Each time I teach my Security class, I give a month-long lab to crack as many passwords as possible. For this fall’s contest (opened on October 4, 2021), I used two different hash types: MD5 and SHA-512. The contest closed on November 5th at 11:59 PM EST. The password hashes (16 total):


105 submissions across two classes. The answers:

  • (MD5) papabear:ishikariense => 94 students cracked this
  • (MD5) bluebear:Leto => 99 students cracked this
  • (MD5) carebear:panthers => 104 students cracked this
  • (MD5) polarbear:931592 => 52 students cracked this
  • (MD5) sisterbear:QHVRMHG => 1 student cracked this
  • (MD5) barneybear:hUYBW5tB => 0 students cracked this
  • (MD5) grizzlybear:WwdQUyJdXb => 0 students cracked this
  • (MD5) mamabear:nwf_eBB{Bm => 0 students cracked this
  • (SHA-512) brotherbear:hedleyite => 63 students cracked this
  • (SHA-512) pandabear:41255066 => 71 students cracked this
  • (SHA-512) cozybear:jacket025 => 53 students cracked this
  • (SHA-512) fancybear:letmein123 => 97 students cracked this
  • (SHA-512) teddybear:IDQhVo => 1 student cracked this
  • (SHA-512) blackbear:zL8sYNSY => 0 students cracked this
  • (SHA-512) yogibear:9ewmgtGJv6 => 0 students cracked this
  • (SHA-512) jackbear:^/h5AVNH=b => 0 students cracked this

To earn all 10 / 10 points for the lab, students had to crack 6 or more passwords. The final distribution:

8 (x15)
7 (x29)
6 (x30)
5 (x13)
4 (x10)
3 (x4)
2 (x2)

The winner’s methodology and haul:

Passwords Cracked (10):



carebear    : found in rockyou.txt (MySpace leak)
polarbear   : bruteforced all 1-8 length digit combinations
papabear    : found in crackstation's password dictionary
bluebear    : found in crackstation's password dictionary
pandabear   : found in crackstation's password dictionary
fancybear   : found in crackstation's password dictionary
brotherbear : found in crackstation's password dictionary
cozybear    : found in the Hashmob Combined Full wordlist
sisterbear  : bruteforced length-7 all uppercase
teddybear   : bruteforced length-6 uppercase-lowercase combinations

General details:

Since I did not have enough power to bruteforce longer passwords,
I decided to bruteforce smaller keyspaces using the mask feature of Hashcat,
starting small (e.g. only lowercase) and working my way up to harder ones.
Additional Hashcat flags I like to use:

    -O : optimized kernel
    -w4 : using as many resources as possible. I turn this down to
          w3 if I'm doing something else on my computer.
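
Added example (not part of the winner's write-up): a short calculation of why the masks above finished while the 8- and 10-character random passwords in the answer list went uncracked. It uses hashcat's built-in mask classes; the guess rate is an assumed round number, not a benchmark, and the function names are hypothetical.

```python
import string

# hashcat's built-in mask classes: ?l, ?u, ?d and ?s (space plus 32 punctuation marks).
CLASSES = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
    "?s": " " + string.punctuation,
}

# Assumed round-number guess rate for illustration only, not a benchmark of any hardware.
ASSUMED_GUESSES_PER_SECOND = 1e9


def classes_used(password):
    """Return the sorted mask classes needed to cover every character."""
    used = set()
    for ch in password:
        match = [name for name, chars in CLASSES.items() if ch in chars]
        if not match:
            raise ValueError(f"{ch!r} is outside printable ASCII")
        used.add(match[0])
    return sorted(used)


def keyspace(password, incremental=True):
    """Candidates an exhaustive search must try: lengths 1..n, or n only."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    n = len(password)
    lengths = range(1, n + 1) if incremental else (n,)
    return sum(alphabet ** k for k in lengths)


def report(passwords, rate=ASSUMED_GUESSES_PER_SECOND):
    """Rows of (password, classes, keyspace, worst-case days), smallest first."""
    rows = [(p, "".join(classes_used(p)), keyspace(p), keyspace(p) / rate / 86400)
            for p in passwords]
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    # Passwords taken from the answer list above: three that fell to masks, three that did not.
    sample = ["931592", "QHVRMHG", "IDQhVo", "hUYBW5tB", "WwdQUyJdXb", "^/h5AVNH=b"]
    for pw, classes, size, days in report(sample):
        print(f"{pw:<12} {classes:<10} {size:>26,} {days:>18,.2f} days")
```

At the assumed rate the digit, uppercase-only and mixed-case length-6 spaces finish in seconds, while the full 95-character space at length 10 runs to hundreds of thousands of days.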

Methodologies used by students:

Used john the ripper, ran simple "john file.txt" for 3.5 days and
found 3 passwords so far that way. Also ran john with password lists
from danielmiessler using --format=sha512crypt to get fancy bear,
and --format=HMAC-SHA256 for cozy bear.

carebear: panthers

bluebear: Leto

polarbear: 931592

fancybear: letmein123

cozybear: jacket025

pandabear: 41255066



Used wordlists: 
    - darkc0de.txt
    - Common-Credentials/500-worst-passwords.txt
    - Common-Credentials/100k-most-used-passwords-NCSC.txt
    - unkown-azul.txt
    - Keyboard-Combinations.txt
    - darkweb2017-top10000.txt
    - xato-net-10-million-passwords.txt

I mainly used John the Ripper, and let it run in the background 
while I did other work. Specifically I looked for LONG wordlists,
that are MB long, so that I minimized the amount of time that I
spent picking/setting up/running the commands.

I also let my computer run overnight, changing the screen display 
to never time out. I hear that's bad for my battery, but my 
battery is already pretty bad, so I always make sure to have my
charger with me.

carebear: panthers, I cracked this password using john without adding
my own wordlist.

bluebear: Leto, I cracked this password by passing the first 8 into
john using the 10 million most common passwords as the wordlist.

fancybear: letmein123, I cracked this password by passing the last 8
into john using the 10 million most common passwords as the wordlist.

pandabear: 41255066, I cracked this password by passing the last 8
into john using the 10 million most common passwords as the wordlist.

cozybear: jacket025, I cracked this password by passing the last 8
into john using the 2020-200_most_used_passwords.txt

papabear: ishikariense, I cracked this password by passing the first 8
into john using the darkc0de.txt as the wordlist.








I divided the given set of hashes into two files based on hash
type. Then, I concatenated all of the text files in the outermost
directory of the SecLists Password folder into one large file of
passwords. I did the same for each directory within Passwords. Then I
ran John-Jumbo with each of these lists on each of the two files of
hashes. I also ran the MD5 passwords with a larger list from







For the MD5 hashes, I primarily used John the Ripper to crack the
passwords. I went through all files in SecLists and also went online
for additional lists such as Kaonashi. For the SHA512 hashes, I used
hashcat because I realized it would be faster after John the Ripper
took too long. I reran hashcat with the largest text files in SecLists
to search for SHA512, which is how I managed to find the 3 SHA512
hashes listed as the bottom 3 from the list above.

Passwords Cracked:



It did not take much time to realize that password cracking takes a
lot of time. Before starting I did a bit of research on john and
hashcat to understand how to efficiently use them. Additionally, I
searched the web for more wordlists other than those in SecLists to
download and run with the password crackers.

After doing a bit of research I tried to split the given passwords into
two separate files, one file contained the md5 typed passwords and the
other contained the sha512 typed passwords. I then tried to use
hashcat, but after spending some time on it and reading tutorials, I
was not able to get the correct settings and kept getting warnings, so I
resorted to using john.

My first run of john I ran without any arguments on the file
containing the md5 passwords. I quickly got carebear's password this
way, (carebear:panthers), after which john then began its incremental
password cracking strategy. I left john running on this mode for quite
some time (about 2 days) and was unsuccessful in cracking any more
passwords, so I decided to terminate the process and try more

With this methodology I was able to crack a number of passwords. Using
the bt4-password.txt wordlist, I cracked bluebear's password
(bluebear:Leto). Using the darkc0de.txt wordlist, I cracked
papabear's password (papabear:ishikariense). Using a wordlist that I
had downloaded from the internet, kaonashi.txt, I cracked polarbear's
password (polarbear:931592).

While john ran to crack these passwords, I was doing more research on
how to crack the password hashes. One strategy was to literally search
for the usernames and hashes in Google. To my surprise, I found write-ups
of previous CS116 Password Cracking Contests this way. Since any
method other than collaborating with other students in the class was
fair game, I looked at the password solutions for every previous
password contest and made my own wordlist this way. However, even
though I was sure at least L1verpool would be a password this year,
as it had been a password used multiple times in previous semesters,
this wordlist did not yield any cracked passwords.

After my wordlist of previous passwords was made, I found that it was
getting a bit tedious having to switch from wordlist to wordlist once
a wordlist had finished.  Additionally, if I were not at my computer
at the time a wordlist finished I lost valuable password cracking
time. To resolve this, I created a simple script in BASH that took in
a file of password hashes to crack, and a directory filled with
password cracking wordlists. The script would then proceed to run john
using each wordlist in the directory with the provided password hash
file. This method saved a lot of time as I would no longer have to
continuously check the progress john was making on a single wordlist
as the next wordlist in the directory would automatically run. I even
installed an application to my computer to prevent my computer from
going to sleep so the script could run continuously.

I let the script run for approximately a week on all the wordlists I
had downloaded, and was able to crack the following passwords:

- fancybear:letmein123 with wordlist 000webhost.txt
- cozybear:jacket025 with wordlist 100k-most-used-passwords-NCSC.txt
- pandabear:41255066 with wordlist
- brotherbear:hedleyite with wordlist bt4-password.txt

Some other methods I used included running a 15GB wordlist on a
separate computer I had available to me. This took a week to complete,
and after it completed, the passwords it cracked were ones I had
already cracked with the methods I used above.  Additionally, I looked
into running a password cracker on a cloud server; however, this
method was not practical for me to use. Having really only one other
computer (my laptop) available at this point, I was consistently moving
around and losing connection with the cloud server, which would then
stop the process. I attempted to research a way to resolve this issue
but was unsuccessful; likely with more time and experience with cloud
servers I would have been successful in solving this issue.

All in all, this was a great learning experience. In future password
cracking, some ways I would adjust my methods would be to merge all
the wordlists I plan to use into one master wordlist and remove any
intersections that might be found between wordlists.  Having zero
duplicates between wordlists would save a lot of time as it would avoid
processing the same password multiple times. I would also designate a
single computer to run the password cracker and a cloud server at the
same time so I would still have full use of the computer I use for
work. The main lesson learned is that password cracking takes a lot of
time and resources, and the more time and resources you have available
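to you, the more successful you will be.

BASH Script

    #!/bin/bash
    # Run john against one hash file, once per wordlist in a directory.

    # Require both arguments: the hash file and the wordlist directory.
    if [ ${#} -lt 2 ]
    then
        echo "Usage: ${0} password_hashes wordlist_directory"
        exit 1
    fi

    # Loop over every .txt wordlist so the next one starts automatically.
    for LIST in "${2}"/*.txt
    do
        echo "---------------------------------------------------------------------"
        echo "Now running john with wordlist: ${LIST##*/}"
        echo "---------------------------------------------------------------------"
        john --wordlist="${LIST}" "${1}"
    done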