What Is a Password Mask Attack? 

By now we all know the importance of creating strong and unique passwords. We have all gotten smarter about how to create and store passwords, and about how much it matters to use a unique password for each of our accounts. Unfortunately, a password alone no longer protects our online accounts as effectively as it once did. Bad actors, hackers, and cybercriminals have gotten quite savvy about cracking the “uncrackable codes” we use for everything from our social media accounts to our banking and even our private healthcare data. Many with malicious intent no longer have to rely on plain brute force to discover passwords; instead, they use a Password Mask Attack.


Brute Force Vs Mask Attack 

According to Kaspersky online, a brute force attack is “the use of trial-and-error to guess login info, encryption keys, or find a hidden web page. Hackers work through all possible combinations hoping to guess correctly.” These attacks are called brute force because they use many forceful attempts to break into your accounts, both personal and business. While this is an older method of hacking into accounts, it has proven quite successful, depending on the difficulty and length of the password.

A Password Mask Attack is similar in that the ultimate goal is to gain your password, but this method is more systematic and targeted, and, believe it or not, takes even less time than a brute force attack. IT support experts believe that Password Mask attacks, a form of brute force attack, check passwords that match a specific pattern. This allows cybercriminals to skip unnecessary character combinations. This shortcut, of sorts, allows for a more targeted approach based on human password behavior and reduces the time spent on brute-force password recovery. The ultimate goal of a Password Mask Attack is to reduce the number of password guesses to a more manageable chunk of the total possibilities.

The guesses are checked against password hashes. Most websites and online apps don’t store users' passwords directly but rather use a process called hashing, where an algorithm changes the password into a string of letters and numbers: a hash. An attacker who obtains such a hash can use it as the starting point for a targeted Password Mask attack.

Managing This Threat 

To manage this threat, there are steps that individuals and businesses can take to mitigate the risks. You may find they sound very familiar, as they are commonly discussed in our blogs on passwords. Businesses should use password managers to encourage strong and unique passwords, and individuals should use passwords that contain a unique combination of uppercase and lowercase letters, numbers, and special characters. These stronger passwords will make it more difficult for hackers to guess the pattern or calculate the hashes.
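
To make the pattern idea concrete, the following added example (not part of the original article) derives the structural pattern of a password and compares the number of guesses that pattern allows with a full brute-force search over all printable characters. The `?u`/`?l`/`?d`/`?s` tokens follow the mask notation used by the hashcat tool, which the article does not name, and the "predictable" shape checked here (optional capital, lowercase letters, digits, optional trailing symbol) is an assumption chosen for illustration, as are the sample passwords.

```python
import re
import string

# Mask tokens in hashcat-style notation, each paired with its character set.
CLASSES = [("?u", string.ascii_uppercase), ("?l", string.ascii_lowercase),
           ("?d", string.digits), ("?s", string.punctuation + " ")]
CHARSET_SIZES = {token: len(chars) for token, chars in CLASSES}
FULL_PRINTABLE = 95  # every printable ASCII character, the naive alphabet
# Assumed predictable shape: [Capital] + lowercase + digits + [symbol].
PREDICTABLE = re.compile(r"^(\?u)?(\?l)+(\?d)+(\?s)?$")


def mask_of(password: str) -> str:
    """Return the structural mask, e.g. 'Ab1!' -> '?u?l?d?s'."""
    tokens = []
    for ch in password:
        token = next((t for t, chars in CLASSES if ch in chars), None)
        if token is None:
            raise ValueError(f"character outside printable ASCII: {ch!r}")
        tokens.append(token)
    return "".join(tokens)


def mask_keyspace(mask: str) -> int:
    """Number of candidates that match this mask."""
    total = 1
    for i in range(0, len(mask), 2):
        total *= CHARSET_SIZES[mask[i:i + 2]]
    return total


def brute_force_keyspace(length: int) -> int:
    """Number of candidates when every position may be any printable character."""
    return FULL_PRINTABLE ** length


def is_predictable(password: str) -> bool:
    """True when the password's structure matches the assumed common shape."""
    return PREDICTABLE.match(mask_of(password)) is not None


if __name__ == "__main__":
    for sample in ["Summer2024!", "password1", "kT7#pq!Z2m$"]:  # constructed samples
        mask = mask_of(sample)
        ratio = brute_force_keyspace(len(sample)) // mask_keyspace(mask)
        print(f"{sample}: mask={mask} predictable={is_predictable(sample)} "
              f"search is ~{ratio:,}x smaller than brute force")
```

A check like `is_predictable` can sit in a password-change form or an internal audit to reject passwords whose structure would be among the first patterns tried.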