What is a mask attack (also called rule-based or heuristic attack), and why is it so much faster than pure brute force?
The attacker uses known structural hints about the password to skip impossible combinations — turning years of brute force into hours.
* Keyspace an attacker must search (log scale): dictionary/mask vs brute force. *
The idea:
Instead of trying every possible string of length 8, you target a known pattern:
- "Starts with capital letter"
- "Ends with 2 digits"
- "Has a special character somewhere in the middle"
In Hashcat syntax: ?u?a?a?a?a?a?d?d means:
?u= one uppercase?a= any printable char (95)?d= digit
Why patterns are predictable:
Real-world password studies show ~40% of users follow predictable structures:
- "Password requires uppercase" → starts with capital
- "Password requires digit" → appended
123,2024, etc. - "Password requires special char" → ends with
!
Speed difference for an 8-char password:
| Strategy | Search space | Crack time @ 100 GH/s |
|---|---|---|
| Pure brute force | 95⁸ = 6.6 × 10¹⁵ | ~18 hours |
Mask ?u?a?a?a?a?a?d?d |
26 × 95⁵ × 10² ≈ 2 × 10¹³ | ~3 minutes |
That's 18 hours → ~3 minutes — a ~300× speedup, just from knowing the structural constraints. Stricter assumptions (e.g. lowercase-only middle) collapse it further to milliseconds.
Where attackers learn the patterns:
- Leaked databases — analyze password structures statistically
- Password policy docs — "8 chars, 1 upper, 1 digit" tells the attacker a lot
- Targeted intel — for spear-cracking, OSINT on the victim (kid's name, birthdate)
Hashcat support:
?l ?u ?d ?s ?a— built-in charsets- Custom masks:
?d?d?d?dfor 4 digits - Can combine with wordlists for hybrid attacks
Defense:
- Don't follow predictable structures — random or passphrase
- Stop publishing detailed password policies (security through obscurity has some value here)
- Use slow hashes so even a fast mask attack remains expensive
Tip: Mask attacks are why "minimum complexity rules" can be counter-productive — they push users into predictable patterns that attackers exploit. NIST SP 800-63B now recommends length over complexity for exactly this reason.
Go deeper:
Hashcat mask attack (wiki) — worked example reducing a 4-year brute force to ~40 minutes by constraining per-position charsets.