DEV.co
Open-Source Security · t3l3machus

psudohash

Psudohash is a Python-based password mutation generator that creates millions of keyword variants by applying leet substitutions, case changes, padding, and year suffixes. It's designed for authorized security testing and penetration testing to simulate common human password patterns.

Source: GitHub — github.com/t3l3machus/psudohash
1.4k
GitHub stars
175
Forks
Python
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryt3l3machus/psudohash
Ownert3l3machus
Primary languagePython
LicenseMIT — OSI-approved
Stars1.4k
Forks175
Open issues9
Latest releasev1.1.0 (2025-06-08)
Last updated2025-06-08
Sourcehttps://github.com/t3l3machus/psudohash

What psudohash is

A Python 3.x CLI tool that generates permutations of input keywords using configurable character substitution schemas (leet mappings), case variations, numeric padding, year appending with separators, and multi-word joining strategies (in-order or all-order combinations). Output is written to a wordlist file for use in brute-force or hash-cracking workflows.

Quickstart

Get the psudohash source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/t3l3machus/psudohash.gitcd psudohash# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Corporate Penetration Testing

Simulate password mutations employees commonly create (e.g., company name + year + padding). Effective for testing network devices, application accounts, and domain credentials in authorized security assessments.

Authorized Hash-Cracking Operations

Generate context-aware wordlists when you have semantic clues about the target (e.g., user's name, company, pet name, birth year). Reduces brute-force search space compared to generic wordlists.

Security Awareness & Training

Demonstrate to developers and system administrators how easily their passwords can be cracked by mutation-based attacks, illustrating the importance of stronger password policies and multi-factor authentication.

Implementation considerations

  • Requires Python 3.x and the `tqdm` library; minimal dependencies reduce operational friction.
  • Wordlist generation speed varies with keyword count, combination depth, and mutation options; test on sample data to estimate runtime and output size before large-scale runs.
  • Output wordlists can grow exponentially with multi-word combinations and padding/year appending; implement length filters (`--minlen`, `--maxlen`) and `--max-combine` limits to manage file size and memory.
  • Character substitution mappings and padding values are hardcoded or read from `common_padding_values.txt`; customize these files to reflect target environment password policies.
  • No built-in deduplication at scale; the tool acknowledges that combining multiple mutation strategies may produce duplicates—acceptable for wordlist generation but monitor for performance impact on downstream hash-cracking tools.

When to avoid it — and what to weigh

  • Unauthorized Access Attempts — Using this tool to crack passwords or gain access to systems you do not own or have explicit written permission to test is illegal and unethical. Restrict use to authorized penetration testing engagements only.
  • No Legal Authorization Framework — If you lack a formal Rules of Engagement (RoE) or penetration test contract, do not deploy this tool. Legal liability and criminal charges can result from unauthorized access attempts.
  • Production System Defense Role — This tool is not designed for real-time detection or prevention of attacks. Use dedicated IDS/IPS, WAF, and account lockout policies for production defense. Psudohash is an attacker's tool, not a defender's.
  • High-Volume, Real-Time Operations — Psudohash generates static wordlists; it is not a live attack orchestration platform. For concurrent distributed attacks, integrate with dedicated frameworks (Hashcat, John the Ripper, etc.) and cloud infrastructure.

License & commercial use

Licensed under the MIT License, which is a permissive OSI-approved open-source license permitting use, modification, and distribution with minimal restrictions (attribution required, no liability).

MIT License permits commercial use in commercial penetration testing services and security consulting. However, using this tool for unauthorized access, even in a commercial context, remains illegal. Ensure all client engagements have explicit, written authorization before deploying. No warranty is provided; liability for misuse rests with the operator.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Psudohash is a tool designed to simulate attacker behavior (password mutation and brute-force wordlist generation). Key considerations: (1) Operator responsibility: this tool can facilitate unauthorized access if misused—legal and ethical authorization is the operator's responsibility, not the tool's. (2) No input validation documented: unknown if the tool sanitizes or validates keyword input before processing. (3) Output file permissions: generated wordlists are written to disk; ensure appropriate file permissions to prevent unauthorized access to sensitive testing data. (4) No encryption or signing: wordlists are unencrypted; protect them as sensitive test artifacts. (5) Relies on password pattern assumptions: effectiveness depends on how accurately configured transformations and padding match target environment practices—poorly tuned configurations waste resources.

Alternatives to consider

Hashcat / John the Ripper

Industry-standard hash-cracking suites with built-in wordlist generation, rule engines, and GPU acceleration. More powerful for large-scale attacks but steeper learning curve and higher resource overhead.

Crunch

Purpose-built wordlist generator supporting character sets, patterns, and length ranges. Language-agnostic and optimized for brute-force character combinations; less flexible for semantic keyword mutations.

SecLists (Seclists.net)

Pre-built, community-maintained wordlist collections for common scenarios (passwords, usernames, paths, API endpoints). Eliminates the need to generate custom lists but lacks dynamic customization.

Software development agency

Build on psudohash with DEV.co software developers

Our technical team can help you integrate Psudohash into your penetration testing procedures, customize mutation rules for your target environment, and ensure proper legal authorization and audit controls. Contact us to discuss authorized security assessments.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

psudohash FAQ

Can I use Psudohash on systems I don't own?
No. Unauthorized access is illegal. Use only on systems you own or have explicit written permission to test (e.g., authorized penetration test contract). Verify your legal authorization before deployment.
How large can the generated wordlist get?
Size grows exponentially with keyword count, combination depth (`--max-combine`), and mutation options. Use `--minlen`, `--maxlen`, and lower `--max-combine` to control output size. Test with sample inputs to estimate growth.
Can I modify the leet substitution rules?
Yes. Edit the `transformations` list in `psudohash.py` to add or remove character mappings. Modify `common_padding_values.txt` to customize padding strategies. Changes apply on next execution.
Does Psudohash integrate with hash-cracking tools?
No built-in integration. Psudohash outputs a plain-text wordlist; pipe or import it manually into Hashcat, John, Hydra, or custom scripts. Automation requires wrapper scripts.

Custom software development services

Need help beyond evaluating psudohash? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Ready to incorporate Psudohash into your security testing workflow?

Our technical team can help you integrate Psudohash into your penetration testing procedures, customize mutation rules for your target environment, and ensure proper legal authorization and audit controls. Contact us to discuss authorized security assessments.