LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a mask attack (also called rule-based or heuristic attack), and why is it so much faster than pure brute force?

The attacker uses known structural hints about the password to skip impossible combinations — turning years of brute force into hours.

Log-scale candidate counts for an 8-char password: dictionary << mask << full brute force.

* Keyspace an attacker must search (log scale): dictionary/mask vs brute force. *

The idea:

Instead of trying every possible string of length 8, you target a known pattern:

  • "Starts with capital letter"
  • "Ends with 2 digits"
  • "Has a special character somewhere in the middle"

In Hashcat syntax: ?u?a?a?a?a?a?d?d means:

  • ?u = one uppercase
  • ?a = any printable char (95)
  • ?d = digit

Why patterns are predictable:

Real-world password studies show ~40% of users follow predictable structures:

  • "Password requires uppercase" → starts with capital
  • "Password requires digit" → appended 123, 2024, etc.
  • "Password requires special char" → ends with !

Speed difference for an 8-char password:

Strategy Search space Crack time @ 100 GH/s
Pure brute force 95⁸ = 6.6 × 10¹⁵ ~18 hours
Mask ?u?a?a?a?a?a?d?d 26 × 95⁵ × 10² ≈ 2 × 10¹³ ~3 minutes

That's 18 hours → ~3 minutes — a ~300× speedup, just from knowing the structural constraints. Stricter assumptions (e.g. lowercase-only middle) collapse it further to milliseconds.

Where attackers learn the patterns:

  • Leaked databases — analyze password structures statistically
  • Password policy docs — "8 chars, 1 upper, 1 digit" tells the attacker a lot
  • Targeted intel — for spear-cracking, OSINT on the victim (kid's name, birthdate)

Hashcat support:

  • ?l ?u ?d ?s ?a — built-in charsets
  • Custom masks: ?d?d?d?d for 4 digits
  • Can combine with wordlists for hybrid attacks

Defense:

  • Don't follow predictable structures — random or passphrase
  • Stop publishing detailed password policies (security through obscurity has some value here)
  • Use slow hashes so even a fast mask attack remains expensive

Tip: Mask attacks are why "minimum complexity rules" can be counter-productive — they push users into predictable patterns that attackers exploit. NIST SP 800-63B now recommends length over complexity for exactly this reason.

Go deeper:

  • doc Hashcat mask attack (wiki) — worked example reducing a 4-year brute force to ~40 minutes by constraining per-position charsets.

From Quiz: INTROL / Password Cracking | Updated: Jul 14, 2026