Team hashcat has won CMIYC 2015!
12:01AM Las Vegas Time - Sunday August 9th 2015.


We hope everyone had a good time this year. This is our 6th year running the Crack Me If You Can contest and we are happy that the community continues to grow and enjoy the contest. KoreLogic is happy to continue to support the contest as long as the community wants us to.

We figured we would take a little time to explain this year's contest. Every year, our goal is to test the skills of the world's best password crackers. There are certain skills that we think every password cracker should have. Every year, it gets harder and harder for us to come up with ideas to test the password cracking community.

In previous years, some of the themes have been:

  • The ability to create wordlists based on certain categories
  • Create custom rules based on cracks
  • Non-hash formats such as zip, rar, pdf, xls, doc, docx, etc
  • Newer hash formats such as Sun MD5 Crypt, SCrypt
  • Passphrases
  • The ability to CREATE complex passwords (2014)

That leads us to this year's theme, "International". If you look around at most wordlists and wordlist creators, they are geared toward the English language, as are a majority of the rule files that are now widely distributed (including the ones we contributed back in 2010).

During the course of various penetration tests, KoreLogic has noticed that in non-US countries, passwords in native non-English alphabets can be UTF-8. The common tools that we all love support UTF-8, but do the password crackers know how to use them? As a community, do we have rulesets that are based on UTF-8? Do we have statistics of common UTF-8 words from various languages? Do we have 'markov' chains for other languages? Do we have rules that can turn a lower case letter into its upper case equivalent for languages that aren't [a-zA-Z]? Do we have keyboard-patterns for non-QWERTY (or Dvorak) keyboards? Hopefully, after this year's contest the answer is "we do now".

This was the primary goal of 2015 CMIYC. We want the tools - and the people who use them - to better support UTF-8, and rule sets and wordlists to be more diverse as well.

We do not know what 2016 will be like; we continue to be grateful to DEFCON for allowing us to run the contest. Trying to come up with another theme to challenge this community is quite difficult. We would love to ditch the teams, and require 1-person "teams" only. But that would be impossible to enforce.

As always we try to make the contest not be about having the most computing power. Crack, analyze, innovate, customize, complain to the CMIYC team, crack some more. Repeat.

We highly encourage _all_ teams to do a write up about your thought process this year. We also highly encourage all teams to publish wordlists and rule sets this year as well. This will greatly benefit the password cracking community as well.

Thanks also to the PasswordsCon team as well. We highly encourage all password crackers to support and attend all PasswordsCon events.

I assure you, we are just as tired as you all are. Let's all go to sleep and talk about this in a week or two ;)

- Minga and the entire CrackMeIfYouCan team at KoreLogic.