A CLI password and wordlist generator for security research and ethical hacking.
Dual-mode: generate cryptographically-random passwords or build targeted wordlists from base words with case variants and leet speak transformations.
```
git clone https://github.com/keirsalterego/wordsmith.git
cd wordsmith
```

No dependencies — uses only Python standard library.
Generate a random password with secrets:
```
python wordsmith.py --mode password --length 20 --charset all
```

Charset options: all, lower, upper, digits, symbols.
Build a wordlist from base words:
```
python wordsmith.py -w keir,2024 -l -m 4 -M 16 -o wordlist.txt
```

| Flag | Long Flag | Description | Default |
|---|---|---|---|
| -w | --words | Comma-separated base words | Required* |
| -l | --leet | Enable leet speak (a→4, e→3, i→1, o→0, s→5) | False |
| -m | --min | Minimum candidate length | 4 |
| -M | --max | Maximum candidate length | 12 |
| -o | --output | Write wordlist to file instead of stdout | — |
| -L | --length | Password length (password mode only) | 16 |
|  | --mode | password or wordlist | wordlist |
|  | --charset | Character set: all, lower, upper, digits, symbols | all |
| -h | --help | Show help | — |

* Required in wordlist mode only.

- --length 0 or negative → clean usage error, not a traceback
- Empty charset → ValueError with a clear message
- Missing --words in wordlist mode → parser.error

Python's random module is deterministic — anyone who learns the seed can reproduce every "random" value. secrets uses OS-provided cryptographic randomness. Never use random for passwords. This distinction is a real infosec interview question.
A year into building security tools I noticed most wordlist generators dump every permutation of every word from SecLists or ship a dependency tree the size of a browser. I wanted something I could audit in one sitting. So I wrote wordsmith.
Password mode uses Python's secrets module to generate random passwords. Pick length and charset (lower, upper, digits, symbols, or all). No random, no seed to crack.
```
python wordsmith.py --mode password --length 20 --charset all
# F7{53=J'~$c<Y%bz
```

Wordlist mode takes base words (names, dates, keywords) and builds permutations: case variants, leet substitutions, length filtering. Output to stdout or a file.
```
python wordsmith.py -w keir,2024 -l -m 4 -M 16 -o wordlist.txt
```

The secrets vs random thing matters. random is deterministic: know the seed, know every password. secrets pulls from the OS entropy pool. One line change, huge difference.
Defensive take: length beats complexity. secrets with 20 chars from ascii_letters + digits + punctuation is about 130 bits of entropy.
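
The secrets vs random distinction and the 130-bit estimate above, as an added example (not code from wordsmith itself). The charset mapping, the function names and the seed value 2024 are assumptions made for illustration.

```python
import math
import random
import secrets
import string

# Names follow the README's --charset options; the exact mapping is an assumption.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
CHARSETS["all"] = "".join(CHARSETS.values())  # 94 printable characters


def generate_password(length, alphabet, rng=None):
    """Pick each character uniformly; rng=None means the OS CSPRNG via secrets."""
    if length <= 0:
        raise ValueError("length must be a positive integer")
    if not alphabet:
        raise ValueError("charset is empty")
    choose = secrets.choice if rng is None else rng.choice
    return "".join(choose(alphabet) for _ in range(length))


def seeded_password(seed, length, alphabet):
    """The weak pattern: the result is a pure function of the seed."""
    return generate_password(length, alphabet, rng=random.Random(seed))


def entropy_bits(length, alphabet):
    """Entropy of a uniformly drawn password: length * log2(alphabet size)."""
    return length * math.log2(len(set(alphabet)))


if __name__ == "__main__":
    full, lower = CHARSETS["all"], CHARSETS["lower"]
    # Same seed, same "random" password, on any machine.
    print(seeded_password(2024, 20, full) == seeded_password(2024, 20, full))
    print(generate_password(20, full))  # different on every run
    print(f"20 chars, all:   {entropy_bits(20, full):.1f} bits")
    print(f"20 chars, lower: {entropy_bits(20, lower):.1f} bits")
    print(f"12 chars, all:   {entropy_bits(12, full):.1f} bits")
```

The entropy figure only applies to the secrets path: a password drawn from a seeded generator is no harder to guess than its seed, whatever its length.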
