Each semester in my Security class, I give a month-long lab to crack as many passwords as possible. For this spring’s contest (opened on February 12th), I used two different hash types: MD5 and SHA-512. The contest closed on March 13th at 11:59 PM PDT. The password hashes (16 total):

sisterbear:$1$bLMppy8D$Ip/zpUYbejY8cKWRYPWhN0:1001:1001:,,,:/home/sisterbear:/bin/bash
grizzlybear:$1$9WgbJ2S0$Be0gFZb9WsiRrB2A2RQJH.:1002:1002:,,,:/home/grizzlybear:/bin/bash
jackbear:$1$c0wO7qkf$Sj9yAbmKwjSHpjeZrcouB.:1003:1003:,,,:/home/jackbear:/bin/bash
pandabear:$1$llCdtKFH$XqGUv1hOjJYn1TQBc/8Tt.:1004:104:,,,:/home/pandabear:/bin/bash
yogibear:$1$QHGLCAyE$Y/nzbc/CE1MjIEBub5pxv1:1005:1005:,,,:/home/yogibear:/bin/bash
mamabear:$1$w4xLCqJc$E8wK7KBnXsVCr.DQPEBkI.:1006:1006:,,,:/home/mamabear:/bin/bash
barneybear:$1$r1FdKB30$BH2om/xXUfrfdJfLHiSF30:1007:1007:,,,:/home/barneybear:/bin/bash
papabear:$1$imur5ajp$ATQxIMU8IUVmFz7LXnE/a.:1008:1008:,,,:/home/papabear:/bin/bash
bluebear:$6$RQ8oZtdnOwR6roav$iK/hQnc7XAegU75/aL9ajwTgzwBEovt6eCVGf0Cklk2vj7SCuECB3UmYN7ggNHYnDFKObpLLW0oIeFL.l9pSb1:1009:1009:,,,:/home/bluebear:/bin/bash
cozybear:$6$RV4dVjBXmhVoDYzq$AOY47zToJr7HueyBl4uTDr55ZgB7wxbsIVsWtV9w5UI4kZI3SX6zbKO.zHkg8RyUFwh1UdZevcpaqaQRi.UtG0:1010:1010:,,,:/home/cozybear:/bin/bash
polarbear:$6$1eXQAn07cYx1tPcN$B8FMZz79pskMRt4Hdu7Gj2HQmRe2M1KNlGUphROpfdEUq2Jzq6Mg991DIUSL2BLyj4oiIR2IUniZKj8lrFKfA/:1011:1011:,,,:/home/polarbear:/bin/bash
teddybear:$6$JZpm2/NpgMR78DY8$EEU6fH.dF.WZUmRHD8BQZ.rHGQ9VCArT89P.u.tpMnltBu4LCq/xyGOVA8NVcwRI9oCH3qawp.qz87Li7MTTz1:1012:1012:,,,:/home/teddybear:/bin/bash
carebear:$6$GgnLovTxnqSKZcom$ANKIYkcFW.cRJ2dExckYG9UVWcN16Jz27kvFDle39q2Q/Jl/1rpgrrJR6XXZB4T5kbsehllh9a1uUosGRxSxf0:1013:1013:,,,:/home/carebear:/bin/bash
blackbear:$6$YCpm.sL9j1WhSFNH$ry/s.zSc3.d.7vaZtzeUjMpDnzrfmrhAH03sCyPnfvBqkNzOosOZaRG4jp6ul2YO5MF5/B7fKE7/rkUvTsmhx.:1014:1014:,,,:/home/blackbear:/bin/bash
fancybear:$6$U6VKpvTk5e0bXgg5$JIt1sfkU8guCVb73mI/OHI8ReKPMcO/DkKURBcUxun8PXz0d/dQ.eHQD10kZSqGbhE0IoDFIDwqloF.N7jYk61:1015:1015:,,,:/home/fancybear:/bin/bash
brotherbear:$6$jyy1K9Pbntc34oZ1$kgkhKp8vkbdYX9dFk8mZoWFtRequ/5YBrX33ThZAIAngmZuXOeZhwLPbp11lwygZTFDCJRl6apIsb0Re9eOSH0:/home/brotherbear:/bin/bash

113 submissions across two classes. The answers:

  • (MD5) sisterbear:coco => 111 students cracked this
  • (MD5) grizzlybear:close-standing => 98 students cracked this
  • (MD5) jackbear:h37312059114bic => 97 students cracked this
  • (MD5) pandabear:sephiroth => 111 students cracked this
  • (MD5) yogibear:fosqrmai => 7 students cracked this
  • (MD5) mamabear:6v(&FkO=(}Cq:R\v => 0 students cracked this 😛
  • (MD5) barneybear:7WaSEDR629 => 85 students cracked this
  • (MD5) papabear:virago1 => 109 students cracked this
  • (SHA-512) bluebear:devildog => 108 students cracked this
  • (SHA-512) cozybear:petki4a3 => 65 students cracked this
  • (SHA-512) polarbear:xlpIBvno => 0 students cracked this
  • (SHA-512) teddybear:p3d41312 => 86 students cracked this
  • (SHA-512) carebear:SHAW => 100 students cracked this
  • (SHA-512) blackbear:R}ZBg_B_-?D!5AEA => 0 students cracked this 😛
  • (SHA-512) fancybear:68760747 => 21 students cracked this
  • (SHA-512) brotherbear:nerror => 86 students cracked this

To earn all 10 / 10 points for the lab, students had to crack 10 or more passwords. The final distribution:

13 (x5)
12 (x6)
11 (x34)
10 (x47)
9 (x3)
8 (x1)
7 (x1)
6 (x1)
5 (x5)
4 (x5)
3 (x2)
2 (x2)
0 (x1)

Average number of passwords cracked: 9.592920354

Median number of passwords cracked: 10

How I created this spring’s password cracking contest:

  • sisterbear’s password => taken from xato-net-10-million-passwords-10000.txt in Daniel Miessler’s SecLists
  • grizzlybear’s password => taken from darkc0de.txt in Daniel Miessler’s SecLists
  • jackbear’s password => taken from darkc0de.txt in Daniel Miessler’s SecLists
  • pandabear’s password => taken from darkweb2017-top10000.txt in Daniel Miessler’s SecLists
  • yogibear’s password => randomly generated using all [a-z]
  • mamabear’s password => randomly generated using all [a-zA-Z0-9!@#$%^&*()specialcharacters]
  • barneybear’s password => taken from hak5.txt in Daniel Miessler’s SecLists
  • papabear’s password => taken from Ashley-Madison.txt in Daniel Miessler’s SecLists
  • bluebear’s password => taken from xato-net-10-million-passwords-10000.txt in Daniel Miessler’s SecLists
  • cozybear’s password => taken from Lizard-Squad.txt in Daniel Miessler’s SecLists
  • polarbear’s password => randomly generated using all [a-zA-Z], less than 8 characters
  • teddybear’s password => taken from darkc0de.txt in Daniel Miessler’s SecLists
  • carebear’s password => SHAW
  • blackbear’s password => randomly generated using all [a-zA-Z0-9!@#$%^&*()specialcharacters]
  • fancybear’s password => randomly generated using all [0-9], length 8
  • brotherbear’s password => taken from youporn2012.txt in Daniel Miessler’s SecLists

Selected methodologies and hauls from students:

Student 1:

Separated hashes by type (MD5 vs SHA-512). Used John the Ripper and Hashcat with rockyou.txt, SecLists wordlists (darkc0de.txt, md5decryptor-uk.txt), brute force, and best64 rules.

Student 2:

I used hashcat for the appropriate hash type, looping through a folder of wordlists downloaded from the SecLists repo. Then, I did another pass for each hash type with best66 rules from hashcat.

Student 3:

I separated the crackme-spring2026.txt file into two batches based on hash type: targets_batch1.txt for $1$ (MD5-crypt) hashes and targets_batch2.txt for $6$ (SHA-512 crypt) hashes. Starting with the rockyou.txt wordlist, I cracked pandabear:sephiroth, sisterbear:coco, and papabear:virago1 from targets_batch1.txt, along with bluebear:devildog from targets_batch2.txt using hashcat -m 500 and hashcat -m 1800 respectively.

When the standard rockyou wordlist yielded no additional results, I switched to darkc0de.txt and ran hashcat -m 1800 -a 0 targets_batch2.txt darkc0de.txt -O, which successfully recovered teddybear:p3d41312 and carebear:SHAW. I then applied the same wordlist to targets_batch1.txt with hashcat -m 500 -a 0 targets_batch1.txt darkc0de.txt -O and obtained grizzlybear:close-standing and jackbear:h37312059114bic.

For the remaining unsolved hashes, I tested openwall.net-all.txt against targets_batch2.txt using hashcat -m 1800 -a 0 targets_batch2.txt openwall.net-all.txt -O, which cracked brotherbear:nerror. Lastly, I created a merged wordlist from multiple leaked password databases in the SecLists repository and saved it as seclist_passwords.txt. Running hashcat -m 500 -a 0 targets_batch1.txt seclist_passwords.txt -O against the remaining MD5-crypt hashes yielded the final password: barneybear:7WaSEDR629.
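
The split-by-hash-type step that Students 1 and 3 describe, as an added example (not part of any student's submission or the contest files): it parses the crypt(3) $id$salt$digest field of each line, groups accounts by scheme, and flags lines that do not have the seven passwd(5) fields. The function names and the sanity checks are this example's own; modes 500 and 1800 are the ones quoted above, and the rounds values are the schemes' standard defaults.

```python
import re
from collections import defaultdict

# crypt(3) modular format: $id$[rounds=N$]salt$digest
MCF = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
                 r"(?P<salt>[./0-9A-Za-z]{0,16})\$(?P<digest>[./0-9A-Za-z]+)$")

# id -> (scheme, hashcat mode from the write-up, digest length, default rounds)
# md5crypt is fixed at 1000 iterations; sha512crypt defaults to 5000 rounds.
SCHEMES = {"1": ("md5crypt", 500, 22, 1000),
           "6": ("sha512crypt", 1800, 86, 5000)}

# Three lines copied from the contest file above; the last one lacks uid/gid/GECOS.
SAMPLE = [
    "sisterbear:$1$bLMppy8D$Ip/zpUYbejY8cKWRYPWhN0:1001:1001:,,,:/home/sisterbear:/bin/bash",
    "bluebear:$6$RQ8oZtdnOwR6roav$iK/hQnc7XAegU75/aL9ajwTgzwBEovt6eCVGf0Cklk2vj7SCuECB3UmYN7ggNHYnDFKObpLLW0oIeFL.l9pSb1:1009:1009:,,,:/home/bluebear:/bin/bash",
    "brotherbear:$6$jyy1K9Pbntc34oZ1$kgkhKp8vkbdYX9dFk8mZoWFtRequ/5YBrX33ThZAIAngmZuXOeZhwLPbp11lwygZTFDCJRl6apIsb0Re9eOSH0:/home/brotherbear:/bin/bash",
]

def parse_line(line):
    """Describe one user:hash:... line; None if the hash field is not $1$/$6$."""
    fields = line.strip().split(":")
    m = MCF.match(fields[1]) if len(fields) > 1 else None
    if not m or m["id"] not in SCHEMES:
        return None
    scheme, mode, digest_len, rounds = SCHEMES[m["id"]]
    notes = []
    if len(m["digest"]) != digest_len:
        notes.append("unexpected digest length")
    if len(fields) != 7:
        notes.append(f"{len(fields)} fields, passwd(5) has 7")
    return {"user": fields[0], "scheme": scheme, "mode": mode,
            "rounds": int(m["rounds"] or rounds), "salt": m["salt"],
            "hash": fields[1], "notes": notes}

def split_by_scheme(lines):
    """Group parsed records by scheme, skipping lines that do not parse."""
    batches = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            batches[rec["scheme"]].append(rec)
    return dict(batches)

if __name__ == "__main__":
    for scheme, recs in split_by_scheme(SAMPLE).items():
        print(f"{scheme} (hashcat -m {recs[0]['mode']}): {len(recs)} hash(es)")
        for r in recs:
            print(f"  {r['user']} rounds={r['rounds']} {'; '.join(r['notes'])}")
```

The same grouping works as an audit of a real shadow file: any account still listed under md5crypt is hashed with the cheaper of the two schemes and is a candidate for a forced password change under a stronger one.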

A note to self for the fall 2026 contest…

Fall 2026