Hashcracky Guide

Hashcracky is a free social training platform for hash recovery. Players and teams compete in time-limited events to recover as many plaintext passwords as possible from curated hash lists - all in a safe, ethical environment.

Important: Every hash on the platform is artificially generated for educational purposes. We never use real-world hashes or actual leaked credentials. Each hash is carefully crafted to teach specific concepts and techniques while ensuring a safe learning environment.

Whether you are a seasoned professional or just starting out, Hashcracky gives you a place to develop your skills, compete with peers, and have fun doing it.

Registration requires only a username and password. No email, no real name, no tracking. Your privacy is a core principle of the platform.

After registering, you can immediately browse games, download hash lists, and start submitting recovered plaintexts.

1. Head to the Home page and find an Active game.
2. Click the game card to open the Game Page.
3. Go to the Lists tab and download a hash list.
4. Use your favourite hash recovery tool (e.g. Hashcat, John the Ripper) to crack as many hashes as you can.
5. Upload your results through the Submit button on the same Lists tab, or use the provided curl command available next to each list for API submissions.
6. Watch your name climb the Leaderboard in real time!

Tip: If you are on a team, your team captain can submit results on your behalf using the ?credit=USERNAME query parameter - this is the recommended method for teams since it lets the captain handle all submissions centrally while individual players focus on cracking.

1. Upcoming: Competition announced but not yet active. Hash lists are not yet available for download. Teams can be created and organized during this stage - use this time to recruit members and plan your strategy.
2. Active: Hash lists available for download, submissions accepted. A live countdown timer shows the remaining time. This is when the boss encounter is live and milestones can be triggered.
3. Idle (8-hour freeze): When an event ends, an 8-hour freeze period begins. The final leaderboard snapshot is locked, winners are determined, and crowns are awarded. No submissions are accepted during this window.
4. Past: Archived. Submissions are accepted again for practice, but placements and crowns are already finalized. Your recoveries still count toward your personal stats and seasons data.

Each competition may contain one or more hash lists, each with up to 450,000 hashes. Events typically run for 5 days but can vary. Hash lists may include a mix of hash types and difficulty levels within the same game.

Points are awarded based on the total value of hashes recovered. Each hash in a list has a point value determined by its algorithm and difficulty. Leaderboards update in real time as submissions are processed. Click any player's name to expand and view their per-list recovery progress, including per-algorithm breakdowns of what they have cracked.

Each game's leaderboard has two modes: Current (live standings reflecting all submissions including post-event practice) and Event End (the snapshot taken when the competition ended, which determines final placements and crowns).

Teams on the leaderboard: Teams appear as separate entries alongside individual players. A team's score is the union of all members' found hashes - duplicates across team members are automatically deduplicated. This means individual players keep their own stats while the team gets credit for every unique hash any member finds.

The top five players in each competition receive crowns that persist on their profiles. The winner receives two crowns instead of one.

Crowns are awarded after the 8-hour idle freeze when the game transitions to the completed state, based on the event-end leaderboard snapshot. Crowns are permanent and visible on the Seasons Dashboard.

Every game features a Boss - a shared challenge that all players work together to defeat. Check the Boss tab on any game page to see the boss's health bar, current milestones, and damage stats.

Boss health is calculated as the total number of hashes across all lists multiplied by 10 (minimum 1,000 HP). For example, a game with 5,000 hashes has a boss with 50,000 HP.

Damage tiers: Each accepted hash deals damage based on whether it is new to the whole game or just to you:

• Game-unique hashes (no one in the game has found them before) deal the full damage per submission value, which starts at 1 and rises with milestone progression.
• Player-unique hashes (already found by another player but new to you - for example, when you crack a list a teammate has already worked on) deal a flat 1 damage per hash, plus your equipped item's rarity bonus (see the Items section below).
• Bounty board progress applies a global multiplier to every submission's damage, scaling linearly with how many of the game's bounties have been credited (capped at +5% when all bounties are found). See the Bounty Board section for details.

The Boss tab shows a live formula breakdown - (game-unique × DPS + player-unique × 1 (+item bonus)) × (1 + bounty progress × 5%) - so you can see exactly how a submission converts to damage.

Milestones: There are 15 milestones across three categories - total submissions, unique hashes recovered, and number of distinct players who have submitted. Each milestone reached permanently increases the global damage per submission for everyone. Milestones stack, so reaching all of them significantly boosts how quickly the boss takes damage.

When the boss is defeated, a hidden bonus hash list of 50,000 MD4 hashes is unlocked in the Lists tab. These bonus hashes are generated from the same plaintexts used across the game's other lists, re-hashed with MD4. They are worth extra points and can reveal helpful information about the other event lists (e.g. shared plaintext patterns).

Strategy tip: The boss is designed to be difficult to defeat without community effort. Think carefully about timing - coordinate with other players to trigger milestones and defeat the boss before the event ends. If no one submits before the event ends, the bonus list is lost forever. Getting more players to submit even a few hashes helps trigger player-count milestones and increase damage globally.

Each game's Bounty tab shows a curated set of bounty hashes sampled from every list. Bounties are sampled at game-creation time using stratified bucket sampling across the score distribution, so the pool contains a balanced mix of low-, mid-, and high-value targets - up to 500 bounties per list.

Bounties are hidden until the game becomes active. Once the game starts, the bounty hashes (and their algorithm) are revealed in the Bounty tab and every newly credited bounty raises the global boss damage boost for the rest of the game.

Bounty board boost is a global multiplier on every submission's tier damage, scaling linearly with completion of the bounty board: boost = (bounties found / total bounties) × 5%. So if a game has two lists with 500 bounties each (1,000 total) and 100 have been claimed, every submission gets +0.5%; at 500 claimed it is +2.5%; at 1,000 claimed the full +5% cap is unlocked. The boost rewards the entire team for collective bounty completion, regardless of who actually cracked which bounty.

Plaintexts and finder credit are shown next to each bounty in the table once it has been claimed, giving you a live view of which bounty hashes are still up for grabs and which players are picking them off.

Each game has its own Items tab where players can earn and equip items that boost the damage they personally deal to the boss. Items are scoped to the game they were rolled in - they do not carry over between games.

Earning reroll credits: Every 10,000 hashes you find in a game earns one reroll credit. Progress accumulates across all of your submissions, so many small batches earn credits at the same rate as one large batch.

Rolling an item: Spending one credit generates a preview of 5 candidate items (a credit is consumed at this step - the act of rolling is what costs a credit, not the equip click). Pick one candidate to equip and the others are discarded. If you do not like any of the candidates you can spend another credit to roll a fresh set of 5.

Rarity tiers and damage bonus: Each candidate is independently rolled with a weighted rarity distribution (weights 100 / 10 / 5 / 1 out of 116, giving the approximate odds shown below). The equipped item's rarity adds a flat bonus to the damage of every player-unique hash you find (it does not apply to game-unique hashes, which already deal the milestone-scaled damage per submission):

• Common (~86.2%): +1 damage per player-unique hash.
• Uncommon (~8.6%): +2 damage per player-unique hash.
• Rare (~4.3%): +4 damage per player-unique hash.
• Legendary (~0.9%): +8 damage per player-unique hash.

Items also have a randomly rolled element (Fire, Water, Earth, Shadow, Light or Arcane), class (Melee, Magic or Ranged), and a generated display name. These are flavour and visuals only - only the rarity affects damage.

The Seasons Dashboard tracks player performance across every game. It shows total cracks, points, games played, per-list recovery percentages, and crown counts. Use it to explore the community, track your own progress over time, and see how you compare to other players across all events.

Each game page has several tabs:

• Overview: Game description, status, countdown timer, and recognition statistics showing top players and list recovery rates.
• Lists: Download hash lists (with remaining-hash filtering), submit founds via file upload, and copy pre-built curl commands for API submissions.
• Leaderboard: Player and team rankings with per-list progress drill-down. Click any entry to see detailed per-list and per-algorithm recovery breakdowns.
• Boss: Boss health bar, milestone progress cards with live tracking, the per-tier damage breakdown for your next submission, and bonus list reveal status.
• Bounty: Curated bounty hashes for each list. Each newly credited bounty during an active game raises a global boss damage boost (capped at +5% when all bounties are claimed).
• Items: Per-game items that you earn reroll credits for as you submit hashes. The equipped item's rarity adds a flat bonus to the damage of each player-unique hash you find.
• Announcements: Real-time feed of submission events, first-bloods, and notable achievements.
• Teams: Create, join, manage, and leave teams. View team rosters and join policies.
• Scores: Time-series chart showing found counts over time for each player, useful for analyzing pacing and strategy.

At the bottom of every game page, a scrolling Event Ticker displays notable game events such as lead changes and lifecycle transitions.

The Lists tab provides a download option for each hash list. By default, the download is dynamic - it automatically excludes hashes you (or your team, if applicable) have already found. This lets you focus your cracking effort on unrecovered hashes without wasting time on duplicates.

You can also download the full original list by toggling off the dynamic filter. This is available via the API with the ?dynamic=false query parameter on the hashes endpoint.

Submissions use hash:plaintext format, one per line. For salted hashes, include the salt:

# Unsalted: Hash:Plaintext
5f4dcc3b5aa765d61d8327deb882cf99:password

# Salted (concatenated): Hash:SaltPlaintext
e16b2ab8d12314bf4efbd6203906ea6c:testpassword

# Salted (separated): Hash:Salt:Plaintext
e16b2ab8d12314bf4efbd6203906ea6c:test:password

The platform attempts multiple salt arrangements when validating your submission, so either format is accepted as long as the correct salt value is present. Values encoded as $HEX[...] (common in Hashcat output) are automatically decoded before validation.

• Web Interface: Upload a file through the Lists tab on the game page using the Submit button.
• API: POST to /api/game/GAME_ID/LIST_ID/submit with your auth token. Each list on the game page provides a pre-built curl command you can copy and use directly.
• Captain credit submission: Team captains can submit on behalf of teammates by appending ?credit=USERNAME to the submission URL. This is the recommended method for teams - the captain handles all submissions centrally while teammates focus on cracking.

Accepted content types:

• multipart/form-data - File uploads (web interface and curl with -F)
• text/plain - Raw text body (curl with --data-binary)
• application/json - JSON payload with lines array

Each submission can contain up to 500,000 lines. Break larger sets into batches if needed.

1. Lines are deduplicated within the submission.
2. $HEX[...] encoded values are automatically decoded.
3. Each line is validated against the game's hash list to confirm the hash:plaintext pair is correct.
4. Lines already found by you are rejected as duplicates - you cannot submit the same hash twice.
5. Valid, new hashes are recorded as your founds and your points update immediately.
6. Each accepted hash also deals damage to the boss based on the current damage-per-submission value.

After each submission, a summary is returned showing how many lines were accepted, rejected, and the specific reason for each rejection (invalid pair, duplicate, already found, decode failure). When using the API, this is returned as a JSON response.

Submissions are accepted during Active and Past game states only. During the 8-hour idle freeze after an event ends, all submissions are blocked - this ensures the final leaderboard is fair and no last-second submissions can change placements.

Post-freeze submissions (in Past state) count toward your personal stats, seasons data, and per-list progress, but they do not affect event-end placements or crown awards. Past games are a great way to practice without time pressure.

Every list on the game page provides a copy-able curl command pre-configured with the correct game ID, list ID, and endpoint. Simply paste your auth token and point it at your output file.

Note: All POST/PUT/PATCH/DELETE requests to the API must include the X-Requested-With: XMLHttpRequest header (a CSRF defense-in-depth check on top of SameSite=Strict cookies). Read-only GET requests do not need it. The copy curl buttons on the game page already include this header for you.

Basic submission:

curl -X POST \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: text/plain" \
  --data-binary @founds.txt \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/submit"

Captain credit submission (submit on behalf of a teammate):

curl -X POST \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: text/plain" \
  --data-binary @founds.txt \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/submit?credit=teammate_username"

Download remaining hashes (excludes already found):

curl -H "Authorization: Bearer YOUR_TOKEN" \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/hashes"

API endpoints are rate-limited to prevent abuse. Exceeding limits returns HTTP 429. Wait for the time specified in the Retry-After header before retrying.

Navigate to the Teams tab on any game page. Each team can have up to 8 members (including the captain). Teams can be created as soon as a game appears on the site, even during the Upcoming state - use this time to organize before the event goes live.

Three join policies:

• Open: Any player can join immediately, no approval needed.
• Request (default): Players send a join request. The team captain must approve or deny each request before the player can join.
• Invite-only: Only players who have received an invite from the captain can join. Players cannot request to join.

Each player can only be on one team per game. If you want to switch teams, you must leave your current team first.

• Each team member submits individually, just like solo players.
• Team founds are the union of all members' founds - if two members both crack the same hash, it only counts once for the team.
• Team scores are dynamically recalculated as members submit, join, or leave.
• Individual stats are maintained separately - being on a team does not affect your personal leaderboard position or stats.
• Teams and individual players appear as separate entries on the leaderboard.

Strategy tip: Divide hash lists among team members and assign different attack strategies to each person. Since team scoring uses the union of all founds, there is no penalty for overlap, but maximum coverage gives the best results. Have some members focus on easy wins while others target harder algorithms.

The team captain has special abilities beyond regular team members:

• Invite members: Send invites to specific players to join the team.
• Respond to join requests: Approve or deny players requesting to join (when using Request join policy).
• Credit submissions: Submit hashes on behalf of teammates using the ?credit=USERNAME query parameter.

Credit submission is the recommended method for teams. It allows the captain to act as the central submission point - collect cracked hashes from all team members and submit them, crediting each teammate appropriately. This simplifies coordination and ensures everyone gets proper credit for their work.

# Captain submits on behalf of teammate "alice"
curl -X POST \
  -H "Authorization: Bearer CAPTAIN_TOKEN" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: text/plain" \
  --data-binary @alice-founds.txt \
  "https://hashcracky.com/api/game/GAME_ID/LIST_ID/submit?credit=alice"

The credited teammate receives all points and found credit as if they submitted directly. The captain must be on the same team as the credited user, and only the captain can use this feature.

Any member can leave at any time. When you leave, the team's found count and score are recalculated dynamically based on the remaining members' contributions. Your individual stats and founds are completely unaffected.

You can join or create a different team within the same game after leaving. If the captain leaves, the role is automatically transferred to another team member.

Note: Because team scores are the union of all members' founds, a departing member's unique contributions are removed from the team total. Plan your team composition carefully during events.

Submissions can be rejected for several reasons: the hash:plaintext pair does not match any entry in the game's hash list, the line was already submitted by you in a previous submission, the line is a duplicate within the current submission, or a $HEX[...] encoded value could not be decoded. The submission summary displayed after each upload shows the specific reason for every rejected line, including counts for each rejection category. Check your output format and ensure you are submitting to the correct list.

When a hash list uses salts, you must include the salt in your submission so the platform can verify the recovery. You can submit in the format hash:salt:plaintext (salt and plaintext separated) or hash:saltplaintext (salt concatenated with plaintext). The platform attempts multiple salt arrangements when validating your submission, so either format will be accepted as long as the correct salt value is present.

Yes. After the 8-hour idle freeze completes and the game transitions to the Past state, submissions are accepted again. Your recoveries will count toward your personal stats and per-list progress, but they will not affect the finalized event-end placements or crown awards. Past games are a great way to practice and develop your skills without time pressure.

Teams are fully dynamic. When you leave a team, the team's found count and score are recalculated based on the remaining members' contributions. Your individual stats and founds are not affected. You are free to join or create a different team within the same game after leaving. If you are the captain and you leave, the captaincy is automatically transferred to another team member.

Team captains can submit on behalf of any teammate by adding ?credit=USERNAME to the submission URL. The credited player receives all points and founds as if they submitted directly. Only the team captain can use this feature, and the target user must be on the same team. This is the recommended way to handle team submissions - the captain collects cracked hashes from all members and submits them centrally, crediting each person appropriately.

Each accepted hash deals damage based on which tier it falls into:

• Game-unique hashes (no one in the game has cracked them before) deal the full damage per submission, which starts at 1 and rises with milestones.
• Player-unique hashes (already cracked by another player but new to you) deal a flat 1 damage, plus your equipped item's rarity bonus if any.
• Bounty board progress applies a global multiplier to the combined tier damage above, scaling linearly with completion of the bounty board (capped at +5% when all bounties are claimed).

There are 15 milestones across three categories (total submissions, unique hashes recovered, and distinct players). All milestone bonuses stack - reaching every milestone significantly increases the global damage rate for everyone. The boss cannot be defeated without community effort and milestone progression.

Bounties are a curated subset of each list's hashes (up to 500 per list, sampled with stratified bucket sampling so a balanced low/mid/high-value mix is selected). The bounty list is hidden until the game becomes active, after which it is shown on the Bounty tab.

While a game is active, every credited bounty raises a global boss damage boost shared by every player. The boost is (bounties found / total bounties) × 5%, applied as a multiplier on every submission's combined tier damage. So 100 of 1,000 bounties found gives every submission +0.5%, 500 of 1,000 gives +2.5%, and finding all bounties unlocks the full +5% cap. Bounty progress benefits the whole team, not just the cracker who happened to land the match.

Each game has its own Items tab. Every 10,000 hashes you find earns one reroll credit. Spending a credit generates a preview of 5 candidate items - the credit is consumed when you roll, not when you equip. Pick one candidate to equip; the others are discarded. If you don't like any of them, spend another credit to roll a fresh set.

Items have a rarity that determines their gameplay impact: the equipped item adds a flat damage bonus to every player-unique hash you find - Common +1, Uncommon +2, Rare +4, Legendary +8. The bonus does not apply to game-unique hashes (which already deal the milestone-scaled damage per submission). Element, class, and the generated display name are flavour only and do not affect damage.

When the boss's health reaches zero, a hidden bonus hash list of 50,000 MD4 hashes is revealed in the Lists tab. These hashes are generated from the same plaintexts used in the game's other lists, re-hashed with MD4. Cracking them earns extra points and can help reveal patterns useful for the other event lists. If the boss is not defeated before the event ends, the bonus list is lost and cannot be recovered.

A GPU is not strictly required. Many players compete successfully with a single dedicated GPU, and CPU-only participants can still place well through effective strategy, thoughtful rule and mask creation, and good analysis of recovered plaintexts. More computing power helps speed up attacks, but it is not the only factor that determines success.

No. There are absolutely no restrictions on what tools, hardware, cloud services, or distributed setups you use. Hashcat, John the Ripper, custom tools, cloud GPU instances, multi-machine rigs - anything goes. Get creative and have fun.

The project started as Jabbercracky and started from a workshop I created. The workshop had an "skills test" list and I enjoyed cracking CTFs and was a big fan of using CMIYC lists for learning. Hashpwn and HashMob helped with early community efforts and collaboration. Users like Tycho, Flagg, JP, Phurtim, Stealthsploit, A1131, Partly, Fordy, Kpd, Chick3nman, and countless others helped give suggestions and feedback. After DEFCON33, we transitioned to making a more collaborative experience and rebranded to Hashcracky. We stand on the shoulders of giants and without the community, hashcracky would not exist. In memoriam Flagg.

Email contact@hashcracky.com to start a conversation. We will work with you to understand your goals, select a theme and difficulty, and schedule an event that fits your needs.

Hashcracky is designed to operate with minimal data collection. The platform does not require or store email addresses, real names, or other personally identifiable information. Account data is limited to a username, an encrypted password, and competition activity (submissions, scores, achievements). Technical data such as IP addresses and user-agent strings is processed temporarily in memory for rate-limiting and anti-abuse purposes and is not persistently stored under normal operation.

For full details, please review our Privacy Policy.

We expect all participants to maintain a positive, respectful environment:

• Do not engage in any form of cheating or generally uncool behavior.
• Do not attempt to disrupt the event or the experience of other players.
• Do not use any form of offensive language in public names or communications with other players and organizers.
• Do not solicit or accept help from external parties while an event is active.

Violations may result in warnings, temporary suspensions, or permanent bans.

Nested algorithms apply multiple hash functions in sequence. The innermost function is applied first and its output is fed into the next. Some nested variants also incorporate a salt at various positions in the chain.