psudohash
Psudohash is a Python-based password mutation generator that creates millions of keyword variants by applying leet substitutions, case changes, padding, and year suffixes. It's designed for authorized security testing and penetration testing to simulate common human password patterns.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | t3l3machus/psudohash |
| Owner | t3l3machus |
| Primary language | Python |
| License | MIT — OSI-approved |
| Stars | 1.4k |
| Forks | 175 |
| Open issues | 9 |
| Latest release | v1.1.0 (2025-06-08) |
| Last updated | 2025-06-08 |
| Source | https://github.com/t3l3machus/psudohash |
What psudohash is
A Python 3.x CLI tool that generates permutations of input keywords using configurable character substitution schemas (leet mappings), case variations, numeric padding, year appending with separators, and multi-word joining strategies (in-order or all-order combinations). Output is written to a wordlist file for use in brute-force or hash-cracking workflows.
Get the psudohash source
Clone the repository and explore it locally.
git clone https://github.com/t3l3machus/psudohash.gitcd psudohash# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Python 3.x and the `tqdm` library; minimal dependencies reduce operational friction.
- Wordlist generation speed varies with keyword count, combination depth, and mutation options; test on sample data to estimate runtime and output size before large-scale runs.
- Output wordlists can grow exponentially with multi-word combinations and padding/year appending; implement length filters (`--minlen`, `--maxlen`) and `--max-combine` limits to manage file size and memory.
- Character substitution mappings and padding values are hardcoded or read from `common_padding_values.txt`; customize these files to reflect target environment password policies.
- No built-in deduplication at scale; the tool acknowledges that combining multiple mutation strategies may produce duplicates—acceptable for wordlist generation but monitor for performance impact on downstream hash-cracking tools.
When to avoid it — and what to weigh
- Unauthorized Access Attempts — Using this tool to crack passwords or gain access to systems you do not own or have explicit written permission to test is illegal and unethical. Restrict use to authorized penetration testing engagements only.
- No Legal Authorization Framework — If you lack a formal Rules of Engagement (RoE) or penetration test contract, do not deploy this tool. Legal liability and criminal charges can result from unauthorized access attempts.
- Production System Defense Role — This tool is not designed for real-time detection or prevention of attacks. Use dedicated IDS/IPS, WAF, and account lockout policies for production defense. Psudohash is an attacker's tool, not a defender's.
- High-Volume, Real-Time Operations — Psudohash generates static wordlists; it is not a live attack orchestration platform. For concurrent distributed attacks, integrate with dedicated frameworks (Hashcat, John the Ripper, etc.) and cloud infrastructure.
License & commercial use
Licensed under the MIT License, which is a permissive OSI-approved open-source license permitting use, modification, and distribution with minimal restrictions (attribution required, no liability).
MIT License permits commercial use in commercial penetration testing services and security consulting. However, using this tool for unauthorized access, even in a commercial context, remains illegal. Ensure all client engagements have explicit, written authorization before deploying. No warranty is provided; liability for misuse rests with the operator.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Psudohash is a tool designed to simulate attacker behavior (password mutation and brute-force wordlist generation). Key considerations: (1) Operator responsibility: this tool can facilitate unauthorized access if misused—legal and ethical authorization is the operator's responsibility, not the tool's. (2) No input validation documented: unknown if the tool sanitizes or validates keyword input before processing. (3) Output file permissions: generated wordlists are written to disk; ensure appropriate file permissions to prevent unauthorized access to sensitive testing data. (4) No encryption or signing: wordlists are unencrypted; protect them as sensitive test artifacts. (5) Relies on password pattern assumptions: effectiveness depends on how accurately configured transformations and padding match target environment practices—poorly tuned configurations waste resources.
Alternatives to consider
Hashcat / John the Ripper
Industry-standard hash-cracking suites with built-in wordlist generation, rule engines, and GPU acceleration. More powerful for large-scale attacks but steeper learning curve and higher resource overhead.
Crunch
Purpose-built wordlist generator supporting character sets, patterns, and length ranges. Language-agnostic and optimized for brute-force character combinations; less flexible for semantic keyword mutations.
SecLists (Seclists.net)
Pre-built, community-maintained wordlist collections for common scenarios (passwords, usernames, paths, API endpoints). Eliminates the need to generate custom lists but lacks dynamic customization.
Build on psudohash with DEV.co software developers
Our technical team can help you integrate Psudohash into your penetration testing procedures, customize mutation rules for your target environment, and ensure proper legal authorization and audit controls. Contact us to discuss authorized security assessments.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
psudohash FAQ
Can I use Psudohash on systems I don't own?
How large can the generated wordlist get?
Can I modify the leet substitution rules?
Does Psudohash integrate with hash-cracking tools?
Custom software development services
Need help beyond evaluating psudohash? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Ready to incorporate Psudohash into your security testing workflow?
Our technical team can help you integrate Psudohash into your penetration testing procedures, customize mutation rules for your target environment, and ensure proper legal authorization and audit controls. Contact us to discuss authorized security assessments.