Lance Grover

Patterns in passwords

Funny thing about people and passwords… and just about anything, really: we get comfortable with certain things. For example, you probably know of a family where all the kids' first names start with the same letter. Kids tend to be a little more creative, but adults tend to hold onto things, similar things. Let's look at passwords. Keep in mind I am not saying everyone is like this, and you may not be, but chances are the majority of people will have passwords that are similar in structure. Let's say this is your password:


Your original password was probably built from something familiar to you; say you liked The Cat in the Hat and you were born in the year 1989. The content of the password will change over time, but the structure could stay the same. See how the first character is a capital, then there are several lowercase letters, then two numbers and a special character? Once you have been told that this is a good structure for a password, you may feel this is the way to structure most of your future passwords unless given new information. So your next password might be like this:


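Totally different password, but the structure is exactly the same. Taking that into account, hashcat has a quicker form of brute-force attack, called a mask attack: instead of trying every character in every position, it only tries candidates that fit a given structure.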

So, let's say we build a mask that will crack this using the built-in character sets:
?l = lowercase letters
?u = uppercase letters
?d = decimal number
?s = special characters

hashcat -a 3 -m 1000 -1 ?u -2 ?l -3 ?d -4 ?s --username myAD.audit ?1?2?2?2?2?2?3?3?4
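
The reuse of structure described above can be measured. The following is an added example, not code from the original post: it derives the hashcat-style mask of a password, counts how many candidates that mask covers, and groups a list of passwords by structure, as you would when reviewing the results of a password audit. The sample passwords are constructed for illustration, and the function names mask_of, keyspace and mask_report are made up here.

```python
import string
from collections import Counter

# hashcat built-in charsets and their sizes (?s includes the space character).
SPECIALS = " " + string.punctuation          # 33 characters
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": len(SPECIALS), "?a": 95}


def mask_of(password):
    """Return the hashcat-style mask describing the structure of a password."""
    out = []
    for ch in password:
        if ch in string.ascii_lowercase:
            out.append("?l")
        elif ch in string.ascii_uppercase:
            out.append("?u")
        elif ch in string.digits:
            out.append("?d")
        elif ch in SPECIALS:
            out.append("?s")
        else:
            raise ValueError(f"character {ch!r} is outside ?l?u?d?s")
    return "".join(out)


def keyspace(mask):
    """Number of candidates covered by a mask made only of built-in charsets."""
    total = 1
    for i in range(0, len(mask), 2):
        total *= CHARSET_SIZE[mask[i:i + 2]]
    return total


def mask_report(passwords):
    """Count how many passwords share each structure, most common first."""
    return Counter(mask_of(p) for p in passwords).most_common()


if __name__ == "__main__":
    # Constructed sample passwords, not the ones from the original post.
    sample = ["Sunset42!", "Winter07#", "Harbor19$", "correct horse battery"]
    for mask, count in mask_report(sample):
        print(f"{count:3d}  {keyspace(mask):>40,d}  {mask}")
    structured = keyspace(mask_of("Sunset42!"))
    print("full 9-char ?a space is", keyspace("?a" * 9) // structured, "times larger")
```

The first three sample passwords collapse to the single mask ?u?l?l?l?l?l?d?d?s, which covers about 1.02 trillion candidates, roughly 618,000 times fewer than all nine-character printable-ASCII strings.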