- Password policies can lead to predictable password patterns if users are not adequately educated on proper password hygiene (e.g. a policy demanding eight or more characters with uppercase, lowercase and a digit tends to produce `Summer2023`-style passwords)

![[images/Pasted image 20251117195334.png]]

- Hybrid attacks combine the strengths of dictionary and brute-force techniques (a dictionary base word plus a short brute-forced suffix or a policy-driven mutation), maximizing the chances of cracking passwords, especially where users fall into predictable patterns
- Customize or filter a wordlist from `seclists` to fit a password policy, so every candidate you spend time on could actually exist under that policy

```bash
# filter wordlist to only include candidates 8 characters or longer
grep -E '^.{8,}' darkweb2017-top10000.txt > darkweb2017-minlength.txt

# filter wordlist to only include candidates with at least one uppercase character
grep -E '[A-Z]' darkweb2017-minlength.txt > darkweb2017-uppercase.txt

# filter wordlist to only include candidates with at least one lowercase character
grep -E '[a-z]' darkweb2017-uppercase.txt > darkweb2017-lowercase.txt

# filter wordlist to only include candidates with at least one number
grep -E '[0-9]' darkweb2017-lowercase.txt > darkweb2017-number.txt

# show number of remaining candidates
wc -l darkweb2017-number.txt
```

- Credential stuffing (replaying username/password pairs leaked from other breaches) is also a form of hybrid attack

![[images/Pasted image 20251117195826.png]]
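The following is an added example (not part of the original note or of any `seclists` tooling) that does the same policy filtering as the `grep` chain above in a single `awk` pass and then applies a small hybrid rule: each surviving dictionary word is expanded with brute-force style suffixes and re-filtered, so only candidates the policy would accept are kept. The wordlist here is a constructed stand-in for `darkweb2017-top10000.txt`, and the suffix list and the function names (`policy_filter`, `hybrid_expand`, `count_compliant`) are assumptions chosen for the example; on a real engagement replace `sample_wordlist` with `cat darkweb2017-top10000.txt` and tune the suffixes to the target's password-rotation habits.

```shell
#!/bin/sh
# Added example: policy filtering plus a minimal hybrid (dictionary + suffix) expansion.
# POSIX sh; no bash-only features so it runs under dash as well.
set -eu

# Constructed stand-in for a seclists wordlist (not real leaked data).
sample_wordlist() {
  printf '%s\n' 'password' 'Password1' 'letmein' 'Summer2023' \
                'qwerty123' 'Welcome1!' 'ADMIN' 'Dragon42'
}

# policy_filter: one awk pass equivalent to the four grep filters
# (>= 8 characters, at least one uppercase, one lowercase, one digit).
policy_filter() {
  awk 'length($0) >= 8 && /[A-Z]/ && /[a-z]/ && /[0-9]/'
}

# hybrid_expand: append common suffixes to every base word (the brute-force
# "tail" of a hybrid attack), then keep only policy-compliant results.
# The suffix list is an assumption for the example; '' keeps the bare word.
hybrid_expand() {
  while IFS= read -r word; do
    for s in '' 1 123 2023 2024 '!'; do
      printf '%s%s\n' "$word" "$s"
    done
  done | policy_filter | sort -u
}

# count_compliant: how many raw wordlist entries already satisfy the policy.
count_compliant() {
  sample_wordlist | policy_filter | wc -l | tr -d ' '
}

# count_hybrid: how many candidates survive after hybrid expansion.
count_hybrid() {
  sample_wordlist | hybrid_expand | wc -l | tr -d ' '
}
```

Running `sample_wordlist | policy_filter` keeps only `Password1`, `Summer2023`, `Welcome1!` and `Dragon42`; piping the full list through `hybrid_expand` grows those four bases into 24 compliant candidates while still discarding every mutation of `password`, `letmein`, `qwerty123` and `ADMIN` that can never satisfy the policy. That is the practical point of filtering first: the mutation rules are cheap, so spend them only on bases that can produce a valid password.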