PACK: Building Probabilistic Password Cracking Strategies from Breach Data

Hook

The most common password mask isn't what security training suggests. Frequency analysis of breach data shows that a few simple patterns, above all a word followed by digits ('stringdigit' in PACK's terms), account for the bulk of real passwords, yet untargeted cracking campaigns spend most of their compute on combinations nobody actually chooses.

Context

Password cracking has traditionally been a brute-force numbers game: throw dictionaries at hashes, try every permutation, hope your computational power outlasts the keyspace. John the Ripper and Hashcat brought speed, but a raw brute-force or exhaustive mask attack treats every candidate in its keyspace as equally likely. The reality is far more predictable. When RockYou leaked the plaintext passwords of 32 million accounts in 2009, security researchers gained unprecedented insight into password psychology. Humans aren't random number generators; they follow patterns. They append years to dictionary words. They capitalize the first letter and add an exclamation point. They choose eight characters because that's the minimum.

PACK emerged from this revelation. Rather than blindly iterating through trillions of combinations, what if you could analyze prior breaches to identify the patterns users actually choose? What if you could tell Hashcat to try six-character lowercase-then-two-digits before attempting nine-character mixed-case-with-symbols? This is intelligence-driven password auditing. PACK doesn't crack passwords—it tells you where to aim your cracking tools by converting empirical data into probabilistic attack strategies. It's the reconnaissance phase that transforms password auditing from exhaustive search into targeted campaign.

Technical Insight

System architecture (auto-generated diagram, labels only): Password List (Plaintext) -> statsgen (Statistical Analysis) -> Frequency Data (Lengths, Charsets, Masks) -> maskgen (Hashcat Mask Files, Prioritized by Frequency) -> Hashcat (Mask Attack); rulegen (Rule Transform Files) produces the rule side of the toolkit.

PACK's architecture is a pipeline of three utilities. statsgen reads a plaintext password list and extracts its statistical patterns; maskgen reads the mask file statsgen writes and turns it into Hashcat mask files ordered by frequency; rulegen reads the plaintext list directly and generates rule-based transformation files. The plaintext input typically comes from breach databases or from your own prior successful cracks.

The statsgen utility performs frequency analysis across several dimensions: password length, character-set composition (lowercase, uppercase, digits, specials), and two kinds of mask. A simple mask replaces each run of same-class characters with one token and does not distinguish upper from lower case: 'password123' becomes 'stringdigit', and 'P@ssw0rd!' becomes 'stringspecialstringdigitstringspecial'. An advanced mask is the per-character Hashcat form of the same password: ?l?l?l?l?l?l?l?l?d?d?d and ?u?s?l?l?l?d?l?l?s respectively. The tool prints the distribution of each, and with -o writes the advanced masks and their counts to the file maskgen consumes:

# Analyze a password list; -o writes one "mask,count" line per advanced mask for maskgen
python statsgen.py passwordlist.txt -o analysis.txt

# Terminal output (illustrative numbers) follows this shape:
# [*] Length:
# [+]        8: 28.5% (2850000)
# [+]        7: 18.2% (1820000)
# [+]        6: 15.1% (1510000)
# [*] Simple Masks:
# [+]        stringdigit: 23.4% (2340000)
# [+]             string: 18.7% (1870000)
# [+]              digit: 12.3% (1230000)
# [*] Advanced Masks:
# [+]   ?l?l?l?l?l?l?d?d:  4.1% (410000)
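As an added example that is not part of PACK or of the original article, the following Python re-implements the two mask encodings statsgen uses and tallies them over a constructed sample list, so the abstraction above can be checked by hand. The sample passwords are made up; the only PACK-specific facts it relies on are the token names (string, digit, special; ?l ?u ?d ?s) and the mask,count format of the -o file.

```python
# Added example, not PACK's own code: a minimal re-implementation of the
# statistics statsgen reports, using PACK's mask conventions.
#   simple mask   - each run of same-class characters becomes one token:
#                   letters -> "string", digits -> "digit", anything else -> "special"
#                   (upper and lower case are not distinguished here)
#   advanced mask - one Hashcat token per character: ?l ?u ?d ?s
from collections import Counter
import string


def simple_mask(password: str) -> str:
    tokens = []
    for ch in password:
        if ch in string.digits:
            tok = "digit"
        elif ch in string.ascii_letters:
            tok = "string"
        else:
            tok = "special"
        if not tokens or tokens[-1] != tok:  # collapse runs of the same class
            tokens.append(tok)
    return "".join(tokens)


def advanced_mask(password: str) -> str:
    out = []
    for ch in password:
        if ch in string.digits:
            out.append("?d")
        elif ch in string.ascii_lowercase:
            out.append("?l")
        elif ch in string.ascii_uppercase:
            out.append("?u")
        else:
            out.append("?s")
    return "".join(out)


def analyze(passwords):
    """Tally lengths, simple masks and advanced masks; returns three Counters."""
    lengths, simple, advanced = Counter(), Counter(), Counter()
    for pw in passwords:
        pw = pw.rstrip("\r\n")
        if not pw:
            continue
        lengths[len(pw)] += 1
        simple[simple_mask(pw)] += 1
        advanced[advanced_mask(pw)] += 1
    return lengths, simple, advanced


def report(counter, total, title):
    """Render one section in the spirit of statsgen's terminal output."""
    lines = ["[*] %s:" % title]
    for key, count in counter.most_common():
        lines.append("[+] %25s: %5.1f%% (%d)" % (key, 100.0 * count / total, count))
    return lines


def mask_csv_lines(advanced):
    """statsgen -o writes one 'mask,count' line per advanced mask, most frequent
    first; this is the file maskgen consumes."""
    return ["%s,%d" % (mask, count) for mask, count in advanced.most_common()]


# Constructed sample list for the demonstration (not real breach data)
SAMPLE = ["password1", "letmein", "Summer2019!", "P@ssw0rd!", "qwerty12",
          "monkey", "abc123", "Welcome1", "123456", "dragon99"]

if __name__ == "__main__":
    lengths, simple, advanced = analyze(SAMPLE)
    total = sum(lengths.values())
    for section in (report(lengths, total, "Length"),
                    report(simple, total, "Simple Masks"),
                    report(advanced, total, "Advanced Masks")):
        print("\n".join(section))
    print("\n".join(mask_csv_lines(advanced)))
```

Run it as a script to see the three sections followed by the mask,count lines; point analyze() at a real list (one password per line) to compare its output against statsgen's on the same file.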

This statistical foundation lets maskgen produce an ordered attack file. Instead of Hashcat grinding through every conceivable pattern, maskgen emits masks in descending order of usefulness, and you can filter them by length (only 8-character passwords), by complexity or per-class counts (for example, only masks containing a special character), or by occurrence threshold (--minoccurrence takes an absolute count of samples, not a percentage):

# Generate masks for 8-character passwords that fit a one-hour run at the
# candidate rate maskgen assumes (override it with --pps to match your rig)
python maskgen.py analysis.txt --targettime 3600 --minlength 8 --maxlength 8 -o masks.hcmask

# masks.hcmask holds bare Hashcat masks, one per line, most productive first:
# ?l?l?l?l?l?l?d?d
# ?u?l?l?l?l?l?l?l
# ?l?l?l?l?d?d?d?d
#
# Occurrence counts and time estimates go to the terminal (add --showmasks),
# not into the file, so Hashcat can read the file as-is.

The mask syntax is Hashcat-native: ?l represents lowercase, ?u uppercase, ?d digits, ?s specials. The counts live in statsgen's -o file (as mask,count lines) and in maskgen's terminal output, and they are what let you estimate yield before you start. If a mask matched 23.4% of the analysed passwords and your target population is similar, a list of 10,000 hashes should give roughly 2,340 cracks from that mask alone, because a mask attack exhausts the mask's keyspace and therefore recovers every hash whose plaintext fits it.
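The prioritisation maskgen performs can be reproduced in a few dozen lines. The following is an added example, not maskgen's code: it reads constructed statsgen-style mask,count lines, scores each mask by passwords recovered per candidate tried, and fills a time budget in that order. The charset sizes are hashcat's built-in ones; the candidate rate, the made-up counts, and the greedy skip-and-continue policy are this example's own assumptions, not a description of maskgen's internals.

```python
# Added example, not PACK's own code: the prioritisation idea behind maskgen.
# Input is statsgen's "-o" output (one "mask,count" line per advanced mask).
# Each mask is scored by passwords recovered per candidate tried (occurrence
# divided by keyspace), and masks are kept in that order until a time budget
# is spent, the trade-off maskgen's --optindex and --targettime express.
# The "skip a mask that does not fit and keep looking" policy is this
# example's choice, not a claim about maskgen's exact algorithm.
from dataclasses import dataclass

# Hashcat built-in charsets: ?l 26, ?u 26, ?d 10, ?s 33 printable specials, ?a 95
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


@dataclass
class Mask:
    mask: str        # e.g. "?l?l?l?l?l?l?d?d"
    occurrence: int  # how many analysed passwords matched it

    @property
    def length(self) -> int:
        return len(self.mask) // 2

    @property
    def keyspace(self) -> int:
        size = 1
        for i in range(1, len(self.mask), 2):  # charset letter follows each '?'
            size *= CHARSET_SIZE[self.mask[i]]
        return size

    def seconds(self, pps: float) -> float:
        return self.keyspace / pps


def parse_statsgen_masks(lines):
    masks = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        mask, count = line.rsplit(",", 1)
        masks.append(Mask(mask, int(count)))
    return masks


def prioritise(masks, total_passwords, pps=1_000_000_000, target_seconds=None,
               minlength=1, maxlength=255, minoccurrence=0):
    """Filter masks, sort by cracks-per-candidate, and fill the time budget.
    Returns (chosen masks, estimated runtime in seconds, fraction of analysed
    passwords the chosen masks cover). pps=1e9 is this example's assumed rate."""
    candidates = [m for m in masks
                  if minlength <= m.length <= maxlength and m.occurrence >= minoccurrence]
    candidates.sort(key=lambda m: m.occurrence / m.keyspace, reverse=True)
    chosen, elapsed, covered = [], 0.0, 0
    for m in candidates:
        cost = m.seconds(pps)
        if target_seconds is not None and elapsed + cost > target_seconds:
            continue  # too expensive for what is left; a cheaper mask may still fit
        chosen.append(m)
        elapsed += cost
        covered += m.occurrence
    return chosen, elapsed, covered / total_passwords


def hcmask_lines(chosen):
    """maskgen -o writes bare masks, one per line; Hashcat reads this directly with -a 3."""
    return [m.mask for m in chosen]


# Constructed statsgen-style output (made-up counts for the demonstration)
SAMPLE_STATS = """\
?l?l?l?l?l?l?d?d,234000
?u?l?l?l?l?l?l?l,187000
?l?l?l?l?d?d?d?d,123000
?l?l?l?l?l?l?l?l,98000
?u?l?l?l?l?l?d?d?s,41000
?d?d?d?d?d?d?d?d,36000
"""
TOTAL_ANALYSED = 1_000_000  # size of the constructed analysed set

if __name__ == "__main__":
    masks = parse_statsgen_masks(SAMPLE_STATS.splitlines())
    chosen, elapsed, fraction = prioritise(masks, TOTAL_ANALYSED, target_seconds=300)
    print("\n".join(hcmask_lines(chosen)))
    print("estimated runtime %.0fs, covers %.0f%% of analysed passwords" % (elapsed, 100 * fraction))
    # If 10,000 target hashes follow the same distribution, expect about
    # fraction * 10000 of them to fall to these masks.
    print("expected cracks in 10,000 hashes: ~%d" % round(fraction * 10_000))
```

With the sample data and a 300-second budget, the cheap all-digit mask and the two word-plus-digits masks are taken first, the 8-lowercase mask is skipped because it would overrun the budget despite its high count, and the 9-character mask is never reached; that ordering is the whole point of feeding frequency data into mask selection.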

Rulegen takes a different approach, generating transformation rules rather than masks. Rules modify dictionary words: capitalize the first letter, append common years, replace 'o' with '0'. Unlike maskgen, rulegen works on the plaintext list itself: for each password it asks a spell checker (via PyEnchant) for likely source words, derives the Levenshtein edit sequence from word to password, and expresses that sequence as Hashcat rule functions. This is particularly effective for passwords that follow word+mutation patterns:

# Generate rules from the passwords themselves (rulegen needs PyEnchant);
# -b sets the basename of the output files
python rulegen.py passwordlist.txt -b analysis

# analysis.rule might include Hashcat rules like:
# c $1 $2 $3        # capitalize, append 123
# c $!              # capitalize, append !
# so0 $2 $0 $1 $9   # replace o with 0, append 2019
# analysis.word holds the recovered source words to pair with them
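To see what those rules do to a word, and to check a generated rule file before spending GPU time on it, here is an added example (not rulegen's or hashcat's code): a small interpreter for the hashcat rule functions rulegen commonly emits, with a verifier that reports which rules turn a source word into an observed password. The rule list and words below are constructed for the demonstration; hashcat's own semantics for the supported functions are followed, including dropping a candidate when a position is out of range.

```python
# Added example, not PACK's own code: an interpreter for the hashcat rule
# functions rulegen typically emits, plus a check that a rule really turns a
# source word into the observed password. Supported functions:
#   : l u c C t r d f  $X ^X sXY  [ ]  DN iNX oNX   (N is a hashcat position 0-9A-Z)
# Functions containing a literal space (e.g. "$ ") are out of scope because
# rules are split on whitespace here.
import string

# hashcat encodes positions 0-35 as 0-9 then A-Z
POS = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}


def apply_rule(word: str, rule: str):
    """Apply one hashcat rule (space-separated functions) to a word.
    Returns the candidate, or None where hashcat would reject it (position out of range)."""
    w = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            continue
        if op == "l" and not arg:
            w = w.lower()
        elif op == "u" and not arg:
            w = w.upper()
        elif op == "c" and not arg:        # capitalize first, lower the rest
            w = w[:1].upper() + w[1:].lower()
        elif op == "C" and not arg:        # lower first, upper the rest
            w = w[:1].lower() + w[1:].upper()
        elif op == "t" and not arg:
            w = w.swapcase()
        elif op == "r" and not arg:
            w = w[::-1]
        elif op == "d" and not arg:
            w = w + w
        elif op == "f" and not arg:        # reflect
            w = w + w[::-1]
        elif op == "$" and len(arg) == 1:  # append
            w = w + arg
        elif op == "^" and len(arg) == 1:  # prepend
            w = arg + w
        elif op == "s" and len(arg) == 2:  # replace all X with Y
            w = w.replace(arg[0], arg[1])
        elif op == "[" and not arg:
            w = w[1:]
        elif op == "]" and not arg:
            w = w[:-1]
        elif op == "D" and len(arg) == 1:  # delete char at N
            n = POS[arg]
            if n >= len(w):
                return None
            w = w[:n] + w[n + 1:]
        elif op == "i" and len(arg) == 2:  # insert X at N
            n = POS[arg[0]]
            if n > len(w):
                return None
            w = w[:n] + arg[1] + w[n:]
        elif op == "o" and len(arg) == 2:  # overwrite char at N with X
            n = POS[arg[0]]
            if n >= len(w):
                return None
            w = w[:n] + arg[1] + w[n + 1:]
        else:
            raise ValueError("unsupported rule function: %r" % fn)
    return w


def verify_rules(word: str, rules, password: str):
    """Return the rules that reproduce `password` from `word`."""
    return [r for r in rules if apply_rule(word, r) == password]


def candidates(words, rules):
    """Expand a wordlist by a rule list the way hashcat -a 0 -r does, deduplicated."""
    out = set()
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand is not None:
                out.add(cand)
    return out


# Constructed rulegen-style rules and source words for the demonstration
RULES = ["c $1 $2 $3", "c $!", "so0 $2 $0 $1 $9", "u", "c sa@ so0"]
WORDS = ["password", "summer"]

if __name__ == "__main__":
    for r in RULES:
        print("%-18s password -> %s" % (r, apply_rule("password", r)))
    print("rules yielding Passw0rd2019:",
          verify_rules("password", RULES + ["c so0 $2 $0 $1 $9"], "Passw0rd2019"))
    print("%d candidates from %d words x %d rules" % (len(candidates(WORDS, RULES)), len(WORDS), len(RULES)))
```

Feeding each line of analysis.word together with the matching line of analysis.rule through verify_rules() against the original password is a cheap way to catch rules that never reproduce anything before they multiply your wordlist on the GPU.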

The real power emerges when you segment the breach data you analyze. Passwords from financial institutions follow different patterns than those from gaming sites, and enterprise breaches look different from consumer services. Organizations with mandated complexity requirements, common in healthcare, tend to produce predictable shapes: initial uppercase, exactly one symbol, a trailing run of digits. Feeding PACK domain-specific breach data yields masks tuned to that population rather than to the internet at large:

# Example workflow for a targeted audit (PACK scripts in the current directory)
import subprocess
import sys

PY = sys.executable  # run PACK with the same interpreter as this script

# 1. Analyze previous breaches from similar organizations;
#    -o writes the mask,count file that maskgen reads
subprocess.run([PY, 'statsgen.py', 'healthcare_breaches.txt',
                '-o', 'healthcare_stats.txt'], check=True)

# 2. Generate masks for 8-12 character passwords (common enterprise policy).
#    --minoccurrence is an absolute count, not a percentage: drop masks seen
#    fewer than 1000 times in the analysed data.
subprocess.run([PY, 'maskgen.py', 'healthcare_stats.txt',
                '--minlength', '8', '--maxlength', '12',
                '--minoccurrence', '1000',
                '-o', 'healthcare_masks.hcmask'], check=True)

# 3. Run Hashcat in mask-attack mode (-a 3) against NTLM hashes (-m 1000);
#    the .hcmask file is tried top to bottom, so the best masks run first
subprocess.run(['hashcat', '-m', '1000', '-a', '3',
                'target_hashes.txt', 'healthcare_masks.hcmask'], check=True)

This workflow turns weeks of blind cracking into hours of targeted attacks. Suppose, as an illustration, that PACK shows 40% of the analysed healthcare passwords matching one 8-character shape such as ?u?l?l?l?l?d?d?s. That mask's keyspace is 26 x 26^4 x 10^2 x 33, about 3.9 x 10^10 candidates, against 95^8, about 6.6 x 10^15, for a full 8-character brute force: you spend roughly six millionths of the exhaustive effort to reach the most common 40% of the population. You're exploiting password psychology, not just computational speed.

Gotcha

PACK's effectiveness depends entirely on input data quality and relevance. Feed it consumer breach data from 2012, and you'll generate masks optimized for password policies that no longer exist. Analyze RockYou to audit a defense contractor, and you're applying gamer password patterns to security-conscious professionals—the distributions won't match. The tool assumes your target population behaves like your training data population, which is often false. Enterprise environments with enforced complexity requirements produce completely different pattern distributions than consumer sites with lax policies.

The toolkit also creates a false sense of precision. PACK tells you that 23.4% of passwords in your analysis matched 'stringdigitdigit', but it can't tell you which 23.4% of your target hashes will crack. If you're auditing a company that recently changed password policies, historical breach data becomes misleading. The masks PACK generates are backward-looking—they describe what users chose in the past, not what they're choosing today. Additionally, analyzing passwords that were cracked by other attackers introduces selection bias. Those passwords might have been cracked precisely because they followed common patterns, meaning your analysis overestimates pattern frequency in uncracked sets. You're measuring attacker success patterns, not user behavior patterns.

Verdict

Use if: You're conducting password audits with limited time and computational resources, have access to relevant breach data from similar environments, and need to maximize crack rate in the first 24-48 hours of an engagement. PACK excels in red team scenarios where you can spend reconnaissance time analyzing prior breaches to optimize live attacks. It's particularly valuable when auditing organizations in regulated industries (healthcare, finance, education) where password policies are documented and relatively uniform, which makes historical breach data highly predictive.

Skip if: You're working without prior breach data, targeting environments with novel or frequently-changing password policies, or need real-time cracking capabilities. Also skip if your hash list is small (under 1,000 entries); at that scale, the time spent analyzing and generating masks exceeds the time saved. For one-off quick audits or situations where you have unlimited computational resources and time, brute-force approaches with standard dictionaries may be simpler and equally effective.
