We just hacked @donie (with his consent) and here's a breakdown of how we cracked his password. At a high level, we used a data breach site, the password cracking tool @hashcat, and a custom wordlist and ruleset. This is how it went down.

RT @0xTib3rius: Be me. Get invited by @RachelTobac & @evantobac to play craps. Side note: when the Tobacs invite you to gamble, you go. Th….

RT @RachelTobac: One of my favorite people in the @defcon universe is @_MG_ .Go buy his hacking tools, you’ll have a blast. .

RT @RachelTobac: The @socialproofsec @defcon 33 Clue Hunt in ON!.This challenge is short, it’s just 1 clue. Coin & sticker will both be of….

RT @RachelTobac: I just live hacked @ArleneDickinson (Dragons' Den star - Canada's Shark Tank) by using her breached passwords, social medi….

Very cool, portable tool to get insight into USB cables from @alvaroprieto .

Great writeup of reversing and troubleshooting a malfunctioning Beaglebone Black. Lots of tools and techniques used (UART, JTAG, Saleae, EMIF Tuning, tinySA, ARM Reversing, etc.).

For anyone who wanted a key but didn't get one. Now you can print your own!.

What's the fair market value on goon money these days?

RT @RachelTobac: Are you ready to play a game, @defcon? Our 1st Clue Hunt clue is ready for you. Winners get the challenge coin that screws….

RT @socialproofsec: Our @defcon Clue Hunt is starting soon & it’s bigger than ever before!.1st clue & Keymasters at @sec_defcon starting Fr….

RT @RachelTobac: *Sizzle Reel + Ransomware Song Debut!*.We just hit 500,000+ users for our @socialproofsec security awareness training vide….

RT @RachelTobac: Here’s how I used AI to clone a 60 Minutes correspondent’s voice to trick a colleague into handing over her passport numbe….

RT @60Minutes: 60 Minutes hired an ethical hacker to show how easy it is to be scammed. She conned our unsuspecting colleague using artific….

RT @RachelTobac: *Our Music & Spoken Security Awareness Videos are now on (almost) every continent🤯 - Demo/Update*.Here are more sample sni….

For no particular reason, I have decided to create a Mastodon account. Come say hi at

RT @clintgibler: Great overview of the dangers of password reuse due to data breaches by @RachelTobac, @evantobac . * Find email addresses….

So putting it all together, we found a password hash for Donie on a data breach site, made a Donie-specific wordlist of previously-used passwords and personal info, and fed it to Hashcat with a modified version of Dive ruleset. Hashcat cracked the password in under 15 seconds.

Example Hashcat rules might be adding special characters to the beginning or end, incrementing numbers, or converting words to leetspeak (e.g. p4ssw0rd). Rules can basically automate most of the superficial changes many people make to their old passwords.

Hashcat is a tool that creates password guesses and hashes them to see if they match the target. It takes as input a wordlist of potential password guesses and a list of rules for all the modifications of each password to try.

I took all the old passwords that we knew Donie used in the past and added them to a list of personal details about Donie we found on social media. This was our wordlist. I used this wordlist with a password cracking tool called Hashcat.