Our (1Password's) goals in offering these challenges is to gain a better sense of the resistance of various types of user Master Passwords to cracking if 1Password data is captured from a user's device.

Our use of Two Secret Key Derivation (2SKD) protects users from Master Password cracking attempts in the event that data is captured from our servers, but 2SKD does not offer that protection if data is captured from the user's own device. Thus the strength of user Master Passwords remains an important part of user security for 1Password.

We need to encourage users to use Master Passwords which

1. people can remember
2. people can reasonably enter on their devices
3. are sufficiently strong

We are creating these challenges to help us better understand (3).

We would love for people to use 1Password Master Passwords that are simply too hard to crack in the event that data is captured from their local devices. But if we present cracking challenges that are too hard to win, nobody will take the challenge. Instead, we are offering what we hope are winnable challenges with sufficient prizes that many of them will be won.

Let us emphasize this point for when results come in: These challenges are intended to be winnable. A success does not indicate any weakness in 1Password.

This means that the passwords we present here are weaker than we recommend as 1Password Master Passwords. The prizes we offer should be worth the effort that the participants need to put in.

At the same time we want the attempts to take some real effort so that we can get more data on that effort. In any cracking effort, there are some fixed costs of simply setting up the cracking run (preparing the data, configuring the software, etc), we want those costs to be dominated by the actual cracking.

Our interest is to understand cracking efforts in terms of the strength of a test Master Password under the assumption that an attacker fully knows the details of key derivation and password generation scheme. Therefore we try to provide everything a participant will need to know to set up their systems prior to the beginning of the competition. Thus we make available

1. The source for the scripts used to generate the challenge passwords
2. Sample challenges (some with "answers") published prior to the official challenge.
3. The KDF we use for these challenges is stripped of many of the idiosyncracies of the 1Password KDF that are not relevant for the difficulty of cracking locally captured data.

Individual challenges will look something like this, but see the source for generating them and the sample docs for more detail.

{
    "id": "aXw39qx7a5kt",
    "hint": "3 words",
    "prf": "HMAC-SHA256",
    "rounds": 100000,
    "salt": "697c37f6ac7b6b992d12c8eab3269af6",
    "derived": "3e0f1903cc73b07a7070a661f8450d495cc99151ae67bcdf69a80d0391e7d62f"
}

To ensure fair handling of the contest itself and the award of payments, we are asking Bugcrowd to administer this.

The Bugcrowd program is at https://bugcrowd.com/onepasswordgame

This is a natural choice, as they both have the experience with delivering bounties, and have earned a reputation as a trusted party in dealing both with those offering bounties and those seeking them.

On June 11, 2018 we doubled our initial prizes and added a fourth place prize. On July 26, we increased the prizes yet again.

• For the first person or team to crack a three word password, we offer 4096 8192 12288 USD.

• For the second person or team to crack a different three word password, we offer 2048 4096 8192 USD.

• For the third person or team to crack yet a different three word password, we offer 1024 2048 6144 USD.

• And for the fourth person or team to crack yet another one, we we offer 1024 4096 USD.

If no correct submission has been submitted within one month, we may increasing the prizes. [Update: On June 11 we have increased the prizes. On July 26, we increased the prizes yet again.]

On August 23, 2018, we published an updated challenge file with 1 bit hints. This lists the first bit of the unsalted SHA256 hash of the solution.

On September 24, 2018, we published an updated challenge file with 2 bit hits. This lists the first two bits of the unsalted SHA256 hash of the solution.

The file with these hints is at The hints will be initial bit(s) of a SHA256 unsalted hash of the password. The nature of the hints has been under discussion in this forum topic.

1. No one at AgileBits or BugCrowd can win.
2. Social engineering, or gaining the solutions through penetration is not allowed. This is a cracking-only exercise.
3. Participants may only use systems with the owner's permission. You may not steal computing resources in your cracking efforts.
4. Winners must provide a write-up of what they did, with estimations of total cost to crack, guesses per second, the systems used. The write-up need not be submitted at the same time as a successful crack, which need only include the ID of the particular challenge and the successful password.
5. Submission is exclusively via Bugcrowd, and Bugcrowd standard rules apply

Announcement of forthcoming challenge (when this and associated documents are published): TBA

Start of contest. Publication of the actual challenges: Noon, EDT on World Password Day, May 3, 2018. 2018-05-03 16:00:00 +0000 UTC

The challenge was published at that time at https://github.com/agilebits/crackme/tree/master/password-day-2018.json

Note that a file with 1 bit hints is at https://github.com/agilebits/crackme/tree/master/password-day-2018-1bitHints.json

All prize winning targets (1st through 4th place) have been found. There will be no prize awards for 5th through 7th place.

Last update: 2019-01-10:17:45:13 UTC