About

Misconfigured password policies and weak credential hygiene remain the primary attack vector in over 80% of breaches (Verizon DBIR 2024). Penetration testers require targeted wordlists that reflect an organization's naming conventions, locale patterns, and common mutation behaviors. Generic lists like rockyou.txt cover broad ground but miss site-specific candidates. This tool generates wordlists using four methods: raw charset enumeration, pattern masks (compatible with Hashcat ?l?u?d?s syntax), base-word mutation (leet substitution, case permutation, suffix appending), and hybrid combinations. Output is a plain-text file with one candidate per line. The combinatorial estimate N = C^L grows exponentially. A 6-character lowercase-only set produces 308,915,776 candidates. This tool caps output at 5,000,000 lines to prevent browser memory exhaustion. For larger jobs, use the pattern mode to narrow the keyspace.

Limitations: this runs client-side in a Web Worker. It approximates dedicated tools like crunch or maskprocessor but cannot match their throughput on billion-scale keyspaces. All generation happens locally. No data leaves your browser. The downloaded .txt file is compatible with Hashcat, John the Ripper, Hydra, and Burp Suite Intruder.

Formulas

The total keyspace N for charset enumeration across lengths L_min to L_max from a character set of size C:

N = L_max∑L=L_min C^L

For pattern-based masks, each position i has its own set size C_i. The total keyspace is the product:

N = k∏i=1 C_i

For mutation mode with W base words, S leet substitution variants per word, P case permutations, and F suffix/prefix additions:

N = W × S × P × F

Where S = n∏j=1 (m_j + 1) for each substitutable character j with m_j possible replacements. Case permutations: P = 2^alpha where alpha is the count of alphabetic characters in the word.

Where C = character set cardinality, L = candidate length, k = mask length (number of positions), W = base word count, F = affix multiplier.

Reference Data

Mask Character	Character Set	Size	Example
?l	Lowercase Latin	26	a−z
?u	Uppercase Latin	26	A−Z
?d	Digits	10	0−9
?s	Special symbols	33	!@#$%…
?a	All printable ASCII	95	?l?u?d?s
?h	Hex lowercase	16	0−9a−f
?H	Hex uppercase	16	0−9A−F
Common Leet Substitutions
a	@ 4	3 variants	p@ssword, p4ssword
e	3	2 variants	s3curity
i	1 !	3 variants	adm1n, adm!n
o	0	2 variants	r00t
s	$ 5	3 variants	pa$$word
t	7 +	3 variants	7est, +est
l	1	2 variants	he1lo
g	9	2 variants	9oogle
Common Suffixes (Mutation Mode)
Year suffixes		10	2020−2029
Digit padding		1000	000−999
Symbol tails		8	! @ # $ % & * ?
Keyboard walks		6	123, qwerty, 1234
Keyspace Estimates (Charset Mode)
Lower 4-char	26⁴	456,976
Lower 6-char	26⁶	308,915,776
Alnum 4-char	62⁴	14,776,336
Full 4-char	95⁴	81,450,625

Frequently Asked Questions

The generator caps output at 5,000,000 candidates to prevent browser tab memory exhaustion. A typical browser tab allocates roughly 1 - 4 GB of heap. Each candidate averaging 10 bytes plus newline means ~55 MB at the cap. For keyspaces exceeding this, use pattern mode to segment your attack (e.g., fix the first character and run multiple exports), or switch to native tools like crunch or maskprocessor.

Each substitutable character multiplies the variant count. The word "password" has 4 substitutable characters (a→2, s→2 occurrences × 2 variants, o→1). This produces (3)(3)(3)(2) = 54 leet variants before case permutation. Adding case permutation (2⁸ = 256) yields 13,824 mutations from a single word. Toggle case permutation off if you only need leet variants.

Yes. Output format is one candidate per line in a plain UTF-8 .txt file with Unix line endings (\n). This is the standard input format for Hashcat (-a 0 dictionary mode), John the Ripper (--wordlist), Hydra (-P), and Burp Suite Intruder payload lists. No BOM is prepended.

This tool pre-expands the mask into an explicit wordlist file. Hashcat's -a 3 mask mode generates candidates on-the-fly during cracking, which is faster and memory-efficient for GPU attacks. Use this tool when you need a static file for tools that lack native mask support (e.g., Hydra, Medusa), or when you want to combine mask output with mutation rules (hybrid mode) before feeding to Hashcat as a dictionary.

Yes. For example, leet-substituting l→1 and then case-permuting does not change the digit 1, creating identical lines. The generator includes a deduplication toggle (enabled by default) that uses a Set to filter unique candidates. This adds memory overhead proportional to N but guarantees no wasted cracking cycles.

The custom charset field accepts any Unicode characters you paste in. However, the mask shortcuts (?l, ?u) map only to ASCII a - z and A - Z. For Cyrillic, CJK, or accented Latin, enter your character set manually in the custom charset input. Note that multi-byte characters increase file size significantly: a 4-character Cyrillic wordlist uses 2× the bytes of ASCII.