**Structured Keyspace Modeling for Password Research**

Masks are a way to describe **what a password looks like** instead of guessing blindly. Rather than enumerating every possible string, masks constrain the search space to patterns that **humans actually use**.

A mask is not an attack by itself. It is a **model** of password structure.

---

## **What a Mask Really Is**

At its core, a mask is:

> A **positional constraint system** that defines _what type of character is allowed at each position_ in a password.

Instead of asking:

> “What characters could appear anywhere?”

Masks ask:

> “What characters appear **here**, **then here**, **then here**?”

This distinction is what makes masks powerful.

---

## **Why Masks Exist**

Pure brute force treats every position as equally likely. Humans do not.

Humans:

- Capitalize predictably
- Append digits consistently
- Reuse years, counts, and patterns
- Follow keyboard and language habits

Masks encode those **biases** directly into the keyspace.

---

## **Mask Placeholders (Conceptual)**

A mask is built from **placeholders**, each representing a character class:

|**Placeholder**|**Meaning**|
|---|---|
|?l|lowercase letter|
|?u|uppercase letter|
|?d|digit|
|?s|symbol|
|?a|all printable characters|

A password mask is simply a **sequence** of these placeholders.

Example:

```
?u?l?l?l?l?d?d
```

Interpreted as:

> Capital letter → 4 lowercase letters → 2 digits

---

## **Masks vs Brute Force**

### **Brute Force**

- Explores **everything**
- Maximum coverage
- Maximum waste
- Ignores structure

### **Masks**

- Explore **likely structure**
- Drastically reduced keyspace
- Orders guesses intelligently
- Can still fully emulate brute force if needed

> A mask can always expand to brute force
>
> Brute force cannot shrink into a mask

---

## **Why Masks Are Efficient**

Consider the password:

```
Julia1984
```

### **Brute Force Assumption**

- Mixed case + digits
- Length = 9
- Keyspace ≈ 62⁹ ≈ **13.5 trillion**

### **Masked Assumption**

```
?u?l?l?l?l?d?d?d?d
```

- Uppercase only at position 1
- Lowercase letters next
- Digits at the end
- Keyspace ≈ **237 billion**

That is **orders of magnitude smaller**, without sacrificing realism.

---

## **Masks Encode Human Behavior**

Masks are effective because they capture **behavioral regularities**:

|**Behavior**|**Mask Expression**|
|---|---|
|Capital first letter|?u?l...|
|Digits at the end|...?d?d|
|Year patterns|...?d?d?d?d|
|Fixed prefix|Password?d?d|
|Fixed suffix|?l?l?l!|

Masks turn sociology into mathematics.

---

## **Fixed Characters Inside Masks**

Masks are not limited to placeholders. You can include **static characters**:

```
Password?d?d
```

Meaning:

> Literal word + two digits

This is critical when:

- Password policies enforce prefixes/suffixes
- Application defaults are known
- Organizational patterns repeat

---

## **Custom Character Sets**

Masks allow **custom character classes**.

Example conceptually:

- “Only vowels”
- “Only hex characters”
- “Only keyboard-adjacent symbols”

This allows masks to model:

- Language bias
- Encoding constraints
- Input filtering behaviors

---

## **Mask Length and Incrementing**

Masks are **length-specific**.

> "A mask for length 8 will never find a password of length 9."
> -Confucius

Incrementing masks:

- Automatically try shorter → longer
- Preserve structure at each length
- Avoid restarting attacks manually

Conceptually:

```
?l
?l?l
?l?l?l
...
```

This mirrors how humans escalate complexity.

---

## **Masks vs Rules vs Hybrid**

|**Technique**|**What It Models**|**Strength**|
|---|---|---|
|Masks|Structure|Precision|
|Rules|Transformation|Breadth|
|Hybrid|Word + structure|Coverage|

Masks are strongest when:

- Structure is known
- Length is predictable
- Position matters

Rules are strongest when:

- Base words are known
- Variations are common

---

## **When Masks Are the Right Tool**

Use masks when:

- Password length is constrained
- Patterns repeat across accounts
- Digits/symbols appear in predictable positions
- You want deterministic coverage

Avoid masks when:

- Structure is unknown
- Passwords are free-form phrases
- Length varies wildly without pattern

---

## **Common Mask Anti-Patterns**

1. **Over-restricting**
    - Masks too tight miss valid passwords
2. **Under-restricting**
    - Masks too loose revert to brute force
3. **Ignoring culture**
    - Different regions exhibit different patterns
4. **Skipping analysis**
    - Masks without evidence are guesses, not models

---

## **Masks as Research Artifacts**

In research contexts, masks are valuable because they:

- Make assumptions explicit
- Allow repeatable experiments
- Enable fair comparison across datasets
- Produce measurable outcomes

A mask answers:

> “What structure did we assume?”

Which is more important than:

> “Did we crack something?”

---

## **Takeaways**

- They reduce keyspace by encoding human behavior
- Every placeholder is a hypothesis
- Good masks come from observation, not intuition
- Masks complement rules and hybrids, they don’t replace them
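
The concepts above (placeholders, fixed characters, custom sets, length-specificity, and masks derived from observation) can be modeled in a few functions for a password-strength audit. This is an added example, not part of the original page; the 33-character symbol class, the `??` escape for a literal question mark, and the custom-set key `1` are assumptions of this example.

```python
import math
import string
from collections import Counter

# Assumption: "symbol" = 32 ASCII punctuation characters plus space, so ?a has 95.
CLASSES = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": string.punctuation + " "}
CLASSES["a"] = "".join(CLASSES[k] for k in "luds")

def parse_mask(mask, custom=None):
    """Return the allowed characters per position; literals allow only themselves."""
    classes = {**CLASSES, "?": "?", **(custom or {})}  # "??" = literal "?" (assumption)
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?":                    # placeholder: "?" followed by a class key
            key = mask[i + 1:i + 2]
            if key not in classes:
                raise ValueError(f"unknown placeholder at offset {i}: {mask[i:i + 2]!r}")
            positions.append(classes[key])
            i += 2
        else:                                 # fixed character, e.g. "Password"
            positions.append(mask[i])
            i += 1
    return positions

def keyspace(mask, custom=None):
    """Number of candidates a mask describes: product of per-position class sizes."""
    return math.prod(len(set(allowed)) for allowed in parse_mask(mask, custom))

def matches(mask, password, custom=None):
    """True only if the password has the mask's exact length and fits every position."""
    positions = parse_mask(mask, custom)
    return len(positions) == len(password) and all(
        ch in allowed for ch, allowed in zip(password, positions))

def derive_mask(password):
    """Map each character to its narrowest built-in class (observation -> mask)."""
    keys = [next((k for k in "luds" if ch in CLASSES[k]), None) for ch in password]
    if None in keys:
        raise ValueError("character outside printable ASCII")
    return "".join("?" + k for k in keys)

def mask_report(passwords):
    """Rank the masks observed in a sample: (mask, count, keyspace), most common first."""
    counts = Counter(derive_mask(p) for p in passwords)
    return [(m, n, keyspace(m)) for m, n in counts.most_common()]

# Constructed sample for an audit of structural predictability (not real credentials).
SAMPLE = ["Julia1984", "Maria2001", "Peter1999", "winter!", "Password12"]
```

Running `mask_report(SAMPLE)` shows how many entries collapse onto one structure, and `keyspace()` quantifies how small that structure is compared with an unconstrained class such as `?a` repeated to the same length.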