plaintext, but only a subset are efficient. Focus on the methodology and patterns; tools are a means to enact strategy.

Dictionary (Straight) Attacks

Use a wordlist of base words, known plaintexts, or common passwords. Often paired with rules to transform candidates. In Hashcat, this is -a 0.

$ hashcat -m 0 -a 0 hashes.txt wordlist.txt
$ hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rule-file.txt

Combination Attacks

Concatenate two lists (optionally apply rules to each side). In Hashcat, this is -a 1. See also combinator from hashcat-utils for writing combined lists to disk.

$ hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt
$ hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt -j "\$\$a\$n\$d\$ :"
$ hashcat -m 0 -a 1 hashes.txt wordlist1.txt wordlist2.txt -k "sa4se3so0"

Brute Force (Mask) Attacks

Try all candidates in a keyspace. In Hashcat, this is -a 3. Use masks and custom charsets to constrain and accelerate search.

$ hashcat -m 0 -a 3 hashes.txt ?l?l?l?l?l?l
$ hashcat -m 0 -a 3 hashes.txt ?d?d?d?d?d?d
$ hashcat -m 0 -a 3 hashes.txt ?u?u?u?u?u?u
$ hashcat -m 0 -a 3 hashes.txt ?a?a?a?a?a?a -i
$ hashcat -m 0 -a 3 hashes.txt ?1?1?1?1?1?1 -1 \?l\?d
$ hashcat -m 0 -a 3 hashes.txt short.mask

Hybrid Attacks

Combine dictionary and mask. In Hashcat this is -a 6 (right) and -a 7 (left).

$ hashcat -m 0 -a 6 hashes.txt wordlist.txt ?d?d?d?d
$ hashcat -m 0 -a 7 hashes.txt ?d?d?d?d wordlist.txt
$ hashcat -m 0 -a 6 hashes.txt wordlist.txt ?l?l?l?l
$ hashcat -m 0 -a 7 hashes.txt ?l?l?l?l wordlist.txt
$ hashcat -m 0 -a 6 hashes.txt ?1?1?1?1?1?1 -1 \?l\?d
$ hashcat -m 0 -a 7 hashes.txt ?1?1?1?1?1?1 wordlist.txt -1 \?l\?d
$ hashcat -m 0 -a 6 hashes.txt wordlist.lst ?a?a?a -i
$ hashcat -m 0 -a 7 hashes.txt ?a?a?a wordlist.lst -i

Understanding Rules

Rules are run on the GPU and maximize throughput. They can be stacked for complex transforms. In Hashcat, apply with -r.

$ hashcat -m 0 -a 0 hashes.txt wordlist.txt -r best64.rule
$ hashcat -m 0 -a 0 hashes.txt wordlist.txt -r OneRuleToRuleTheMall.rule
$ hashcat -m 0 -a 0 hashes.txt wordlist.txt -r append.rule -r toggle.rule
$ hashcat -m 0 -a 0 hashes.txt wordlist.txt -r prepend-toggle.rule -r leetspeak.rule
$ hashcat -m 0 -a 0 hashes.txt wordlist.txt \
  --generate-rules=50000 --generate-rules-func-min=3 --generate-rules-func-max=3 \
  --generate-rules-func-sel=ioyrzZ+[]{}* --loopback

Common rule primitives:

: Do nothing (pass through).
l Lowercase candidate.
u Uppercase candidate.
c Capitalize first letter, lowercase rest.
Tn Toggle case at position n.
^x Prepend x.
$x Append x.
[ Truncate left.
] Truncate right.
inx Insert x at position n.
onx Overwrite at position n with x.
sxy Substitute x with y everywhere.
'n Truncate to n characters.
@n Purge all instances of character n.
E (ex) Title case after every space or every character x.
Dn Delete character at position n.
d Duplicate candidate.

Example to add "TEST" to the front and back of each candidate:

^T ^E ^S ^T
$T $E $S $T

Understanding Masks

Masks specify a character class at each position. They’re ideal for modeling structures and narrowing keyspaces.

?l abcdefghijklmnopqrstuvwxyz
?u ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d 0123456789
?h 0123456789abcdef
?H 0123456789ABCDEF
?s space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a ?l?u?d?s
?1 0x00–0xff (custom when defined)

Examples for “Hashcracky123!”:

?u?l?l?l?l?l?l?l?l?l?l?l?d?d?d?s
Jabber?l?l?l?l?l?l?l?l?l?d?d?d?s
Hashcracky?d?d?d?s
Hashcracky?1?1?1?s -1 \?d
?1?1?1?1?1?1?1?1?1?1?1?1?d?d?d?s -1 \?l\?u\?d\?s
?1?1?1?1?1?1?1?1?1?1?1?1?2?2?2?2 -1 \?l\?u -2 \?d\?s

Introduction to Analysis

Analysis identifies patterns, trends, and anomalies. In Hashcracky, analysis can help reveal common sources or theme patterns per list. Capture Hashcat debug output to see which rules and candidates perform the best.

$ hashcat -m 0 -a 0 hashes.txt wordlist.txt --debug-mode=1 --debug-file=data.debug

Hashcat debug modes:

1: Finding-Rule
2: Original-Word
3: Original-Word:Finding-Rule
4: Original-Word:Finding-Rule:Processed-Word
5: Original-Word:Finding-Rule:Processed-Word:Wordlist

Frequency sort to find common entries:

awk '{freq[$0]++} END {for (line in freq) print freq[line], line}' data.debug | sort -nrk1

FAQ

How do I change or reset my password?
Use the password reset feature at /request-password-reset with the reset token provided at registration and after password resets.

Can I recover my password reset token?
No. If you lose your token, you will not be able to reset your password.

Can I change my username?
No. To change your username, create a new account with the desired name.

Do you sell my data?
We do not store sensitive user data, and we do not sell user data. See the Privacy Policy.

How are user passwords stored?
HMAC-Bcrypt with 8192 iterations.

How is the authentication secret generated?
RSA 4096 is used to generate the authentication secret.

How long is the authentication token valid?
30 days.

What submission formats are accepted?

multipart/form-data
application/json

Are there rate limits?
Yes, rate limits are in place to prevent abuse. The limits are implemented per API endpoint and will return HTTP 429 if exceeded.

How can I keep family and friends safe from password attacks?
We recommend:

Use a password manager to generate and store unique passwords per account.
Enable Two-Factor Authentication (2FA) where available.
Prefer strong Multi-Factor Authentication (MFA), such as hardware tokens or passwordless.
For memorized passwords, use a multi-word passphrase with separators, numbers, and special characters.

What is Hashcracky built with?
Go, HTML, and JavaScript.

Contact

Email contact@hashcracky.com. Hashcracky is a one-person operation—thanks in advance for your patience.