What are password mask attacks?

Mask attacks are a targeted brute-force technique used by bad actors to crack passwords. Traditional brute-force attacks systematically try every possible combination of letters, numbers, and symbols to guess a target password. Mask attacks instead aim to shrink the number of password guesses to a manageable fraction of the total possibilities. Attackers use information about password creation habits, such as common composition patterns, to craft these attacks.

This article provides context on how bad actors use hashes found in data breaches to perform mask attacks. It also proposes a password complexity solution for Active Directory to increase the difficulty of brute-forcing passwords.

What is password cracking?

Conceptually, you can think of password cracking as trying to guess the password that was used. There is no such thing as “reversing” a hash: a hashing algorithm is a one-way operation. When you log into an application that uses password hashing, the service provider stores a hash of the password computed with some hashing algorithm (e.g., Argon2, bcrypt, MD5), typically combined with a salt.

If you have any experience with red team exercises or Active Directory password audits, you may have dealt with password dumps in the past, e.g., LSASS or NTDS.DIT/SYSTEM dumps. An attacker or security professional will often look to retrieve credentials from a machine. These credentials come in the form of NTLM hashes in a modern Windows environment, or SHA-512 hashes in Linux/Unix environments. One may attempt to crack these hashes in order to assess or use the resulting password: either to judge the efficacy of secure password training, or to pivot to other systems and accounts in the environment in question.

Password cracking with mask attacks

There are several methods for cracking a given hash. If an attacker simply tried to brute force every possible password of a given length, they would rapidly hit an untenable timeline. A mask attack is a targeted brute-force attack: rather than covering every possibility in the problem space, it narrows the space to specific character patterns, making it easier to get valid hits and start iterating on the data. With mask attacks, the attacker can target a subset of password lengths and formats. One common technique is to start with the smallest problem set (shorter passwords) before working up to the largest, since the time to crack grows exponentially with password length.
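As an added example (not part of the original article), the following Python derives the composition mask of a password and compares the mask's search space with a full brute force over printable ASCII at the same length, which quantifies the reduction described above; the sample passwords are constructed and the guess rate is an illustrative assumption.

```python
import math
import string

# hashcat-style mask classes: ?l lowercase (26), ?u uppercase (26), ?d digits (10),
# ?s punctuation plus space (33). All printable ASCII together (?a) is 95 characters.
CLASSES = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
    "?s": string.punctuation + " ",
}
FULL_CHARSET_SIZE = 95


def mask_for(password: str) -> str:
    """Derive the composition mask of a password, one class token per character."""
    tokens = []
    for ch in password:
        for token, chars in CLASSES.items():
            if ch in chars:
                tokens.append(token)
                break
        else:
            raise ValueError(f"character {ch!r} is not printable ASCII")
    return "".join(tokens)


def mask_keyspace(mask: str) -> int:
    """Candidates a mask covers: the product of the class sizes at each position."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    return math.prod(len(CLASSES[t]) for t in tokens)


def pattern_report(password: str, guesses_per_second: float) -> dict:
    """Compare the mask search space with a full brute force of the same length."""
    mask = mask_for(password)
    masked = mask_keyspace(mask)
    full = FULL_CHARSET_SIZE ** len(password)
    return {
        "mask": mask,
        "mask_keyspace": masked,
        "full_keyspace": full,
        "reduction_factor": full // masked,
        "effective_bits": math.log2(masked),              # full would be len*log2(95)
        "mask_hours": masked / guesses_per_second / 3600,  # time to exhaust the mask
    }


if __name__ == "__main__":
    # Constructed sample passwords; 1e10 guesses/s is an illustrative assumption.
    for pw in ("Summer2023!", "kq7#Vt9pL2wX!"):
        print(pattern_report(pw, 1e10))
```

The first sample follows the common capital-word-year-symbol shape and collapses to a mask with about 56 bits of search space, while the same length over the full printable charset is roughly 85 bits.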

At the end of the day, an attacker doesn’t need to crack every password in the dataset they acquired, whether it contains a company’s information or passwords that can be mapped back to domain users for possible reuse. They simply need to crack enough of them to gain an initial foothold, then start deeper enumeration, pivot, and continue down their attack flow (see MITRE ATT&CK).

Securing passwords against mask attacks

Mask attacks demonstrate what a relatively unskilled attacker can do with a public breach if passwords aren’t sufficiently strong and users reuse passwords. By enforcing longer and stronger password policies with Specops Password Policy, preferably combined with a breached password solution such as the optional Specops Breached Password Protection feature, organizations can reduce their attack surface. The Breached Password Protection list is updated daily and includes over 4 billion vulnerable passwords, including the HaveIBeenPwned list, the latest Collection lists, and thousands of other known leaked lists, as recommended by regulatory bodies such as NIST. With this solution in place, one can remove a lot of the low-hanging fruit that could give a bad actor initial access.

(Last updated on January 17, 2023)
