A comprehensive security research utility for testing non-dictionary passwords
Everyone knows that it’s easy to crack a password if it appears in a dictionary. dicti0nary-attack is a humorous inversion of that concept - it’s a powerful tool for generating and testing passwords that are NOT in traditional dictionaries, focusing on the creative variations users think make their passwords "secure."
     
This tool is for authorized security testing only.
Authorized use includes: - ✅ Penetration testing with explicit written permission - ✅ Security audits of systems you own - ✅ CTF (Capture The Flag) competitions - ✅ Academic research and education - ✅ Password strength analysis on your own data
Unauthorized access to computer systems is illegal and may result in criminal prosecution under computer fraud and abuse laws.
-
Leetspeak Generator: Transforms words using character substitutions (a→4, e→3, o→0, etc.)
-
Phonetic Generator: Uses phonetic substitutions (for→4, to→2, you→u)
-
Pattern Generator: Creates pattern-based passwords (keyboard walks, sequences, date patterns)
-
Random Generator: Generates truly random non-dictionary passwords
-
Markov Chain Generator: Statistical password generation based on training data
-
Multi-Algorithm Support: MD5, SHA1, SHA224, SHA256, SHA384, SHA512, BLAKE2b, BLAKE2s
-
Parallel Processing: Multi-core support for faster cracking
-
Batch Operations: Crack multiple hashes simultaneously
-
Progress Tracking: Real-time statistics and progress monitoring
-
🎨 Rich CLI Interface: Beautiful terminal UI with progress bars and tables
-
🌐 Web Interface: Browser-based GUI for easy password generation and cracking
-
📊 Comprehensive Statistics: Detailed performance metrics and reporting
-
🔧 Flexible Configuration: YAML/JSON configuration files
-
📝 Multiple Output Formats: Text, JSON, CSV, HTML reports
-
🐳 Docker Support: Containerized deployment
-
🧪 Extensive Test Suite: High code coverage with pytest
-
⚡ Performance Benchmarks: Built-in benchmarking tools
-
🏆 RSR Framework Compliant: Bronze level (86% compliance)
-
📴 Offline-First: Core functionality works without internet
-
🔒 Security-First: RFC 9116 compliant, comprehensive security policy
-
Chapel 2.3+ - Download Chapel
-
Rust 2021 edition - Install via rustup
-
Deno (for web dev) - Install Deno
-
just task runner - Install just
git clone https://github.com/Hyperpolymath/dicti0nary-attack.git
cd dicti0nary-attack
# Initialize development environment
just init
# Build Chapel + Rust CLI
just build
# Build WASM for web interface
just build-wasm# Build with Podman (preferred)
podman build -t dicti0nary-attack -f Containerfile .
podman run --rm dicti0nary-attack just info
# Or with Docker
docker build -t dicti0nary-attack .
docker run --rm dicti0nary-attack just info# Generate 1000 leetspeak passwords
dicti0nary generate -g leetspeak -n 1000
# Save to file
dicti0nary generate -g pattern -n 5000 -o passwords.txt
# Custom length constraints
dicti0nary generate -g random -n 100 --min-length 12 --max-length 20# Crack a SHA256 hash using pattern generator
dicti0nary crack 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 -a sha256 -g pattern
# Use parallel processing
dicti0nary crack <hash> -a sha256 -g leetspeak -p --workers 8
# Use custom wordlist
dicti0nary crack <hash> -a md5 -w wordlists/custom.txt# Create leetspeak wordlist
dicti0nary create-wordlist wordlists/leetspeak.txt -g leetspeak -n 50000
# Create phonetic wordlist
dicti0nary create-wordlist wordlists/phonetic.txt -g phonetic -n 10000# Hash with SHA256
dicti0nary hash-password "mypassword"
# Hash with MD5
dicti0nary hash-password "mypassword" -a md5# Serve static web interface
just serve-static
# Or with Deno
deno task serveVisit http://localhost:8080 in your browser.
-
Usage Guide - Comprehensive usage instructions
-
API Documentation - Python API reference
-
Plugin Guide - Plugin development guide
-
Configuration Guide - Configuration options
-
RSR Compliance - Standards compliance report
-
Security Policy - Vulnerability reporting
-
Contributing - Contribution guidelines
Test if users are using common non-dictionary password patterns:
dicti0nary create-wordlist audit.txt -g leetspeak -n 100000
dicti0nary crack <hash> -w audit.txt -a sha256dicti0nary-attack/
├── src/ # Main source code
│ ├── main.rs # Rust CLI entry point
│ ├── dicti0nary.chpl # Chapel main program
│ ├── generators/ # Chapel generator modules
│ │ ├── Leetspeak.chpl # Leetspeak transformations
│ │ ├── Phonetic.chpl # Phonetic substitutions
│ │ ├── Pattern.chpl # Pattern-based generation
│ │ ├── Random.chpl # Random generation
│ │ └── Markov.chpl # Markov chain generation
│ └── crackers/ # Hash cracking engine
│ └── HashCracker.chpl # Multi-algorithm cracker
├── crates/ # Rust workspace crates
│ ├── core/ # Type definitions & traits
│ ├── generators/ # Rust generator implementations
│ └── crackers/ # Rust cracking engine
├── web/ # Static web interface
│ ├── index.html # Main HTML
│ ├── src/ # ReScript source
│ │ ├── App.res # Application logic
│ │ ├── Generators.res # Password generators
│ │ ├── Hash.res # Hashing utilities
│ │ └── WasmLoader.res # WASM module loader
│ └── static/ # Static assets
│ ├── css/ # CSS-first styling
│ ├── js/ # Compiled ReScript output
│ └── wasm/ # Chapel-compiled WASM
├── config/ # Configuration files
│ ├── dicti0nary.ncl # Nickel configuration
│ └── *.yaml # YAML configs
├── tests/ # Chapel test suite
├── docs/ # Documentation
├── wordlists/ # Example wordlists
├── justfile # Task automation
├── Cargo.toml # Rust workspace manifest
├── Chapel.toml # Chapel config
├── rescript.json # ReScript config
└── deno.json # Deno configCreate a configuration file (config.yaml):
generators:
leetspeak:
max_substitutions: 3
min_length: 6
max_length: 16
pattern:
min_length: 6
max_length: 16
cracker:
algorithm: sha256
workers: 8
batch_size: 5000
output:
format: json
directory: output
save_stats: trueUse with commands:
dicti0nary --config config.yaml generate -g leetspeak -n 1000Run the test suite:
# Run Chapel tests
just test
# Run with coverage
just test-cov
# Run Rust tests
cargo test
# Watch mode (requires entr)
just test-watchRun performance benchmarks:
# Run Chapel benchmarks
just bench
# Run Rust benchmarks
cargo bench# Podman (preferred)
podman build -t dicti0nary-attack -f Containerfile .
# Docker
docker build -t dicti0nary-attack .# Clone repository
git clone https://github.com/Hyperpolymath/dicti0nary-attack.git
cd dicti0nary-attack
# Initialize (installs deps, sets up directories)
just init
# Install pre-commit hooks
just setup-hooks
# Build ReScript (web interface)
deno task build:rescript
# Watch mode for development
deno task watch:rescriptjust # List all commands
just build # Compile Chapel sources
just build-wasm # Compile to WASM
just build-all # Build everything
just test # Run Chapel tests
just test-cov # Tests with coverage
just bench # Performance benchmarks
just format # Format Chapel code
just lint # Lint Chapel code
just quality # All quality checks
just clean # Remove build artifacts
just serve-static # Serve web interface
just podman-build # Build container
just validate-rsr # Check RSR compliance
just nickel-eval # Evaluate Nickel config
just stats # Show project statisticsContributions are welcome! Please ensure:
-
All tests pass:
just testandcargo test -
Code is formatted:
just formatandcargo fmt -
No linting errors:
just lintandcargo clippy -
ReScript compiles:
deno task build:rescript -
Documentation is updated
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
-
Inspired by the need for better password security testing tools
-
Built with Chapel, Rust, ReScript, and Nickel
-
Powered by WASM for offline-first browser execution
-
Thanks to the security research community
-
Issues: GitHub Issues
-
Documentation: docs/
-
License: GPL-3.0
This tool is designed to help security professionals identify weak passwords. It should never be used:
-
To gain unauthorized access to any system
-
To crack passwords you don’t have permission to test
-
For any illegal or unethical purposes
Always obtain explicit written permission before testing any system you do not own.
Made with ❤️ for the security research community
