What Is a Hybrid Password Attack? How Is It Used in Password Cracking?
You often see the term "hacking" when attacks on passwords are discussed. Many argue that this is a poor choice of words. They say that passwords can't be hacked. According to them, attackers can only "guess" passwords.
Strictly speaking, they do have a point. An attack on a password doesn't change the way it works or the level of security it provides. Instead, it helps cybercrooks figure out what the password is. There are two main approaches: brute-forcing and a dictionary attack.
Let's start with the brute-force attack. Think of a four-digit PIN. In a brute-force attack, the hackers first guess that the correct PIN is "0000". If that doesn't work, they try "0001", "0002", "0003", etc. At some point between "0000" and "9999", they will get a match and will be able to break open the account safeguarded by the PIN. It's more or less the same story with passwords, with the only difference being that the greater number and variety of characters makes the whole process slower or, in case the password is strong enough, impractical.
Far fewer guesses are made in a dictionary attack. It involves taking long lists of words, keyboard patterns (like "qwerty", for example), and digit combinations, and trying each and every entry until a match is found. As we've established in the past, many people use the same weak passwords over and over again, and finding a dictionary full of them is a trivial job.
Enter password rules
Website owners thought they could fight this by forcing people away from common words and patterns and making them use random strings of characters instead. Websites that enforce password rules don't allow people to use "password", "qwerty", or "123456" as their password. Shortly after being confronted with password rules, users realized that they can't remember the jumbled mess of letters, numbers, and special characters, and they started looking for a solution. Here's how they did it.
Lucy, who graduated in 2005, has a dog named Spike. Her password is "spike2005". George is a massive Los Angeles Lakers fan, and his son, Matt, was born in 1993. His password is "lakers1993". Chris met his wife, Amanda, in New York in 2010. His password is "NewYork2010".
These are the sort of mechanisms people resorted to when password rules first appeared, and in those days social media couldn't yet reveal everything about our personal lives after a single Google search. The word-plus-year combination did provide an additional layer of security because it significantly slowed down brute-force attempts and rendered the classic dictionary attack useless. Unfortunately, pretty soon, the bad guys were on top of it.
They realized that people would often use the name of their pet in combination with their graduation year. They saw all the other common algorithms and were soon aware of how passwords are created. And in the world of online security, if you know how something works, you can attack it.
Adding brute-force to the dictionary attack
The bad guys took a divide-and-conquer approach. First, they realized that passwords often either start or end with a four-digit combination. Cracking that part in a typical brute-force scenario would take 10,000 guesses or fewer, which, in the world of password attacks, is nothing.
With the rest of the password thrown into the mix, however, brute-forcing would have been a challenge. Unfortunately, they also realized that a dictionary attack would be effective against the word portion of the password, and that by combining it with a brute-force attempt on the numeric portion, they could have a practical, efficient method of guessing such passwords. That's how the hybrid attack was born.
Obviously, the mechanism described above is designed to crack only passwords that begin with a word and end with a four-digit combination, but needless to say, designing one that guesses passwords that start with numbers and end with words is not really a problem for the hackers. They have been analyzing users' passwords for years, and they are aware of what a typical modern password looks like. Adapting their tools is a minor technicality.
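To make the size of the problem concrete, here is an added example (not from the original article) written from the defender's side: a policy check that recognizes the word-plus-four-digits shape described above, using the article's own sample passwords, and compares the worst-case number of guesses a hybrid attack needs against the keyspace of a random password of the same length. The wordlist, the capitalization and symbol variant counts, and the 94-character alphabet are constructed assumptions.

```python
import re

# Constructed mini-dictionary standing in for the multi-million-entry
# wordlists (names, teams, cities, common words) that real attacks use.
WORDLIST = {"spike", "lakers", "newyork", "password", "qwerty", "dragon",
            "amanda", "london", "summer"}

# Matches word + 4 digits or 4 digits + word, with an optional trailing symbol.
HYBRID_RE = re.compile(r"^(?:(\d{4})([A-Za-z]+)|([A-Za-z]+)(\d{4}))[!?.]?$")

# Assumed variant counts for the estimate: 4 capitalization styles
# (lower, Capitalized, ALLCAPS, CamelCase) and 4 trailing-symbol choices
# (none, '!', '?', '.'). Real rule sets are larger; this is a simplification.
CAP_VARIANTS = 4
SYMBOL_VARIANTS = 4


def hybrid_pattern(password: str, wordlist=WORDLIST):
    """Describe the word/digit structure of `password`, or return None
    when it does not fit the hybrid shape (or the word is not in the list)."""
    m = HYBRID_RE.match(password)
    if not m:
        return None
    if m.group(3):
        word, digits, layout = m.group(3), m.group(4), "word+digits"
    else:
        word, digits, layout = m.group(2), m.group(1), "digits+word"
    if word.lower() not in wordlist:
        return None
    # Worst case for the attacker: every dictionary entry times every
    # 4-digit block times the capitalization and symbol variants.
    worst_case = len(wordlist) * 10_000 * CAP_VARIANTS * SYMBOL_VARIANTS
    return {"word": word.lower(), "digits": digits, "layout": layout,
            "worst_case_guesses": worst_case}


def random_keyspace(length: int, alphabet_size: int = 94) -> int:
    """Guess count for a uniformly random password of the given length
    drawn from the 94 printable ASCII characters (assumed alphabet)."""
    return alphabet_size ** length


def hybrid_advantage(password: str) -> float:
    """How many times fewer guesses the hybrid attack needs than brute-forcing
    a random password of the same length; 1.0 means no exploitable structure."""
    info = hybrid_pattern(password)
    if info is None:
        return 1.0
    return random_keyspace(len(password)) / info["worst_case_guesses"]
```

A password manager's generated string such as "xk7$Qp2v" returns 1.0 here, while every example from the article is reduced to a few million guesses at most.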
Protecting yourself from a hybrid attack
It's not difficult to predict that you, like so many other people, are going to use a year in your password, and neither is guessing that you'll place it either at the end or at the beginning. The same goes for capitalizing the first letter of your password or putting an exclamation mark at the end.
If your password is to be resistant to a hybrid attack, it needs to be random. You have to make sure that cybercrooks can't guess what it consists of. In fact, ideally, even you shouldn’t know what your password consists of.
Having an automated tool scramble letters, numbers, and special characters for you will ensure that any password attack would be either completely impractical or outright pointless. Of course, there will be the problem of remembering all your passwords, but thankfully, modern password management solutions like Cyclonis Password Manager can take care of both tasks.