ELI5: What is a Hybrid Attack?
It takes common words from a dictionary and mixes in numbers and symbols — like trying “Summer2024!” and “p@ssword1”. It’s smarter than random guessing because people make predictable choices.
Definition
A hybrid password attack combines the efficiency of dictionary attacks with brute-force character substitutions and appends. Instead of trying every possible combination, a hybrid attack takes dictionary words and applies rule-based transformations—capitalizing letters, appending numbers or symbols, substituting characters (l33t speak), or prepending common patterns—to cover the most common password structures humans create.
Key Details
- Most humans follow predictable password construction patterns when forced to add complexity.
- Common patterns exploited: Word + Year (Summer2024!), Word + Number (Password1), Word + Special char (dog@home).
- Hashcat rules: predefined rule files that apply systematic transformations to wordlist entries; highly effective against common passwords.
- Effective even against passwords that would resist a pure dictionary attack because of added characters.
- Defense: use truly random passwords (generated by a password manager) that don’t follow any human-predictable pattern.
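As an added illustration (not code from the original page), here is a defender-side password-policy check that reverses the transformations listed above (stripping appended or prepended digits and symbols, undoing l33t substitutions, splitting on separators) to decide whether a candidate password is just a dictionary word with a hybrid rule applied. The mini-wordlist and the substitution map are constructed for the example; a real check would load a large dictionary or breached-password list.

```python
import re
from typing import List, Optional

# Constructed mini-wordlist standing in for the dictionary a real policy
# check would load at startup (e.g. a common-password or breach list).
COMMON_WORDS = {"summer", "password", "dog", "home", "welcome", "dragon"}

# Undo the l33t substitutions a hybrid rule set typically applies.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def candidate_bases(password: str) -> List[str]:
    """Strip prepended/appended non-letters (years, digits, symbols), then
    return the forms a hybrid rule could have started from: the core as
    typed, the core de-l33ted, and each separator-delimited token of it."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    forms = [core, core.translate(LEET)]
    for token in re.split(r"[^a-z0-9]+", core):
        if len(token) >= 3:  # ignore fragments too short to be a word
            forms += [token, token.translate(LEET)]
    return forms


def hybrid_base_word(password: str) -> Optional[str]:
    """Return the dictionary word this password appears to be built from,
    or None when no word + rule pattern is recognised."""
    for form in candidate_bases(password):
        if form in COMMON_WORDS:
            return form
    return None


if __name__ == "__main__":
    # Constructed sample inputs: the page's three patterns, a prepended
    # year, and a password-manager style random string.
    for pw in ["Summer2024!", "p@ssword1", "dog@home", "2024Dragon", "Xq7#vL9pR2"]:
        base = hybrid_base_word(pw)
        verdict = f"reject (hybrid of '{base}')" if base else "accept"
        print(f"{pw:12} -> {verdict}")
```

Only the random string passes; every human-pattern password is traced back to its base word even though each would survive a plain dictionary lookup.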
Connections
- Parent: password-attacks — combines dictionary and brute-force approaches
- See also: dictionary-attack, brute-force