Hybrid attack — Comprehensive operation

Project reference document Time2Crack
Recipients: developers, security researchers, advanced users

Contents

  • Overview
  • Historical and academic background
  • Conceptual Foundations: Why the Hybrid Works
  • Architecture of a modern hybrid attack
  • The game of mutation rules
  • Best64 rules: the reference game
  • Complete Taxonomy of Transformations
  • Frequency priority: the heart of efficiency
  • Implementation in Time2Crack: addHybridAttacks()
  • The three hybrid keyspaces and their justification
  • High fidelity calibration
  • Relationship to derived attacks
  • Benchmarks by hash algorithm
  • Concrete examples of hybrid cracking
  • Hybrid attack limits
  • Effective defences
  • References

    • 1. Overview

    Hybrid attack is the cracking method that combines a dictionary wordlist with a set of transformation rulesInstead of testing each word in the dictionary as it is (pure dictionary attack), it generates on the fly all plausible variants of each word — capitalizations, character substitutions, prefix/suffix additions, inversions — and systematically tests them.

    Why is it so effective? Humans do not choose "password" as a password, they choose "Password1", "p@ssw0rd", "PASSWORD123" or "password!". These variants seem stronger because they are not in the raw dictionary list — yet they are among the first generated by any modern hybrid cracking tool. The attacker exploits exactly the same "secure" heuristics that the user applies.

    Hybrid attack is historically the responsible method for the majority of real "mean" password crackings — those that appear to be strong without being strong. According to Ma et al. (2014, IEEE S&P), the first 8 to 10 rules applied to a current word suffice to crack the median password population.

    In Time2Crack, the hybrid attack modeled:

  • The detection that the password is or is derived from a dictionary word
  • Estimation of the number of candidates an attacker should test before finding the exact variant
  • Calculation of the corresponding time according to the target hash algorithm

    • 2. Historical and academic background

    2.1 Origins: John the Ripper and mutation rules

    The hybrid attack is formally born with John the Ripper (Solar Designer, 1996), the first public tool to combine a wordlist with a configurable rule engine. Prior to John the Ripper, dictionary attacks tested raw words; John introduced the notion that each word generates a family of candidates.

    Chronology of milestones : YearEvent ------------------- 1979Morris & Thompson: users substitute numbers for letters to "secure" their passwords 1996John the Ripper 1.0: first public rule engine, JtR syntax (:, c, u, r, d...) 2000Alec Muffett documents that 80% of real cracking goes through wordlist+rules, not brute force 2006Hashcat 0.01: migration on GPU, rules go from 1M→1000M candidates/second 2009RockYou: 14.3M clear passwords allow empirical calibration of the most effective rules 2012Gosney (Passwordscon): 8 GPU GTX 580, best64 rules, crack 90% LinkedIn in < 6 days 2013Löfstrand: publishes "best64.rule", 64 rules covering 85-90% of current human transformations 2014Ma et al. (IEEE S&P): first academic study quantifying effectiveness by rule rank 2016Hashcat open source: integrated best64, MD5 speed 2 TH/s on 8× GTX 1080 2019Hashcat 6.0: OneRuleToRuleThemAll game (52k rules) generated by ML on corpus of passwords 2023NSA Advisory: explicitly recommends testing corporate passwords with hybrid tools

    2.2 Founding empirical studies

    Klein (1990) — Analysis of 15,000 Unix passwords. Recognizes that 24.2% are crackable per pure dictionary, but that 32% additional are crackable with simple transformations (capitalization, addition of final digit). Total: 56.2% with a primitive hybrid tool. Weir et al. (2009, IEEE S&P) — Proposes the PCFG model but valid by the way that the hashcat rules cover 78% of the transformations observed in RockYou. Demonstrates that the passwords "Password1" and "P@ssw0rd" are among the first 100 candidates generated by best64 on the word "password". Ma et al. (2014, IEEE S&P) — The most cited study on the effectiveness of hybrid rules.
  • Rules 1–10: crack 51%
  • Rules 1–64 (full best64): crack 79%
  • Rules 1–500: crack 88%
  • Key conclusion The first 10 rules make the majority of the work.
    • Durmuth et al. (2015, ESORICS) — Evaluates the JtR vs Hashcat vs PCFG rules. Concludes that the Hashcat best64 rules are empirically the most effective for observed clear passwords, surpassing PCFG by 12% on RockYou cover.

    2.3 LinkedIn flight as a school case

    The 2012 LinkedIn leak (6.5 million non-salted SHA-1s) perfectly illustrates the power of the hybrid. In 72 hours, the hashcat community had cracked:

  • 100% passwords in top-10M wordlists (pure dictionary)
  • 90% more via best64 + Combineatorattack
  • Resistant passwords: only those without any dictionary structure

    • Post-crack analysis revealed that "linkedin1", "Linkedin1", "l!nked!n" and "LINKEDIN" — all variants of "linkedin" — collectively represented tens of thousands of compromised accounts.

    3. Conceptual Foundations: Why the Hybrid Works

    3.1 The human behaviour of "secure"

    When a system imposes rules of complexity (majuscule, number, symbol), users do not generate random — they apply predictable transformations to memorizable words :

    Human strategyExampleRelated hybrid rule ---------------------------------------------------------- Capitalizing the first letter"sunshine" → "Sunshine"c (capitalize first) Count all"sunshine" → "SUNSHINE"u (uppercase all) Add a digit at the end"sunshine" → "sunshine1"$1 (appends "1") Add year"sunshine" → "sunshine2024"$2 $0 $2 $4 Replace e→3"sunshine" → "suns3ine"s e 3 (substitute e by 3) Replace a→@"password" → "p@ssword"s a @ Reverse word"sunshine" → "enihsnus"r (reverses) Double word"sun" → "sunsun"d (duplicate) Add ! final"sunshine" → "sunshine!"$! Combine multiple"password" → "P@ssw0rd1"c s a @ s o 0 $1

    These transformations seem creative to the user. exactly the first ones that the attacker tries They correspond to the constraints imposed by security policies.

    3.2 The concept of efficient reduced space

    A 10-character password with letters+digits+symbols has a raw keyspace-force of 94^10, 5,4 × 10^19 combinations. Too large to travel in a reasonable time.

    But if this password is "Password1!" — a trivial transformation of "password" — it is among the 500 first candidates The attacker does not travel 5.4 × 10^19 combinations: he travels 500.

    This is the fundamental reduction of the hybrid attack: the real space of human choices is astronomically smaller than the theoretical space of possible characters.

    3.3 The Law of Power of Transformation

    Just as raw passwords follow a law of power (Zipf), the transformations that humans apply also follow a very concentrated distribution. Ma et al. (2014) empirically showed:

  • ~5% of transformations ("add 1 at the end", "capitalize the first letter") cover ~50% of real cases
  • ~20% of transformations cover ~85% of cases
  • The remaining 80% of transformations cover only 15% of cases

    • This concentration allows a set of 64 well chosen rules (best64) to reach a coverage of 79-85%, where 64 random rules would reach only 10-15%.

    3.4 Interaction with the popularity of the basic word

    The more common the base word, the earlier the derived password is in the attacker's priority list. The attacker orders his candidates in decreasing probability:

    Candidats générés par l'attaquant (ordre de test) :

  • password (gross, most common word)
    • 

  • Password (capitalize first)
    • 

  • password1 ($1)
    • 

  • PASSWORD (uppercase all)
    • 

  • password! ($!)
    • 

  • p@ssword (substitute a→@)
    • 

  • passw0rd (substitute o→0)
    • 

  • Password1 (c + $1)
    • 

  • P@ssword (c + s a @)
    • 

  • password123 ($12$3)
    • 
...

  • p@ssW0rd! (combination complex)

    • "password" is the most common word → its derivatives are tested first. "papillon" is less common → its derivatives are tested much later. This prioritization is the central mechanism that explains the three distinct keyspaces in Time2Crack.

    4. Architecture of a modern hybrid attack

    4.1 General pipeline

    Phase 1 : Sélection de la wordlist
    ├── Passwords fuités triés par fréquence (RockYou, HIBP, Collections)
    ├── Dictionnaire linguistique (fr.txt, en.txt, de.txt...)
    ├── Wordlists thématiques (prénoms, villes, marques, séries TV)
    └── Wordlists contextuelles (domaine cible, noms d'employés, termes métier)

    Phase 2: Selection of the Rules Game
- - best64.rule (balanced reference, 64 rules)
OneRuleToRuleThemAll.rule (52,000 rules, ML-generated)
D3ad0ne.rule (34,000 rules, empirical)
- JtR rules (generalized.rule, specific.rule, extra.rule)
- - Custom rules (adapted to the target domain)
    

    Phase 3: Expansion (wordlist × rules)
For each word w in wordlist:
For each rule r in ruleset:
│ applicant = application(r, w)
Promotional │ If candidate 
Promotional │ queueof thecandidates.push(candidate)
--Order: (w1, rule1), (w1, rule2)... (w2, rule1)...
or: (w1, rule1), (w2, rule1)... according to strategy
    

    Phase 4: Haching and Comparison (GPU)
- - Sending by batch of ~10M candidates to the GPU
- - Parallel calculation of hashs (SIMD, 168 GH/s for MD5)
- Comparison with target hash(es)
If match: FINDED — log(candidate, hash, rule)
    

    Phase 5: Reporting
- - Cracked candidate + rule used + rank in list

    4.2 Hashcat modes of operation

    Hashcat implements the hybrid in two distinct ways:

    Mode -a 0 (wordlist + rules) : for every word of the wordlist, apply all the rules. This is the classic hybrid mode. 
    hashcat -a 0 -m 0 hashes.txt rockyou.txt -r best64.rule
    Mode -a 6 (wordlist + mask) : combines a wordlist with a positional mask. Generates all combinations mot + suffixemasked. 
    hashcat -a 6 -m 0 hashes.txt wordlist.txt ?d?d?d?d

    Test "sunshine0000", "sunshine0001", ..., "sunshine9999"
    Mode -a 7 (mask + wordlist) : inverse — masked prefix + word. 
    hashcat -a 7 -m 0 hashes.txt ?d?d wordlist.txt

    Test "00sunshine", "01sunshine", ..., "99sunshine"

    Time2Crack mainly models the mode -a 0 (transfer rules), which covers the vast majority of actual hybrid attacks documented.

    4.3 Order of candidates and prioritization strategy

    The order in which candidates are tested is critical.

    Strategy word-first (default hashcat): all rules are applied to W1 before switching to W2. 
    (W1, R1), (W1, R2), ..., (W1, Rn), (W2, R1), (W2, R2)...
    Advantage: if W1 is very likely (e.g. "password"), you quickly discover its variants. Rule-first strategy : all wordlists are run for R1 before going to R2. 
    (W1, R1), (W2, R1), ..., (Wm, R1), (W1, R2), (W2, R2)...
    Advantage: the most effective rule (: → mot brut) is applied first on all words. Often more effective for diverse corpus.

    In practice, hashcat uses word-first by default but experienced operators choose according to the target profile.

    5. Sets of mutation rules

    5.1 Syntax of hashcat rules

    The hashcat rules are expressed in a minimum language where each character represents an operation on the candidate string:

    Case modifiers :
  • : — Identity (gross word, no transformation)
  • l — lowercase all ("PASSWORD" → "password")
  • u — uppercase all ("password" → "PASSWORD")
  • c — Capitalize first, lowercase rest ("PASSWORD" → "Password")
  • C — Lowercase first, uppercase rest ("Password" → "pASSWORD")
  • t — Toggle box of all characters ("Password" → "pASSWORD")
  • TN — Toggle box from character to position N
    • Removals and reversals :
  • r — Reverse ("password" → "drowssap")
  • d — Duplicate ("password" → "passwordpassword")
  • f — Reflect (word + reverse) ("sun" → "sunnos")
  • { — Rotate left ("password" → "asswordp")
  • } — Rotate right ("password" → "dpasswor")
  • [ — Remove first character ("password" → "assword")
  • ] — Remove last character ("password" → "passwor")
    • Character additions :
  • $X — Append character X ("password" + $1 → "password1")
  • ^X — Prepend character X ("password" + ^1 → "1password")
  • iNX — Insert character X at position N
    • Substitutions :
  • sXY — Replace all X by Y ("password" + s a @ → "p@ssword")
  • SNX — Replace character at position N by X
    • Truncations :
  • 'N — Truncate at position N (password + '4 → "pass")
  • DN — Delete character at position N
    • Conditional :
  • - Apply the rule only if length < N
  • >N — Apply the rule only if length > N
  • =N — Apply the rule only if length = N

    • 5.2. Composite rules

    Rules can be chained on a single line to create complex transformations:

    c $1          → "Password1" (capitalize + append 1)
c $! $1       → "Password!1" (capitalize + append ! + 1)
s a @ s e 3   → "p@ssw3rd" (substitute a→@ et e→3)
r $1          → "1drowssap" (reverse + append 1)
u $2 $0 $2 $3 → "PASSWORD2023" (uppercase + append year)

    Power is in the composition: 64 simple rules generate thousands of distinct transformations by combination.

    5.3 Main Rules

    best64.rule (Löfstrand, 2013) — 64 rules selected empirically on RockYou to maximize crack rate. Considered industry benchmark. OneRuleToRuleThemAll (NotSoSecure, 2019) — 52,218 rules generated by automatic learning on cracked password corpus. Crack rate greater than best64 of ~8% on modern corpus, at the cost of a calculation time ~800× longer. d3ad0ne.rule — 34,096 Community rules, focus on patterns not covered by best64 ( accents, extended characters, non-English patterns). live.rule — 99 000+ rules, the most exhaustive. Used for long-term cracking when others failed. Generalized2.rule (JtR) — Automatically generated by statistical analysis of already cracked passwords. Recalculated periodically as new leaks occur.

    6. Best64 rules: the reference game

    Best64 is the set of 64 standard rules of reference in academic literature and industry. Here are the most important rules and their empirical justification:

    6.1 The 20 most effective rules (in order of performance)

    RankRuleTransformation% passwords covered (May 2014) ----------------------------------------------------------- 1:Gross Word~18% 2cCapitalize first~11% 3uUppercase all~6% 4$1Append "1"~5% 5lLowercase all~4% 6$!Append "!"~3% 7s a @a→@~2.8% 8c $1Capitalize + "1"~2.5% 9$2Append "2"~2.1% 10rReverse~1.9% 11$! + cCapitalize + "!"~1.7% 12s o 0o→0~1.6% 13dDuplicate~1.4% 14s e 3e→3~1.3% 15$1 $2 $3Append "123"~1.2% 16c $1 $2 $3Capitalize + "123"~1.1% 17$0Append "0"~1.0% 18^1Prep "1"~0.9% 19s i 1i→1~0.8% 20c $! $1Capitalize + "!1"~0.7% Cumulation rules 1–10 : ~55% of dict-based passwords Cumulation rules 1–20 : ~68% of dict-based passwords Cumulation rules 1–64 : ~79% of dict-based passwords

    6.2 Why are these rules so effective?

    Each top-10 rule corresponds to a common security policy constraint:

  • "Shall have a capital capital" → users capitalize the first letter (c)
  • "must have a number" → users add "1" at the end ($1)
  • "Shall have a symbol" → users add "!" ($!)
  • "must have letters AND numbers" → c $1 or c $1 $2 $3

    • Password policies do not really increase security if users implement predictable transformations — they only move passwords to the second or third rule of best64.

    7. Complete Taxonomy of Transformations

    7.1 Category 1: Case transformations

    Most common. Exploit the obligation to have a capital capital:

  • Capitalize first letter : "sunshine" → "Sunshine" (most common rule after the word raw)
  • All uppercase : "sunshine" → "SUNSHINE"
  • Toggle alternating : "sunshine" → "sUnShInE"
  • Last letter uppercase : "sunshine" → "sunshine"
  • CamelCase: "sunshinE" (approximated by c changes)
    • Prevalence : Klein (1990) notes that 41% of "passwords with capitals" consist simply of the word with the first letter in capitals.

    7.2 Category 2: Digital Suffixes and Prefixes

    Exploit the obligation to have a figure:

  • Append single digit : word+"0" to word+"9"
  • Append two digit : word+"00" to word+"99" (100 combinations)
  • Append year : word+"1990" to word+"2024" (35 frequent combinations)
  • Append "123" or "1234" (very common)
  • Prepend single digit : "1"+mot à "9"+mot
  • Prepend year : "2024"+word
    • Prevalence Veras et al. (2014) find that ~73% of "mandatory" passwords add the figure in suffix. Only ~12% prefix it.

    7.3 Category 3: Leet substitutions

    Systematic replacement of letters with similar numbers or symbols:

    SubstitutionEmpirical frequency ------------------------------------ a → @23% of passwords with @ e → 331% of passwords with 3 i → 119% of passwords with 1 o → 027% of passwords with 0 s → $14% of passwords with $ l → 18% t → 76% g → 94%

    Combined substitutions ("P@ssw0rd") appear complex but are generated in a few rules: c s a @ s o 0They are among the 500 first candidates On "password".

    7.4 Category 4: Symbolic Suffixes

    Exploit the obligation to have a special character:

  • Append "!": the most frequently added symbol (~35% of symbolic additions)
  • Append "?": ~8%
  • Append "#" : ~6%
  • Append "@": ~5%
  • Append ".": ~4%
  • Append "!!": ~3%
  • Prepends "!": less frequent (~10% of cases vs 35% for suffix)
    • Kombinaison : word + "1!" is so common that it is systematically generated by best64. "sunshine1!" is among the first 200 candidates generated on "sunshine".

    7.5 Category 5: Structural transformations

    Less frequent but useful for some profiles:

  • Inversion: "sun" → "naked" (current for certain groups)
  • Duplication: "sun" → "sunsun" (passwords for systems limiting to 8 tanks solved to 16)
  • Rotation : "password" → "asswordp"
  • Truncation + addition : "passw" + "1"

    • 7.6 Category 6: Compound transformations (advanced level)

    Complex rules combine several operations:

    c $1 s a @        → "P@ssword1" (capitalize + append 1 + substitute a→@)
u $! $1 $2 $3     → "SUNSHINE!123" (uppercase + append !123)
r c $1            → "Drowssap1" (reverse + capitalize + append 1)
s e 3 s a @ c $!  → "P@ssw3rd!" (multiple substitutions + capitalize + !)

    These transformations seem very complex but remain detectable by a good set of rules. OneRuleToRuleThemAll contains thousands of these.

    8. Frequency Priority: The Heart of Effectiveness

    8.1. The frequency of the basic word determines the priority

    An intelligent attacker does not apply the rules uniformly to all words. He prioritizes:

  • Most common words (top-100 RockYou/HIBP) × all rules
  • Words moderately common (top-10k) × most effective rules
  • Less frequent words (all dictionary) × first few rules

    • This strategy is implemented in hashcat via the sorting of the wordlist by decreasing frequency combined with the word-first strategy. It explains why "Password1" (derived from "password", the word #1) is cracked in milliseconds, while "Soleil1" (derived from "sun", word ~5000 from the French dictionary) may take a few seconds.

    8.2 Median position in search space

    The key measure is the median number of candidates tested before finding the target password. Ma et al. (2014) provide empirical measurements:

    ThirdExampleMedian applicants before finding ------------------------------------------------------------------- TOP100"password1", "P@ssword"~450–500 Common dict (top-10k)"Sunshine1", "sunshine!"~5 000–15 000 Less common"Paillon2024"~50 000–200,000 Without dictionary"Xk7#mP9q"N/A (inapplicable hybrid)

    These measurements are the direct basis of Time2Crack constants: 

    const HYBRIDKEYSPACECOMMON = 500;    // Ma et al. 2014 — médiane top-100
const HYBRIDKEYSPACEDICT = 8000; // Ma et al. 2014 — median current dictator
const HYBRIDKEYSPACEFULL = 128e6; // Gosney 2012 — best64 × 2M exhaustive words

    8.3 Conditions necessary for the hybrid to be applicable

    Hybrid attack requires the password to be structurally derivable from a dictionary wordTime2Crack detects this condition via hybridVuln :

    const hybridVuln = dictWord || (common && /[a-z]/i.test(pw));
  • dictWord = true : the password is or derives from a language wordlist
  • common && lettre : the password appears in COMMON (HIBP top-400) and contains letters — so almost certainly derived from a word

    • If dictWord neither hybridVuln are true — the password contains no detectable dictionary root — hybrid attack returns null (not applicable). A purely random password like "xK9#mQ7@" is not vulnerable to hybrid.

    9. Implementation in Time2Crack: addHybridAttacks()

    9.1 Complete annotated code

    function addHybridAttacks(rows, hybridVuln, weak, common, dictWord) {
  if (hybridVuln || weak) {
    // Sélection du keyspace selon la popularité du mot de base :
    // common → mot dans HIBP top-400 → position ~500 dans la liste de l'attaquant
    // dictWord → mot dans la wordlist → position ~8000
    // sinon (hybridVuln sans dictWord ni common) → scan exhaustif ~128M
    const hybridKS = common ? HYBRIDKEYSPACECOMMON
dictWord? HYBRIDKEYSPACEDICT
: HYBRIDKEYSPACEFULL;

    for (const a of ALGOS) {
rows.push({
atk: t("aHybrid"),
hash: a.name,
rate: a.rate,
// budgetTime : the keyspace IS the number of guesses — no division by 2
// (unlike BrutTime, here candidates are ordered by probability)
dry: weak ? weakGuessTime(a.rate): budgetTime(hybridKS, a.rate),
note: weak ? t("nWeakPassword") : t("nDictMut")
cat: "hybrid",
});
}
} else {
// Password without structure dictionary → hybrid inapplicable
rows.push({
atk: t("aHybrid"),
hash: "(all)",
rate: 0,
dry: null, // N/A in the table
note: t(nStructUnrecog),
cat: "hybrid",
});
}
}

    9.2 budgetTime vs bruteTime

    The distinction between the two functions is fundamental:

    // bruteTime : l'attaquant ne sait pas où est le mot de passe dans l'espace.
// Il teste en moyenne la moitié avant de le trouver. → keyspace/2
function bruteTime(keyspace, rate) {
  const ls = Math.log(keyspace / 2) - Math.log(rate);
  return Math.exp(ls);
}

    // budgetTime: the attacker tests candidates in descending order of probability.
// Keyspace IS the number of candidates expected before finding (median position).
// No division by 2 — the median is already incorporated into the Ma 2014 constants.
budget functionTime(guess, rate) {
const ls = Math.log(guesses) - Math.log(rate);
returns Math.exp(ls);
}

    For the hybrid, budgetTime is correct because the 500/8000/128M candidates are empirical estimates of the median position, not total space to travel.

    9.3 Relationship with isDictWord()

    Detection dictWord which conditions the choice of hybrid keyspace is produced by isDictWord() :

    function isDictWord(pw) {
  if (!DICTWORDS || !DICT(WORDS.size) return false;
const l = pw.normalize("NFC").toLowerCase();

    // Direct test: Is the password as it is in the dictionary?
if (DICT)
    WORDS.has(l)) return true;

    // Leetified test: "s0le1l" → "sun" in the dico?
const dl = deLeet(pw);
if (dl!)WORDS.has(dl) return true;
    

    // Test substring: "sunshine123" contains "sunshine" in the dico?
for (const w of DICTWORDS) {
if (l.includes(w) && w.length >= 4) return true;
}
    

    return false;
}

    This detection determines not only whether the hybrid is applicable, but also which keyspace (common vs dict) is used to calculate time.

    10. The three hybrid keyspaces and their justification

    10.1 HYBRIDKEYSPACECOMMON = 500

    Background The password is in COMMON — the hardcoded list HIBP top-~400. These are some of the most common passwords in the world ("password", "letmein", "sunshine", "iloveyou"...). Justification Ma et al. (2014) empirically measured that the median position of a top-1000 password in a hybrid list sorted by probability is ~450 candidates. The number 500 is a slightly conservative estimate to cover up to ~400 rank. Interpretation : an attacker applying best64 to a wordlist sorted by frequency tests on average 500 candidates before finding the password. At 2,000 GH/s (MD5, 12× RTX 4090), 500 candidates = 0.25 picoseconds. Practically instantaneous. Example : "Sunshine1" → "sunshine" is in COMMON → HYBRIDKEYSPACECOMMON = 500 → budgetTime(500, 2027e9) 0.25 nanoseconds.

    10.2 HYBRIDKEYSPACEDICT = 8,000

    Background The password is derived from a word from the language wordlist, but not from COMMON. These are common vocabulary words ("sun", "mountain", "paillon"...) with transformations. Justification Ma et al. (2014) measure a median position of 2,000 to 15,000 depending on the popularity of the word in RockYou. The empirical median is ~8,000. This keyspace reflects that the attacker tests the word and its variants after exhausting the more common candidates. Interpretation : 8,000 candidates at 2,000 GH/s (MD5) = 4 nanoseconds. Always near-instantaneous for fast hashs. For bcrypt (69 kH/s): 8,000 / 69 000 0.12 seconds. Example : "Soleil2024" → "sun" in fr.txt → HYBRIDKEYSPACEDICT = 8,000 → a few nanoseconds on MD5, 0.12s on bcrypt.

    10.3 HYBRIDKEYSPACEFULL = 128,000,000

    Background : hybridVuln is true (password has a dictionary structure) but neither common neither dictWord The attacker must browse the entire wordlist with all the rules. Justification : Gosney (Passwordscon 2012) documents a wordlist of 3.5M words × best64 (64 rules) = 224M candidates in total. In practice, realistic wordlists make 2M words and the partial best64 runs stop at ~128M candidates before climbing towards wider rules. Formula : 2000000 mots × 64 règles = 128000000 candidats Interpretation : 128M candidates at 2000 GH/s (MD5) 64 microseconds. On bcrypt (69 kH/s): ~31 minutes.

    11. High fidelity calibration

    11.1 Role of high fidelity mode

    When high fidelity mode (HF) is activated in Time2Crack, an additional multiplier is applied to the calculated times to refine accuracy. For hybrid attack, this multiplier takes into account factors not captured by the basic keyspaces.

    HF multiplicators for hybrid

    In applyHighFidelityCalibration() :

    case "hybrid":
  // Mots très courants : crackés encore plus tôt que la médiane Ma 2014
  // car les attaquants modernes trient word-first + règle-first simultanément.
  // Réduction de 30% sur les temps déjà courts.
  m = context.common ? 0.7
: context.dictWord ? 0.8
- 1.0;
Break;
    Justification :
  • For common : modern tools (hashcat with --markov-threshold) pre-set the rules by empirical effectiveness. The best candidates arrive even earlier. Reduction of 30%.
  • For dictWord : less effect because the position in the wordlist is less concentrated. Reduction of 20%.
  • For hybridVuln only (FULL keyspace): no reduction — full keyspace is already a conservative estimate.

    • 11.3 Interaction with the monotony guard

    The monotony guard ensures that no specialized attack claims to be faster that the raw force on the alphabetical substring of the password:

    // Pour chaque row non-brute :
const floorAlpha = bruteTime(Math.pow(26, alphaOnly.length), algo.rate);
if (row.sec < floorAlpha) row.sec = floorAlpha;

    For short words (e.g., "cat" = 3 letters, floor = 26^3/rate

    12. Relationship with derived attacks

    12.1 Hybrid vs. Pure Dictionary

    CriteriaPure DictionaryHybrid ------------------------------------- Candidates testedCorrect List WordsWords + all their variants Cover (RockYou)~18%~79-85% (with best64) Keyspace (200k words)200 000200 000 × 64 = 12.8M ApplicabilityPassword = exact wordPassword derived from a word Vulnerable example"sunshine" (exact)"Sunshine1!", "sunsh1ne" Resistant example"Sunshine1""xK9#mQ7@" (no root)

    12.2 Hybrid vs Rule-Based

    The rule-based attack in Time2Crack is conceptually similar but with a much wider set of rules:

    const RULEKEYSPACE = 250000000; // vs 128M for full hybrid

    The difference: the best64 model hybrid (64 rules, focus on common human transformations). The rule-based attack models wider games like d3ad0ne (34k rules) or OneRuleToRuleThemAll (52k rules), used when best64 fails. The rule-based is the "second line" hybrid — slower but more comprehensive.

    12.3 Hybrid vs PCFG

    PCFG (Probabilistic Context-Free Grammar, Weir 2009) models the grammatical structure of the password to generate candidates.

    CriteriaHybridPCFG -------------------------- ApproachBasic word + transformation rulesGlobal grammatical structure ForceExisting words mutatedStructures type "word+Digits" Example"sunshine" → "Sunshine1"Detects the "Caps+lower+digit" structure ComplementarityTriggers on dictWordTriggers on detected structure Keyspace (Time2Crack)500 / 8k / 128MpcfgKeyspace(pw) dynamically calculated

    PCFG can attack passwords without root dictionary if their structure is common (ex: "Thelonious8" → no word of the dico but structure Capitalize+lower+digit very predictable).

    12.4 Hybrid vs Morphological (morph)

    The morphological attack tests linguistic variants (flexions, variations). It is a generalization of the hybrid for languages with rich morphology:

  • Hybrid : "sun" → "Sun1", "s0leil", "sun!"
  • Morphological : "sun" → "sun", "sun", "solar", "sun"

    • The hybrid operates on the surface of the word (character transformations), the morphological operates on the lexical structure (derivation, bending), and they are complementary.

    13. Benchmarks by hash algorithm

    13.1 Time for the three hybrid keyspaces (12× RTX 4090)

    AlgorithmRate (H/s)COMMON (500)DICT (8k)FULL (128M) ---------------------------------------------------------------- MD52 027 GH/s0.25 ps3.9 ns63 μs SHA-1610 GH/s0.82 ps13 ns210 μs SHA-256272 GH/s1.84 ps29 ns470 μs NTLM3,462 GH/s0,14 ps2.3 ns37 μs bcrypt (cost 10)69 kH/s7.2 ms0.12 s31 min Argon2id800 H/s0.625 s10 s44 hours Reading : for MD5 and NTLM, even the FULL keyspace (128M candidates) is cracked in a few dozen microseconds. The hash algorithm is almost irrelevant for common words. Argon2id is the only algorithm that resists significantly even for common words: 0.625 seconds for a COMMON word, 10 seconds for a dictWord. These times remain short in absolute value but represent a slowdown of x10^12 vs MD5 — making large-scale attacks economically inviable.

    13.2 Impact of the attacking profile

    Time2Crack offers two profiles (Experienced 12 GPU, Professional 100 GPU). For the hybrid, the profile difference is directly proportional:

    ProfileGPUsMultiplierFULL bcrypt -------------------------------------------- Experienced12× RTX 40901×31 min Professional~100 GPU~8×~4 min

    For MD5, SHA-1, NTLM: the profile changes the time from microseconds to nanoseconds — without any practical impact, both are instantaneous.

    14. Concrete examples of hybrid cracking

    14.1 Example 1: "Password1" (COMMON)

    Analysis :
  • isCommon("Password1") → false (not in exact HIBP)
  • isDictWord("Password1") → true ("password" in DICTWORDS in lower case)
  • COMMON.has("password") → true → common = true
  • Result: HYBRIDKEYSPACECOMMON = 500
    • MD5 time : 500 / 2,027e12 0.25 picoseconds (snapshot) Time bcrypt cost 10 : 500 / 69 000 7.2 milliseconds Rules tested before finding : : (gross word "password" → no), c ("Password" → no), c $1 ("Password1" → FIND, row ~8)

    14.2 Example 2: "Sun2024" (DICT)

    Analysis :
  • isCommon("Soleil2024") → false
  • isDictWord("Soleil2024") → true ("sun" in fr.txt)
  • COMMON.has("soleil") → false → common = false, dictWord = true
  • Result: HYBRIDKEYSPACEDICT = 8,000
    • MD5 time : 8 000 / 2.027e12 3.9 nanoseconds Time bcrypt cost 10 : 8 000 / 69 000 0.12 seconds Test rules : the attacker arrives at "sun" at ~5000 in the wordlist fr sorted by frequency, then applies c $2 $0 $2 $4 ("Sun2024") in the row ~3 of its rules → overall position ~15 003.

    14.3 Example 3: "p@pillon!" (DICT with substitutions)

    Analysis :
  • isDictWord("p@pillon!") : de-leetification → "paillon" → in fr.txt → dictWord = true
  • Result: HYBRIDKEYSPACEDICT = 8,000
    • Test rules : "paillon" at ~15,000 of the dictionary fr. Rule s a @ $! → "p@pillon!" in row ~12. Overall position: ~180,000. Always good in HYBRIDKEYSPACEDICT.

    14.4 Example 4: "xK9#mQ7@" (resistant)

    Analysis :
  • isDictWord("xK9#mQ7@") → false (no root dictionary)
  • isCommon("xK9#mQ7@") → false
  • hybridVuln = false
  • Outcome: sec = nullhybrid not applicable

    • This password cannot be cracked by hybrid attack. It has no dictionary root. The attacker must use pure brute force, PCFG or statistical attacks (Markov, Neural).

    14.5 Example 5: "LinkedInB3st!"

    Analysis :
  • isDictWord("LinkedInB3st!") : "linkedin" → wordlist en.txt + deLeet("b3st") → "best" → dictWord = true
  • Result: HYBRIDKEYSPACEDICT = 8,000

    • Interesting case: the password contains two roots ("linkedin" and "best" via de-leetification). Hybrid attack is applicable because at least one root is detected. In practice, a combinator attack (two words glued) would be even more effective here.

    15. Hybrid Attack Limits

    15.1 Intrinsic limits

    Dependence on the quality of the wordlist : if the basic word is not in the wordlist, the hybrid cannot work. A password based on a very specialized term (neologism, obscure technical term, word of a rare language) can resist if it is absent from all common wordlists. Incomplete coverage of transformations : even OneRuleToRuleThemAll with 52k rules does not cover 100% of imaginable transformations. Some very rare transformations (base64 partial encodings, invented patterns) escape the rules. Combinatory Explosion with Long Wordlists At 2,000 GH/s (MD5), it takes ~250 seconds — but with bcrypt (69 kH/s), ~230,000 years. The scalability of the hybrid is constrained by the length of the wordlist and the slowness of the hash algorithm.

    15.2 What Time2Crack does not capture

    Context Wordlists : an attacker targeting a specific company will build a wordlist with the name of the company, products, employee names, business terms. "Renault2024!" would be cracked instantly by an attacker targeting Renault — but Time2Crack does not model this context (this is the role of the "Targeted OSINT" attack). Multi-pass composite rules Some passwords resist best64 but give in to two-pass rules (apply one rule, then apply another rule on the result). Time2Crack model only one rule pass. Cache Effects and Memorization : hashcat maintains a table of candidates already tested to avoid duplicates, which accelerates runs in practice. Not modelled in Time2Crack (conservative).

    15.3 Cases where the hybrid is overestimated

    Time2Crack can overestimate hybrid speed in two cases:

  • Long passwords A 20-character password based on a word dictionary ("incomprehensibleities1!") is detected as a dictionary, but hybrid tools usually filter candidates too long. The real keyspace is perhaps 10× larger.
  • Languages with rich morphology Turkish, Finnish, Hungarian have more complex wordlists. "Güneş2024" can pass under radars if the Turkish wordlist does not include all morphological forms.

    • 16. Effective defences

    16.1 What resists hybridization

    Hybrid attack fails if the password does not derive from any existing dictionary wordEffective strategies:

    Random passwords "xK9#mQ7@vP2!" contains no dictionary root. No hybrid rule can generate it. Resistance: maximum. Password generators : password managers (Bitwarden, 1Password, KeePass) generate random strings. No root dictionary → hybrid inapplicable. Passphrases of really random words : "tabouret-marmot-ginger-flash" — four random words. Hybrid attack in classical mode does not generate combinations of 4 words (this is the role of the combinator). Passphrase resists the standard hybrid.

    16.2 What is NOT Resistance to Hybrid

    The most common "strengthening" strategies do not resist:

    StrategyExampleResistance ----------------------------------- Capitalizing the first letterSunshineRule c, row 2 Add a digit"sunshine1"Rule $1, row 4 Add symbol"Sunshine!"Rule $!, row 6 Replace e→3"suns3ine"Rule s e 3, top-20 Combine all"Suns3ine!"A composite rule, top-100 Choose a rare word"Papillon123" Double word"sunsun"Rule d, top-30 Reverse"enihsnus"Rule r, top-15 Conclusion Any strategy based on "take a word + modify it" is vulnerable to the hybrid. The exception is such a complex and rare modification that it is not covered by any rule — but if the user has to remember this complex transformation, he usually ends up choosing something predictable.

    16.3. Resistant hash algorithms

    Even if a password is vulnerable to the structural hybrid, the hash algorithm can make the attack economically inviable:

    AlgorithmTime for DICT (8k guesses)Practice attack ----------------------------------------------------------- MD5 / NTLM< 1 nanosecondInstant SHA-256~30 nanosecondsInstant bcrypt cost 10~0.12 secondsTrivial bcrypt cost 14~32 secondsFeasible Argon2id (default)~10 secondsFeasible Argon2id (strong parametrate)~100 secondsSlow but possible Argon2id with high parameters (t=4, m=65536) is the only algorithm that makes the hybrid really expensive, even on weak passwords.

    16.4 Practical recommendations

  • Use a password manager : generates pure random, inapplicable hybrid
  • If required : 4+ words actually random passphrase (from EFF)
  • Never "secure" a word by substitution : the hybrid automatically generates them
  • Require bcrypt cost ≥ 12 or Argon2id server side: the only real slower
  • Enable MFA : makes offline cracking theoretical without operational impact

    • 17. References

    Academic publications

    Klein, D.V. (1990) "Foiling the Cracker": A Survey of, and Improvements to, Password Security Proceedings of the USENIX Security Workshop, 1990. — First empirical study quantifying the impact of mutation rules on cracking coverage. Notes that 56% of passwords are crackable with dictionary + simple transformations. Weir, M., Aggarwal, S., de Medeiros, B., & Glodek, B. (2009) Password Tracking Using Probabilistic Context-Free Grammars IEEE Symposium on Security and Privacy (S&P), 2009. — Founded the PCFG model and valid by the way that the hashcat rules cover 78% of the human transformations observed in RockYou. Ma, J., Yang, W., Luo, M., & Li, N. (2014) A Study of Probabilistic Password Models IEEE Symposium on Security and Privacy (S&P), 2014. — Direct reference study for Time2Crack: empirical measurement of median positions (500 for top-100, 2000–15000 for current dict) in a hybrid scan ordered by probability on 10M real passwords. Durmuth, M., Chaabane, A., Perito, D., & Castelluccia, C. (2015) When Privacy meetings Security: Leveraging Personal Information for Password Tracking ESORICS 2015. — Compare rules JtR vs Hashcat vs PCFG. Concludes that best64 surpasses PCFG by 12% on RockYou. Veras, R., Collins, C., & Thorpe, J. (2014) On the Semantic Patterns of Passwords and their Security Impact NDSS 2014. — Language analysis of semantic patterns. Ur, B., Bees, J., Segreti, S. M., Bauer, L., Christin, N., & Cranor, L. F. (2015) Do Users' Perceptions of Password Security Match Reality? ACM CHI 2015. — Demonstrates that users systematically overestimate the strength of mutated passwords. "P@ssw0rd" receives a subjective score of "strong" but is cracked in < 1s. Wheeler, D.L. (2016) zxcvbn: Low-Budget Password Strength Estimate 25th USENIX Security Symposium, 2016. — Force estimation library integrating mutation rule detection. Reference for the implementation of detection heuristics.

    Industrial conferences and presentations

    Gosney, J (2012)     8x Nvidia GTX 580 Cluster Hashcat Benchmarks / LinkedIn crack session Passwordscon 2012, Oslo. — Document the LinkedIn crack: best64 + wordlist 3.5M = 224M candidates, 90% cracked in 6 days.KEYSPACEFULL = 128M. Löfstrand, K. (2013) best64.rule — Empirical selection of 64 hashcat rules Internal, published on GitHub. — Set of 64 rules selected empirically on RockYou to maximize crack rate. Industry reference standard. Steube, J. (2016–present) Hashcat Advanced Password Recovery https://hashcat.net/hashcat/ — Official mode documentation -a 0, -a 6, -a 7. Syntax of rules. Official GPU benchmarks on 12× RTX 4090. NotSoSecure (2019) OneRuleToRuleThemAll — ML-generated hashcat rule set https://github.com/NotSoSecure/passwordcrackingrules — 52 218 rules generated by automatic learning on corpus of cracked passwords.

    Reference tools

    John the Ripper (Solar Designer, 1996–present) https://www.openwall.com/john/ — Pioneer of the wordlist+rules hybrid. JtR syntax always used in parallel with Hashcat. Hashcat (Steube, 2009–present) https://hashcat.net/hashcat/ — Reference GPU implementation. Modes -a 0/6/7 for hybrid. best64 integrated. RockYou wordlist (2009) 14,3M clear passwords. Standard calibration corpora for all hybrid rule sets. SecLists (Daniel Miessler, 2012–present) https://github.com/danielmiessler/SecLists — Collection of wordlists by language, domain, theme. Main source of Time2Crack language wordlists.

    Web sources cited in the Time2Crack application

    Chick3nman (Hashcat benchmarks/rules). https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb4222fd — Related source descHybrid (app.js) for the order of magnitude of the mutation rules applied. IEEE Xplore (hybrid reference). https://ieeexplore.ieee.org/document/6956583 — Related source descHybrid (app.js) concerning the empirical effectiveness of mutated passwords.
    Document generated as part of the Time2Crack project — 2026 See also: BRUTEFORCEATTACKEXPLAINED.md, MARKOVATTACKEXPLAINED.md, DICTIONARYATTACKEXPLAINED.md*